Merge branch 'coverity-fixes-overflow' into HEAD

dscho · dscho · commit cd5de67cf457 · 2026-06-26T21:04:49.000+02:00
diff --git a/archive-tar.c b/archive-tar.c
@@ -210,6 +210,8 @@ static size_t get_path_prefix(const char *path, size_t pathlen, size_t maxlen)
 		i--;
 	if (i > maxlen)
 		i = maxlen;
+	if (!i)
+		return 0;
 	do {
 		i--;
 	} while (i > 0 && path[i] != '/');
diff --git a/date.c b/date.c
@@ -1298,7 +1298,13 @@ static const char *approxidate_alpha(const char *date, struct tm *tm, struct tm
 	while (tl->type) {
 		size_t len = strlen(tl->type);
 		if (match_string(date, tl->type) >= len-1) {
-			update_tm(tm, now, tl->length * *num);
+			time_t length = tl->length, num_t = *num;
+			time_t max_val = is_unsigned_type(length)
+				? maximum_unsigned_value_of_type(length)
+				: maximum_signed_value_of_type(length);
+			time_t seconds = mult_overflows(length, num_t)
+				? max_val : length * num_t;
+			update_tm(tm, now, seconds);
 			*num = 0;
 			*touched = 1;
 			return end;
diff --git a/git-compat-util.h b/git-compat-util.h
@@ -85,6 +85,18 @@ struct strbuf;
 
 #define bitsizeof(x)  (CHAR_BIT * sizeof(x))
 
+#if GIT_GNUC_PREREQ(3, 1)
+#define is_unsigned_type(a) ((__typeof__(a))-1 >= 0)
+#else
+/*
+ * Without __typeof__, we cannot portably determine signedness from a
+ * value alone. Fall back to assuming signed, which is correct for all
+ * current callers (time_t, off_t, ssize_t are signed on all platforms
+ * Git targets).
+ */
+#define is_unsigned_type(a) 0
+#endif
+
 #define maximum_signed_value_of_type(a) \
     (INTMAX_MAX >> (bitsizeof(intmax_t) - bitsizeof(a)))
 
@@ -111,6 +123,28 @@ struct strbuf;
 #define unsigned_mult_overflows(a, b) \
     ((a) && (b) > maximum_unsigned_value_of_type(a) / (a))
 
+/*
+ * Returns true if the multiplication of "a" and "b" will
+ * overflow or underflow a signed type. The types of "a" and "b"
+ * must match and must be signed. Note that this macro evaluates
+ * both "a" and "b" twice!
+ */
+#define signed_mult_overflows(a, b) \
+    (((a) > 0 && (b) > 0 && (a) > maximum_signed_value_of_type(a) / (b)) || \
+     ((a) < 0 && (b) < 0 && (a) < maximum_signed_value_of_type(a) / (b)) || \
+     ((a) > 0 && (b) < 0 && (b) < -(maximum_signed_value_of_type(a) / (a))) || \
+     ((a) < 0 && (b) > 0 && (a) < -(maximum_signed_value_of_type(b) / (b))))
+
+/*
+ * Returns true if the multiplication of "a" and "b" will overflow,
+ * regardless of whether the type is signed or unsigned.  Note that
+ * this macro evaluates both "a" and "b" twice!
+ */
+#define mult_overflows(a, b) \
+    (is_unsigned_type(a) \
+     ? unsigned_mult_overflows(a, b) \
+     : signed_mult_overflows(a, b))
+
 /*
  * Returns true if the left shift of "a" by "shift" bits will
  * overflow. The type of "a" must be unsigned.
@@ -502,8 +536,19 @@ void set_die_is_recursing_routine(int (*routine)(void));
  *
  *  See the skip_prefix macro below for an example of use.
  */
+/*
+ * Coverity's EVALUATION_ORDER checker mistakes the dead ternary branch
+ * for a live side effect: in skip_prefix(p, "x", &p) the expansion
+ * contains *(out) = (in) in a 0-conditional, which Coverity reads as a
+ * write to p while p is also read as the first argument.  Simplify the
+ * macro for Coverity to suppress 120+ false positives.
+ */
+#ifdef __COVERITY__
+#define CONST_OUTPARAM(in, out) (out)
+#else
 #define CONST_OUTPARAM(in, out) \
 	((const char **)(0 ? ((*(out) = (in)),(out)) : (out)))
+#endif
 
 /*
  * If the string "str" begins with the string found in "prefix", return true.
@@ -760,6 +805,10 @@ static inline uint64_t u64_add(uint64_t a, uint64_t b)
  */
 #define DEFAULT_IO_BUFFER_SIZE (128 * 1024)
 
+#ifndef SSIZE_MAX
+# define SSIZE_MAX ((ssize_t)(((size_t)-1) >> 1))
+#endif
+
 #ifdef HAVE_ALLOCA_H
 # include <alloca.h>
 # define xalloca(size)      (alloca(size))
diff --git a/http.c b/http.c
@@ -2862,7 +2862,7 @@ static size_t fwrite_sha1_file(char *ptr, size_t eltsize, size_t nmemb,
 {
 	unsigned char expn[4096];
 	size_t size = eltsize * nmemb;
-	int posn = 0;
+	size_t posn = 0;
 	struct http_object_request *freq = data;
 	struct active_request_slot *slot = freq->slot;
 
diff --git a/wrapper.c b/wrapper.c
@@ -288,6 +288,11 @@ ssize_t read_in_full(int fd, void *buf, size_t count)
 	char *p = buf;
 	ssize_t total = 0;
 
+	if (count > SSIZE_MAX) {
+		errno = EINVAL;
+		return -1;
+	}
+
 	while (count > 0) {
 		ssize_t loaded = xread(fd, p, count);
 		if (loaded < 0)
@@ -307,6 +312,11 @@ ssize_t write_in_full(int fd, const void *buf, size_t count)
 	const char *p = buf;
 	ssize_t total = 0;
 
+	if (count > SSIZE_MAX) {
+		errno = EINVAL;
+		return -1;
+	}
+
 	while (count > 0) {
 		ssize_t written = xwrite(fd, p, count);
 		if (written < 0)

Original file line number	Diff line number	Diff line change
`@@ -2862,7 +2862,7 @@ static size_t fwrite_sha1_file(char *ptr, size_t eltsize, size_t nmemb,`
`2862`	`2862`	`{`
`2863`	`2863`	`unsigned char expn[4096];`
`2864`	`2864`	`size_t size = eltsize * nmemb;`
`2865`		`- int posn = 0;`
	`2865`	`+ size_t posn = 0;`
`2866`	`2866`	`struct http_object_request *freq = data;`
`2867`	`2867`	`struct active_request_slot *slot = freq->slot;`
`2868`	`2868`