Browse Source

PackIndexV1 should check for possible corruption

Change-Id: I1dd741d3e522e396950c30d2f96e9713d0439078
Signed-off-by: Marc Strapetz <marc.strapetz@syntevo.com>
stable-3.6
Marc Strapetz 10 years ago
parent
commit
f2ebc8d4c5
  1. 7
      org.eclipse.jgit/src/org/eclipse/jgit/internal/storage/file/PackIndexV1.java

7
org.eclipse.jgit/src/org/eclipse/jgit/internal/storage/file/PackIndexV1.java

@ -54,6 +54,7 @@ import java.util.NoSuchElementException;
import java.util.Set; import java.util.Set;
import org.eclipse.jgit.errors.CorruptObjectException; import org.eclipse.jgit.errors.CorruptObjectException;
import org.eclipse.jgit.internal.JGitText;
import org.eclipse.jgit.lib.AbbreviatedObjectId; import org.eclipse.jgit.lib.AbbreviatedObjectId;
import org.eclipse.jgit.lib.AnyObjectId; import org.eclipse.jgit.lib.AnyObjectId;
import org.eclipse.jgit.lib.Constants; import org.eclipse.jgit.lib.Constants;
@ -88,7 +89,11 @@ class PackIndexV1 extends PackIndex {
n = (int) (idxHeader[k] - idxHeader[k - 1]); n = (int) (idxHeader[k] - idxHeader[k - 1]);
} }
if (n > 0) { if (n > 0) {
idxdata[k] = new byte[n * (Constants.OBJECT_ID_LENGTH + 4)]; final long len = n * (Constants.OBJECT_ID_LENGTH + 4);
if (len > Integer.MAX_VALUE - 8) // http://stackoverflow.com/a/8381338
throw new IOException(JGitText.get().indexFileIsTooLargeForJgit);
idxdata[k] = new byte[(int) len];
IO.readFully(fd, idxdata[k], 0, idxdata[k].length); IO.readFully(fd, idxdata[k], 0, idxdata[k].length);
} }
} }

Loading…
Cancel
Save