diff options
author | Shawn Pearce <spearce@spearce.org> | 2017-11-09 09:12:59 -0800 |
---|---|---|
committer | Shawn Pearce <spearce@spearce.org> | 2017-11-09 09:27:54 -0800 |
commit | 2ec71a7c0e5254eb588885a5d6a9d05108887e22 (patch) | |
tree | b7e2404ea16ca5f1e310d213d4ee6d97af2c2a57 /org.eclipse.jgit/src/org/eclipse/jgit/transport/PackParser.java | |
parent | fdf8620ec95ad18d698b928b193907e3a3c0558e (diff) | |
download | jgit-2ec71a7c0e5254eb588885a5d6a9d05108887e22.tar.gz jgit-2ec71a7c0e5254eb588885a5d6a9d05108887e22.zip |
Reject pack if delta exceeds array size limit
JGit's delta handling code requires the target to be a single byte
array. Any attempt to inflate a delta larger than fits in the 2GiB
limit will fail with some form of array index exceptions. Check for
this overflow early and abort pack parsing.
Change-Id: I5bb3a71f1e4f4e0e89b8a177c7019a74ee6194da
Diffstat (limited to 'org.eclipse.jgit/src/org/eclipse/jgit/transport/PackParser.java')
-rw-r--r-- | org.eclipse.jgit/src/org/eclipse/jgit/transport/PackParser.java | 8 |
1 files changed, 6 insertions, 2 deletions
diff --git a/org.eclipse.jgit/src/org/eclipse/jgit/transport/PackParser.java b/org.eclipse.jgit/src/org/eclipse/jgit/transport/PackParser.java index 833d2114cf..d2ec39c0c5 100644 --- a/org.eclipse.jgit/src/org/eclipse/jgit/transport/PackParser.java +++ b/org.eclipse.jgit/src/org/eclipse/jgit/transport/PackParser.java @@ -701,7 +701,7 @@ public abstract class PackParser { private final void checkIfTooLarge(int typeCode, long size) throws IOException { - if (0 < maxObjectSizeLimit && maxObjectSizeLimit < size) + if (0 < maxObjectSizeLimit && maxObjectSizeLimit < size) { switch (typeCode) { case Constants.OBJ_COMMIT: case Constants.OBJ_TREE: @@ -711,13 +711,17 @@ public abstract class PackParser { case Constants.OBJ_OFS_DELTA: case Constants.OBJ_REF_DELTA: - throw new TooLargeObjectInPackException(maxObjectSizeLimit); + throw new TooLargeObjectInPackException(size, maxObjectSizeLimit); default: throw new IOException(MessageFormat.format( JGitText.get().unknownObjectType, Integer.valueOf(typeCode))); } + } + if (size > Integer.MAX_VALUE - 8) { + throw new TooLargeObjectInPackException(size, Integer.MAX_VALUE - 8); + } } /** |