From fcc70e6fa1271158dd8f3a90350fa2589713f257 Mon Sep 17 00:00:00 2001
From: Gary Gregory <garydgregory@gmail.com>
Date: Sat, 20 Apr 2024 13:44:17 -0400
Subject: [PATCH] Base32 constructor makes a defensive copy of the line
 separator array

---
 src/changes/changes.xml                                  | 1 +
 .../java/org/apache/commons/codec/binary/Base32.java     | 9 +++++----
 2 files changed, 6 insertions(+), 4 deletions(-)

diff --git a/src/changes/changes.xml b/src/changes/changes.xml
index c88d2d7c4a..01ee6076e9 100644
--- a/src/changes/changes.xml
+++ b/src/changes/changes.xml
@@ -49,6 +49,7 @@ The <action> type attribute can be add,update,fix,remove.
       <action type="fix" dev="ggregory" due-to="Gary Gregory">Optimize memory allocation in PhoneticEngine.</action>
       <action type="fix" dev="ggregory" due-to="Gary Gregory">BCodec and QCodec encode() methods throw UnsupportedCharsetException instead of EncoderException.</action>
       <action type="fix" dev="ggregory" due-to="Gary Gregory">Set Javadoc link to latest Java API LTS version.</action>
+      <action type="fix" dev="ggregory" due-to="Gary Gregory">Base32 constructor makes a defensive copy of the line separator array.</action>
       <action type="fix" dev="ggregory" due-to="Gary Gregory">Base64 constructor makes a defensive copy of the line separator array.</action>
       <action type="fix" dev="ggregory" due-to="Gary Gregory">Base64 constructor makes a defensive copy of a custom alphabet array.</action>
       <!-- ADD -->
diff --git a/src/main/java/org/apache/commons/codec/binary/Base32.java b/src/main/java/org/apache/commons/codec/binary/Base32.java
index 47f136f8b5..ebbb57e353 100644
--- a/src/main/java/org/apache/commons/codec/binary/Base32.java
+++ b/src/main/java/org/apache/commons/codec/binary/Base32.java
@@ -359,13 +359,14 @@ private Base32(final int lineLength, final byte[] lineSeparator, final byte[] en
             if (lineSeparator == null) {
                 throw new IllegalArgumentException("lineLength " + lineLength + " > 0, but lineSeparator is null");
             }
+            final byte[] lineSeparatorCopy = lineSeparator.clone();
             // Must be done after initializing the tables
-            if (containsAlphabetOrPad(lineSeparator)) {
-                final String sep = StringUtils.newStringUtf8(lineSeparator);
+            if (containsAlphabetOrPad(lineSeparatorCopy)) {
+                final String sep = StringUtils.newStringUtf8(lineSeparatorCopy);
                 throw new IllegalArgumentException("lineSeparator must not contain Base32 characters: [" + sep + "]");
             }
-            this.encodeSize = BYTES_PER_ENCODED_BLOCK + lineSeparator.length;
-            this.lineSeparator = lineSeparator.clone();
+            this.encodeSize = BYTES_PER_ENCODED_BLOCK + lineSeparatorCopy.length;
+            this.lineSeparator = lineSeparatorCopy;
         } else {
             this.encodeSize = BYTES_PER_ENCODED_BLOCK;
             this.lineSeparator = null;