Pack200: enforce strict attribute layout parsing (apache#747)

* Pack200: enforce strict attribute layout parsing

The parser for the [Pack200 attribute layout definitions](https://docs.oracle.com/en/java/javase/11/docs/specs/pack-spec.html#attribute-layout-definitions) micro-language was previously overly permissive, allowing invalid layouts and masking archive corruption.

This change implements strict parsing in accordance with the [Java 11 specification](https://docs.oracle.com/en/java/javase/11/docs/specs/pack-spec.html) and removes duplication of the micro-language parsing logic between `pack200.NewAttributeBands` and `unpack200.NewAttributeBands`.

* fix: PMD failure

* fix: restore purpose of `lastPIntegral`

* fix: remove type parameters from Javadoc

This fails on JDK up to 11 and is yet another Javadoc quirk.

* fix: additional bracket in Javadoc

* fix: AttributeLayoutParser Javadoc

* fix: formatting

* Apply suggestions from code review

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

* fix: Javadoc copy/paste

* fix: remove unused import

* fix: additional Javadoc

* fix: `checkAnyIntTag` error message

* fix: remove difference `AttributeLayoutElement`/`LayoutElement`

* feat: add tests with deeply nested layouts

* fix: Add nesting level limit

This change adds a limit to the nesting level of `layout_element`s (64). Since all standard attribute layouts have a nesting level lower than 3, the limit should be suitable for most purposes.

* fix: AttributeLayoutUtils Javadoc

* fix: invalid test assertions

* fix: checkstyle

* Replace `Range<Integer>` with `IntegerRange`

* Improve internal package Javadoc

---------

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

Author: ppkarwasz

pom.xml

@@ -50,6 +50,11 @@ Brotli, Zstandard and ar, cpio, jar, tar, zip, dump, 7z, arj.
     <commons.distSvnStagingUrl>scm:svn:https://dist.apache.org/repos/dist/dev/commons/${commons.componentid}</commons.distSvnStagingUrl>
     <commons.manifestlocation>${project.build.outputDirectory}/META-INF</commons.manifestlocation>
     <commons.manifestfile>${commons.manifestlocation}/MANIFEST.MF</commons.manifestfile>
+    <!-- Don't export internal packages in OSGi manifest -->
+    <commons.osgi.export>
+      !org.apache.commons.*.internal.*,
+      org.apache.commons.*;version=${project.version};-noimport:=true
+    </commons.osgi.export>
     <commons.osgi.import>
       org.tukaani.xz;resolution:=optional,
       org.brotli.dec;resolution:=optional,
@@ -540,14 +545,42 @@ Brotli, Zstandard and ar, cpio, jar, tar, zip, dump, 7z, arj.
       </build>
     </profile>
     <profile>
-      <id>java9+</id>
+      <!-- Same id as the `commons-parent` profile it extends -->
+      <id>java-9-up</id>
       <activation>
         <jdk>[9,)</jdk>
       </activation>
       <properties>
         <maven.compiler.release>8</maven.compiler.release>
         <animal.sniffer.skip>true</animal.sniffer.skip>
       </properties>
+      <!--
+        Excludes internal packages from the list of exported packages.
+      -->
+      <build>
+        <plugins>
+          <plugin>
+            <groupId>org.moditect</groupId>
+            <artifactId>moditect-maven-plugin</artifactId>
+            <executions>
+              <execution>
+                <id>add-module-infos</id>
+                <configuration>
+                  <module>
+                    <moduleInfo>
+                      <exports>
+                        !org.apache.commons.compress.harmony.internal.*;
+                        !org.apache.commons.compress.harmony.archive.internal.*;
+                        *;
+                      </exports>
+                    </moduleInfo>
+                  </module>
+                </configuration>
+              </execution>
+            </executions>
+          </plugin>
+        </plugins>
+      </build>
     </profile>
     <profile>
       <id>java17</id>

src/changes/changes.xml

@@ -86,6 +86,7 @@ The <action> type attribute can be add,update,fix,remove.
       <action type="fix" dev="pkarwasz" due-to="Piotr P. Karwasz">Add strict header validation in ARJ input stream and `selfExtracting` option.</action>
       <!-- FIX unpack200 -->
       <action type="fix" dev="ggregory" due-to="Gary Gregory, Stanislav Fort">org.apache.commons.compress.harmony.unpack200 now throws Pack200Exception, IllegalArgumentException, and IllegalStateException instead of other runtime exceptions and Error.</action>
+      <action type="fix" dev="pkarwasz" due-to="Piotr P. Karwasz">Enforce strict attribute layout parsing in Pack200.</action>
       <!-- FIX pack200 -->      
       <action type="fix" dev="ggregory" due-to="Gary Gregory, Igor Morgenstern">org.apache.commons.compress.harmony.pack200 now throws Pack200Exception, IllegalArgumentException, IllegalStateException, instead of other runtime exceptions and Error.</action>
       <action type="fix" dev="ppkarwasz" due-to="Raeps">Extract duplicate code in org.apache.commons.compress.harmony.pack200.IntList.</action>

src/main/java/org/apache/commons/compress/harmony/archive/internal/nls/package-info.java

@@ -16,8 +16,13 @@
  * specific language governing permissions and limitations
  * under the License.
  */
-
 /**
- * Internal package.
+ * Internal implementation package, <strong>not for public use</strong>.
+ *
+ * <p>This package is deliberately <strong>not exported</strong> in either the OSGi manifest or the JPMS module descriptor, preventing access from external code
+ * and other modules.</p>
+ *
+ * <p>All classes and methods in this package are implementation details and may change or be removed at any time without notice. External code must not depend
+ * on them.</p>
  */
 package org.apache.commons.compress.harmony.archive.internal.nls;