mem-pool: use st_add() in mem_pool_strvfmt()

If len is INT_MAX in mem_pool_strvfmt(), then len + 1 overflows. Casting it to size_t would prevent that. Use st_add() to go a step further and make the addition *obviously* safe. The compiler can optimize the check away on platforms where SIZE_MAX > INT_MAX, i.e. basically everywhere. Signed-off-by: René Scharfe <l.s.r@web.de> Signed-off-by: Junio C Hamano <gitster@pobox.com>
2024-03-31 20:53:07 +02:00 · 2024-03-31 20:53:07 +02:00 · ffeaf2f76a
--- a/mem-pool.c
+++ b/mem-pool.c
@ -115,6 +115,7 @@ static char *mem_pool_strvfmt(struct mem_pool *pool, const char *fmt,
 	size_t available = block ? block->end - block->next_free : 0;
 	va_list cp;
 	int len, len2;
+	size_t size;
 	char *ret;

 	va_copy(cp, ap);
@ -123,13 +124,14 @@ static char *mem_pool_strvfmt(struct mem_pool *pool, const char *fmt,
 	if (len < 0)
 		BUG("your vsnprintf is broken (returned %d)", len);

-	ret = mem_pool_alloc(pool, len + 1);  /* 1 for NUL */
+	size = st_add(len, 1); /* 1 for NUL */
+	ret = mem_pool_alloc(pool, size);

 	/* Shortcut; relies on mem_pool_alloc() not touching buffer contents. */
 	if (ret == next_free)
 		return ret;

-	len2 = vsnprintf(ret, len + 1, fmt, ap);
+	len2 = vsnprintf(ret, size, fmt, ap);
 	if (len2 != len)
 		BUG("your vsnprintf is broken (returns inconsistent lengths)");
 	return ret;