From 6be184e15ca1c3d1b50d269dd94973c24773f6ec Mon Sep 17 00:00:00 2001
From: Marc Strapetz <marc.strapetz@syntevo.com>
Date: Fri, 15 Aug 2014 14:02:16 +0200
Subject: [PATCH] PackIndexV2 should check for possible corruption

Change-Id: I1803ec6d8141f07dd4085778da6461abe81c30a9
Signed-off-by: Marc Strapetz <marc.strapetz@syntevo.com>
---
 .../resources/org/eclipse/jgit/internal/JGitText.properties | 1 +
 .../src/org/eclipse/jgit/internal/JGitText.java             | 1 +
 .../org/eclipse/jgit/internal/storage/file/PackIndexV2.java | 6 +++++-
 3 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/org.eclipse.jgit/resources/org/eclipse/jgit/internal/JGitText.properties b/org.eclipse.jgit/resources/org/eclipse/jgit/internal/JGitText.properties
index 750b65c65..514e11c25 100644
--- a/org.eclipse.jgit/resources/org/eclipse/jgit/internal/JGitText.properties
+++ b/org.eclipse.jgit/resources/org/eclipse/jgit/internal/JGitText.properties
@@ -244,6 +244,7 @@ illegalStateExists=exists {0}
 improperlyPaddedBase64Input=Improperly padded Base64 input.
 incorrectHashFor=Incorrect hash for {0}; computed {1} as a {2} from {3} bytes.
 incorrectOBJECT_ID_LENGTH=Incorrect OBJECT_ID_LENGTH.
+indexFileCorruptedNegativeBucketCount=Invalid negative bucket count read from pack v2 index file: {0}
 indexFileIsInUse=Index file is in use
 indexFileIsTooLargeForJgit=Index file is too large for jgit
 indexSignatureIsInvalid=Index signature is invalid: {0}
diff --git a/org.eclipse.jgit/src/org/eclipse/jgit/internal/JGitText.java b/org.eclipse.jgit/src/org/eclipse/jgit/internal/JGitText.java
index ed9451492..5d9524bed 100644
--- a/org.eclipse.jgit/src/org/eclipse/jgit/internal/JGitText.java
+++ b/org.eclipse.jgit/src/org/eclipse/jgit/internal/JGitText.java
@@ -303,6 +303,7 @@ public static JGitText get() {
 	/***/ public String improperlyPaddedBase64Input;
 	/***/ public String incorrectHashFor;
 	/***/ public String incorrectOBJECT_ID_LENGTH;
+	/***/ public String indexFileCorruptedNegativeBucketCount;
 	/***/ public String indexFileIsInUse;
 	/***/ public String indexFileIsTooLargeForJgit;
 	/***/ public String indexSignatureIsInvalid;
diff --git a/org.eclipse.jgit/src/org/eclipse/jgit/internal/storage/file/PackIndexV2.java b/org.eclipse.jgit/src/org/eclipse/jgit/internal/storage/file/PackIndexV2.java
index 5a5d1f77d..70cf20fb9 100644
--- a/org.eclipse.jgit/src/org/eclipse/jgit/internal/storage/file/PackIndexV2.java
+++ b/org.eclipse.jgit/src/org/eclipse/jgit/internal/storage/file/PackIndexV2.java
@@ -45,6 +45,7 @@
 
 import java.io.IOException;
 import java.io.InputStream;
+import java.text.MessageFormat;
 import java.util.Arrays;
 import java.util.Iterator;
 import java.util.NoSuchElementException;
@@ -113,7 +114,10 @@ class PackIndexV2 extends PackIndex {
 				offset32[k] = NO_BYTES;
 				crc32[k] = NO_BYTES;
 				continue;
-			}
+			} else if (bucketCnt < 0)
+				throw new IOException(MessageFormat.format(
+						JGitText.get().indexFileCorruptedNegativeBucketCount,
+						Long.valueOf(bucketCnt)));
 
 			final long nameLen = bucketCnt * Constants.OBJECT_ID_LENGTH;
 			if (nameLen > Integer.MAX_VALUE - 8) // see http://stackoverflow.com/a/8381338