validate bytecode in case of a ClassFormatError

core/src/main/java/lucee/commons/lang/PhysicalClassLoader.java

@@ -56,6 +56,7 @@
 import lucee.runtime.type.Struct;
 import lucee.runtime.type.StructImpl;
 import lucee.runtime.type.util.KeyConstants;
+import lucee.transformer.bytecode.util.ASMUtil;
 import lucee.transformer.bytecode.util.ClassRenamer;
 
 /**
@@ -299,14 +300,21 @@ private Class<?> rename(Class<?> clazz, byte[] barr) {
 	}
 
 	private Class<?> _loadClass(String name, byte[] barr, boolean rename) {
-		Class<?> clazz = defineClass(name, barr, 0, barr.length);
-		if (clazz != null) {
-			if (!rename) loadedClasses.put(name, barr);
-			allLoadedClasses.put(name, barr);
+		try {
+			Class<?> clazz = defineClass(name, barr, 0, barr.length);
+
+			if (clazz != null) {
+				if (!rename) loadedClasses.put(name, barr);
+				allLoadedClasses.put(name, barr);
 
-			resolveClass(clazz);
+				resolveClass(clazz);
+			}
+			return clazz;
+		}
+		catch (ClassFormatError cfe) {
+			if (!ASMUtil.isValidBytecode(barr)) throw new RuntimeException("given bytcode for [" + name + "] is not valid");
+			throw cfe;
 		}
-		return clazz;
 	}
 
 	public Resource[] getJarResources() {

core/src/main/java/lucee/transformer/bytecode/util/ASMUtil.java

@@ -1313,4 +1313,22 @@ public static String getDescriptor(Type type) {
 		}
 		return desc;
 	}
+
+	/**
+	 * Validates the given byte array using the ASM library.
+	 *
+	 * @param className the name of the class being validated
+	 * @param bytecode the byte array representing the class
+	 */
+	public static boolean isValidBytecode(byte[] bytecode) {
+		try {
+			ClassReader classReader = new ClassReader(bytecode);
+			// Simply parse the bytecode; will throw if invalid
+			classReader.accept(null, 0);
+			return true;
+		}
+		catch (Exception e) {
+			return false;
+		}
+	}
 }