Merge branch 'coverity-fixes-overflow' into HEAD

Author: dscho

archive-tar.c

@@ -210,6 +210,8 @@ static size_t get_path_prefix(const char *path, size_t pathlen, size_t maxlen)
 		i--;
 	if (i > maxlen)
 		i = maxlen;
+	if (!i)
+		return 0;
 	do {
 		i--;
 	} while (i > 0 && path[i] != '/');

date.c

@@ -1272,7 +1272,13 @@ static const char *approxidate_alpha(const char *date, struct tm *tm, struct tm
 	while (tl->type) {
 		size_t len = strlen(tl->type);
 		if (match_string(date, tl->type) >= len-1) {
-			update_tm(tm, now, tl->length * *num);
+			time_t length = tl->length, num_t = *num;
+			time_t max_val = is_unsigned_type(length)
+				? maximum_unsigned_value_of_type(length)
+				: maximum_signed_value_of_type(length);
+			time_t seconds = mult_overflows(length, num_t)
+				? max_val : length * num_t;
+			update_tm(tm, now, seconds);
 			*num = 0;
 			*touched = 1;
 			return end;

git-compat-util.h

@@ -85,6 +85,8 @@ struct strbuf;
 
 #define bitsizeof(x)  (CHAR_BIT * sizeof(x))
 
+#define is_unsigned_type(a) ((typeof(a))-1 >= 0)
+
 #define maximum_signed_value_of_type(a) \
     (INTMAX_MAX >> (bitsizeof(intmax_t) - bitsizeof(a)))
 
@@ -111,6 +113,28 @@ struct strbuf;
 #define unsigned_mult_overflows(a, b) \
     ((a) && (b) > maximum_unsigned_value_of_type(a) / (a))
 
+/*
+ * Returns true if the multiplication of "a" and "b" will
+ * overflow or underflow a signed type. The types of "a" and "b"
+ * must match and must be signed. Note that this macro evaluates
+ * both "a" and "b" twice!
+ */
+#define signed_mult_overflows(a, b) \
+    (((a) > 0 && (b) > 0 && (a) > maximum_signed_value_of_type(a) / (b)) || \
+     ((a) < 0 && (b) < 0 && (a) < maximum_signed_value_of_type(a) / (b)) || \
+     ((a) > 0 && (b) < 0 && (b) < -(maximum_signed_value_of_type(a) / (a))) || \
+     ((a) < 0 && (b) > 0 && (a) < -(maximum_signed_value_of_type(b) / (b))))
+
+/*
+ * Returns true if the multiplication of "a" and "b" will overflow,
+ * regardless of whether the type is signed or unsigned.  Note that
+ * this macro evaluates both "a" and "b" twice!
+ */
+#define mult_overflows(a, b) \
+    (is_unsigned_type(a) \
+     ? unsigned_mult_overflows(a, b) \
+     : signed_mult_overflows(a, b))
+
 /*
  * Returns true if the left shift of "a" by "shift" bits will
  * overflow. The type of "a" must be unsigned.
@@ -502,8 +526,19 @@ void set_die_is_recursing_routine(int (*routine)(void));
  *
  *  See the skip_prefix macro below for an example of use.
  */
+/*
+ * Coverity's EVALUATION_ORDER checker mistakes the dead ternary branch
+ * for a live side effect: in skip_prefix(p, "x", &p) the expansion
+ * contains *(out) = (in) in a 0-conditional, which Coverity reads as a
+ * write to p while p is also read as the first argument.  Simplify the
+ * macro for Coverity to suppress 120+ false positives.
+ */
+#ifdef __COVERITY__
+#define CONST_OUTPARAM(in, out) (out)
+#else
 #define CONST_OUTPARAM(in, out) \
 	((const char **)(0 ? ((*(out) = (in)),(out)) : (out)))
+#endif
 
 /*
  * If the string "str" begins with the string found in "prefix", return true.

http.c

@@ -2819,7 +2819,7 @@ static size_t fwrite_sha1_file(char *ptr, size_t eltsize, size_t nmemb,
 {
 	unsigned char expn[4096];
 	size_t size = eltsize * nmemb;
-	int posn = 0;
+	size_t posn = 0;
 	struct http_object_request *freq = data;
 	struct active_request_slot *slot = freq->slot;
 

wrapper.c

@@ -288,6 +288,11 @@ ssize_t read_in_full(int fd, void *buf, size_t count)
 	char *p = buf;
 	ssize_t total = 0;
 
+	if (count > SSIZE_MAX) {
+		errno = EINVAL;
+		return -1;
+	}
+
 	while (count > 0) {
 		ssize_t loaded = xread(fd, p, count);
 		if (loaded < 0)
@@ -307,6 +312,11 @@ ssize_t write_in_full(int fd, const void *buf, size_t count)
 	const char *p = buf;
 	ssize_t total = 0;
 
+	if (count > SSIZE_MAX) {
+		errno = EINVAL;
+		return -1;
+	}
+
 	while (count > 0) {
 		ssize_t written = xwrite(fd, p, count);
 		if (written < 0)