From 310e858f818405d6ad4b9758f22abebd26d0ea88 Mon Sep 17 00:00:00 2001
From: Christian Halstrick <christian.halstrick@sap.com>
Date: Tue, 15 Dec 2015 09:24:07 +0100
Subject: [PATCH] Fix possible arithmetic overflow when setting a timeout

BasePackPushConnection#readStringLongTimeout() was setting a timeout 10
times bigger than some other timeout or the pack transfer time. This
could lead to negative integer values when we hit an arithmetic
overflow. Add a check for this situation and set the timeout to
Integer.MAX_VALUE when overflow happens.

Bug: 484352
CC: Eugene Petrenko <eugene.petrenko@gmail.com>
Change-Id: Ie2a86312c1bcb1ec3e6388fa490ab3c845d41808
---
 .../src/org/eclipse/jgit/transport/BasePackPushConnection.java | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/org.eclipse.jgit/src/org/eclipse/jgit/transport/BasePackPushConnection.java b/org.eclipse.jgit/src/org/eclipse/jgit/transport/BasePackPushConnection.java
index 4499f66d5..963de35d4 100644
--- a/org.eclipse.jgit/src/org/eclipse/jgit/transport/BasePackPushConnection.java
+++ b/org.eclipse.jgit/src/org/eclipse/jgit/transport/BasePackPushConnection.java
@@ -385,7 +385,8 @@ public abstract class BasePackPushConnection extends BasePackConnection implemen
 		final int oldTimeout = timeoutIn.getTimeout();
 		final int sendTime = (int) Math.min(packTransferTime, 28800000L);
 		try {
-			timeoutIn.setTimeout(10 * Math.max(sendTime, oldTimeout));
+			int timeout = 10 * Math.max(sendTime, oldTimeout);
+			timeoutIn.setTimeout((timeout < 0) ? Integer.MAX_VALUE : timeout);
 			return pckIn.readString();
 		} finally {
 			timeoutIn.setTimeout(oldTimeout);