From 2ec71a7c0e5254eb588885a5d6a9d05108887e22 Mon Sep 17 00:00:00 2001
From: Shawn Pearce <spearce@spearce.org>
Date: Thu, 9 Nov 2017 09:12:59 -0800
Subject: [PATCH] Reject pack if delta exceeds array size limit

JGit's delta handling code requires the target to be a single byte
array. Any attempt to inflate a delta larger than fits in the 2GiB
limit will fail with some form of array index exceptions. Check for
this overflow early and abort pack parsing.

Change-Id: I5bb3a71f1e4f4e0e89b8a177c7019a74ee6194da
---
 .../tst/org/eclipse/jgit/transport/PackParserTest.java    | 2 +-
 .../src/org/eclipse/jgit/transport/PackParser.java        | 8 ++++++--
 2 files changed, 7 insertions(+), 3 deletions(-)

diff --git a/org.eclipse.jgit.test/tst/org/eclipse/jgit/transport/PackParserTest.java b/org.eclipse.jgit.test/tst/org/eclipse/jgit/transport/PackParserTest.java
index b2497b879..3cce3d71f 100644
--- a/org.eclipse.jgit.test/tst/org/eclipse/jgit/transport/PackParserTest.java
+++ b/org.eclipse.jgit.test/tst/org/eclipse/jgit/transport/PackParserTest.java
@@ -270,7 +270,7 @@ public class PackParserTest extends RepositoryTestCase {
 			fail("PackParser should have failed");
 		} catch (TooLargeObjectInPackException e) {
 			assertTrue(e.getMessage().contains("13")); // max obj size
-			assertFalse(e.getMessage().contains("14")); // no delta size
+			assertTrue(e.getMessage().contains("14")); // delta size
 		}
 	}
 
diff --git a/org.eclipse.jgit/src/org/eclipse/jgit/transport/PackParser.java b/org.eclipse.jgit/src/org/eclipse/jgit/transport/PackParser.java
index 833d2114c..d2ec39c0c 100644
--- a/org.eclipse.jgit/src/org/eclipse/jgit/transport/PackParser.java
+++ b/org.eclipse.jgit/src/org/eclipse/jgit/transport/PackParser.java
@@ -701,7 +701,7 @@ public abstract class PackParser {
 
 	private final void checkIfTooLarge(int typeCode, long size)
 			throws IOException {
-		if (0 < maxObjectSizeLimit && maxObjectSizeLimit < size)
+		if (0 < maxObjectSizeLimit && maxObjectSizeLimit < size) {
 			switch (typeCode) {
 			case Constants.OBJ_COMMIT:
 			case Constants.OBJ_TREE:
@@ -711,13 +711,17 @@ public abstract class PackParser {
 
 			case Constants.OBJ_OFS_DELTA:
 			case Constants.OBJ_REF_DELTA:
-				throw new TooLargeObjectInPackException(maxObjectSizeLimit);
+				throw new TooLargeObjectInPackException(size, maxObjectSizeLimit);
 
 			default:
 				throw new IOException(MessageFormat.format(
 						JGitText.get().unknownObjectType,
 						Integer.valueOf(typeCode)));
 			}
+		}
+		if (size > Integer.MAX_VALUE - 8) {
+			throw new TooLargeObjectInPackException(size, Integer.MAX_VALUE - 8);
+		}
 	}
 
 	/**