PackIndexV1 should check for possible corruption

Change-Id: I1dd741d3e522e396950c30d2f96e9713d0439078
Signed-off-by: Marc Strapetz <marc.strapetz@syntevo.com>

diff --git a/org.eclipse.jgit/src/org/eclipse/jgit/internal/storage/file/PackIndexV1.java b/org.eclipse.jgit/src/org/eclipse/jgit/internal/storage/file/PackIndexV1.java
index 2d574d80a0b66a64c8657be58483ca148f87137d..ab3297ad2a9c862f1dc05f55cec4b3de22e14ef4 100644 (file)
--- a/org.eclipse.jgit/src/org/eclipse/jgit/internal/storage/file/PackIndexV1.java
+++ b/org.eclipse.jgit/src/org/eclipse/jgit/internal/storage/file/PackIndexV1.java
@@ -54,6 +54,7 @@ import java.util.NoSuchElementException;
 import java.util.Set;
 
 import org.eclipse.jgit.errors.CorruptObjectException;
+import org.eclipse.jgit.internal.JGitText;
 import org.eclipse.jgit.lib.AbbreviatedObjectId;
 import org.eclipse.jgit.lib.AnyObjectId;
 import org.eclipse.jgit.lib.Constants;
@@ -88,7 +89,11 @@ class PackIndexV1 extends PackIndex {
                                n = (int) (idxHeader[k] - idxHeader[k - 1]);
                        }
                        if (n > 0) {
-                               idxdata[k] = new byte[n * (Constants.OBJECT_ID_LENGTH + 4)];
+                               final long len = n * (Constants.OBJECT_ID_LENGTH + 4);
+                               if (len > Integer.MAX_VALUE - 8) // http://stackoverflow.com/a/8381338
+                                       throw new IOException(JGitText.get().indexFileIsTooLargeForJgit);
+
+                               idxdata[k] = new byte[(int) len];
                                IO.readFully(fd, idxdata[k], 0, idxdata[k].length);
                        }
                }