From 2ec71a7c0e5254eb588885a5d6a9d05108887e22 Mon Sep 17 00:00:00 2001
From: Shawn Pearce
Date: Thu, 9 Nov 2017 09:12:59 -0800
Subject: [PATCH] Reject pack if delta exceeds array size limit
JGit's delta handling code requires the target to be a single byte array. Any attempt to inflate a delta larger than fits in the 2GiB limit will fail with some form of array index exceptions. Check for this overflow early and abort pack parsing.
Change-Id: I5bb3a71f1e4f4e0e89b8a177c7019a74ee6194da
---
 .../tst/org/eclipse/jgit/transport/PackParserTest.java | 2 +-
 .../src/org/eclipse/jgit/transport/PackParser.java | 8 ++++++--
 2 files changed, 7 insertions(+), 3 deletions(-)
diff --git a/org.eclipse.jgit.test/tst/org/eclipse/jgit/transport/PackParserTest.java b/org.eclipse.jgit.test/tst/org/eclipse/jgit/transport/PackParserTest.java
index b2497b879..3cce3d71f 100644
--- a/org.eclipse.jgit.test/tst/org/eclipse/jgit/transport/PackParserTest.java
+++ b/org.eclipse.jgit.test/tst/org/eclipse/jgit/transport/PackParserTest.java
@@ -270,7 +270,7 @@ public class PackParserTest extends RepositoryTestCase {
 fail("PackParser should have failed");
 } catch (TooLargeObjectInPackException e) {
 assertTrue(e.getMessage().contains("13")); // max obj size
- assertFalse(e.getMessage().contains("14")); // no delta size
+ assertTrue(e.getMessage().contains("14")); // delta size
 }
 }
diff --git a/org.eclipse.jgit/src/org/eclipse/jgit/transport/PackParser.java b/org.eclipse.jgit/src/org/eclipse/jgit/transport/PackParser.java
index 833d2114c..d2ec39c0c 100644
--- a/org.eclipse.jgit/src/org/eclipse/jgit/transport/PackParser.java
+++ b/org.eclipse.jgit/src/org/eclipse/jgit/transport/PackParser.java
@@ -701,7 +701,7 @@ public abstract class PackParser {
 private final void checkIfTooLarge(int typeCode, long size) throws IOException {
- if (0 < maxObjectSizeLimit && maxObjectSizeLimit < size)
+ if (0 < maxObjectSizeLimit && maxObjectSizeLimit < size) {
 switch (typeCode) {
 case Constants.OBJ_COMMIT:
 case Constants.OBJ_TREE:
@@ -711,13 +711,17 @@ public abstract class PackParser {
 case Constants.OBJ_OFS_DELTA:
 case Constants.OBJ_REF_DELTA:
- throw new TooLargeObjectInPackException(maxObjectSizeLimit);
+ throw new TooLargeObjectInPackException(size, maxObjectSizeLimit);
 default:
 throw new IOException(MessageFormat.format( JGitText.get().unknownObjectType, Integer.valueOf(typeCode)));
 }
+ }
+ if (size > Integer.MAX_VALUE - 8) {
+ throw new TooLargeObjectInPackException(size, Integer.MAX_VALUE - 8);
+ }
 }
 /**
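Review bot: The new bound at the end of `checkIfTooLarge` runs for every `typeCode`, not only `OBJ_OFS_DELTA`/`OBJ_REF_DELTA`, so if the method is also called for whole objects (the `OBJ_COMMIT`/`OBJ_TREE` cases in the switch suggest it is), any commit, tree, blob or tag above the limit is now rejected even when `maxObjectSizeLimit` is 0, which is wider than the "delta" the commit message names. If that is intended, a comment above the check should say so; otherwise it should be gated on the two delta type codes. `Integer.MAX_VALUE - 8` appears twice with no explanation, and a named constant such as `private static final int MAX_ARRAY_SIZE = Integer.MAX_VALUE - 8; // headroom below the JVM's byte[] length limit` would keep the comparison and the exception argument in step. Because `size` presumably comes from pack data sent by the peer, it is worth confirming outside this hunk that the result length declared inside a delta is bounded the same way, since the value checked here may be the inflated delta stream rather than the reconstructed object. The method's signature sits in the previous hunk and its callers are not visible here.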