From f2ebc8d4c5af5bfaf519d19a72eba477d10d86aa Mon Sep 17 00:00:00 2001
From: Marc Strapetz
Date: Mon, 8 Sep 2014 17:02:33 +0200
Subject: [PATCH] PackIndexV1 should check for possible corruption
Change-Id: I1dd741d3e522e396950c30d2f96e9713d0439078
Signed-off-by: Marc Strapetz
---
 .../eclipse/jgit/internal/storage/file/PackIndexV1.java | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/org.eclipse.jgit/src/org/eclipse/jgit/internal/storage/file/PackIndexV1.java b/org.eclipse.jgit/src/org/eclipse/jgit/internal/storage/file/PackIndexV1.java
index 2d574d80a..ab3297ad2 100644
--- a/org.eclipse.jgit/src/org/eclipse/jgit/internal/storage/file/PackIndexV1.java
+++ b/org.eclipse.jgit/src/org/eclipse/jgit/internal/storage/file/PackIndexV1.java
@@ -54,6 +54,7 @@ import java.util.NoSuchElementException;
 import java.util.Set;
 import org.eclipse.jgit.errors.CorruptObjectException;
+import org.eclipse.jgit.internal.JGitText;
 import org.eclipse.jgit.lib.AbbreviatedObjectId;
 import org.eclipse.jgit.lib.AnyObjectId;
 import org.eclipse.jgit.lib.Constants;
@@ -88,7 +89,11 @@ class PackIndexV1 extends PackIndex {
 n = (int) (idxHeader[k] - idxHeader[k - 1]);
 }
 if (n > 0) {
- idxdata[k] = new byte[n * (Constants.OBJECT_ID_LENGTH + 4)];
+ final long len = n * (Constants.OBJECT_ID_LENGTH + 4);
+ if (len > Integer.MAX_VALUE - 8) // http://stackoverflow.com/a/8381338
+ throw new IOException(JGitText.get().indexFileIsTooLargeForJgit);
+
+ idxdata[k] = new byte[(int) len];
 IO.readFully(fd, idxdata[k], 0, idxdata[k].length);
 }
 }
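Review bot: The product in `final long len = n * (Constants.OBJECT_ID_LENGTH + 4);` (second hunk) is still computed in 32-bit `int` arithmetic, because `n` comes from the `(int)` cast in the context line above and the other operand is an int expression (assuming `OBJECT_ID_LENGTH` is declared `int`). The value wraps before it is widened to `long`, so the new `len > Integer.MAX_VALUE - 8` guard cannot fire for the oversized bucket it is meant to reject. A corrupt or untrusted index can still produce a negative length (`NegativeArraySizeException`) or a wrapped, undersized array that is then parsed as if complete. Widen one operand first: `final long len = (long) n * (Constants.OBJECT_ID_LENGTH + 4);`. The `(int)` cast that produces `n` can itself truncate a large fan-out delta, and a negative `n` is skipped by `if (n > 0)`; that logic starts outside this hunk, so confirm whether non-monotonic fan-out entries are rejected elsewhere.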