From c6c5f11eae145d8e8c655e622f0fc5dd74e6db2a Mon Sep 17 00:00:00 2001
From: Gary Gregory <garydgregory@gmail.com>
Date: Sat, 20 Apr 2024 11:13:37 -0400
Subject: [PATCH] Base64 constructor makes a better defensive copy of the line
 separator array

---
 src/changes/changes.xml                               |  1 +
 .../java/org/apache/commons/codec/binary/Base64.java  | 11 ++++++-----
 2 files changed, 7 insertions(+), 5 deletions(-)

diff --git a/src/changes/changes.xml b/src/changes/changes.xml
index 359a4155ba..018e6f41d6 100644
--- a/src/changes/changes.xml
+++ b/src/changes/changes.xml
@@ -49,6 +49,7 @@ The <action> type attribute can be add,update,fix,remove.
       <action type="fix" dev="ggregory" due-to="Gary Gregory">Optimize memory allocation in PhoneticEngine.</action>
       <action type="fix" dev="ggregory" due-to="Gary Gregory">BCodec and QCodec encode() methods throw UnsupportedCharsetException instead of EncoderException.</action>
       <action type="fix" dev="ggregory" due-to="Gary Gregory">Set Javadoc link to latest Java API LTS version.</action>
+      <action type="fix" dev="ggregory" due-to="Gary Gregory">Base64 constructor makes a better defensive copy of the line separator array.</action>
       <!-- ADD -->
       <action type="add" dev="ggregory" due-to="Gary Gregory">Add override org.apache.commons.codec.language.bm.Rule.PhonemeExpr.size().</action>
       <action type="add" dev="ggregory" due-to="Chris Kocel, Gary Gregory">Add support for Base64 custom alphabets #266.</action>
diff --git a/src/main/java/org/apache/commons/codec/binary/Base64.java b/src/main/java/org/apache/commons/codec/binary/Base64.java
index dc5c2b3bc5..5f927b053a 100644
--- a/src/main/java/org/apache/commons/codec/binary/Base64.java
+++ b/src/main/java/org/apache/commons/codec/binary/Base64.java
@@ -661,7 +661,7 @@ public Base64(final int lineLength, final byte[] lineSeparator, final boolean ur
      *            4). If lineLength &lt;= 0, then the output will not be divided into lines (chunks). Ignored when
      *            decoding.
      * @param lineSeparator
-     *            Each line of encoded data will end with this sequence of bytes.
+     *            Each line of encoded data will end with this sequence of bytes; the constructor makes a defensive copy.
      * @param padding padding byte.
      * @param encodeTable
      *            The manual encodeTable - a byte array of 64 chars.
@@ -683,13 +683,14 @@ private Base64(final int lineLength, final byte[] lineSeparator, final byte padd
         // TODO could be simplified if there is no requirement to reject invalid line sep when length <=0
         // @see test case Base64Test.testConstructors()
         if (lineSeparator != null) {
-            if (containsAlphabetOrPad(lineSeparator)) {
-                final String sep = StringUtils.newStringUtf8(lineSeparator);
+            final byte[] lineSeparatorCopy = lineSeparator.clone();
+            if (containsAlphabetOrPad(lineSeparatorCopy)) {
+                final String sep = StringUtils.newStringUtf8(lineSeparatorCopy);
                 throw new IllegalArgumentException("lineSeparator must not contain base64 characters: [" + sep + "]");
             }
             if (lineLength > 0) { // null line-sep forces no chunking rather than throwing IAE
-                this.encodeSize = BYTES_PER_ENCODED_BLOCK + lineSeparator.length;
-                this.lineSeparator = lineSeparator.clone();
+                this.encodeSize = BYTES_PER_ENCODED_BLOCK + lineSeparatorCopy.length;
+                this.lineSeparator = lineSeparatorCopy;
             } else {
                 this.encodeSize = BYTES_PER_ENCODED_BLOCK;
                 this.lineSeparator = null;