As documented in 320d0b493a2 (add helpers for detecting size_t overflow, 2016-02-19) the arguments to st_mult() and st_add() "must be unsigned". This code added in d9c66f0b5bf (range-diff: first rudimentary implementation, 2018-08-13) operates on signed int. In subsequent commits further overflows resulting in segfaults will be fixed in this code, but let's start by removing this supposed guard that does nothing except give us a false sense of security. E.g. providing an "n" of INT_MAX here will result in "1" on my system, causing us to write into memory. There are other such issues left in the codebase, e.g. the code in "builtin/clean.c" changed in 50a6c8efa2b (use st_add and st_mult for allocation size computation, 2016-02-22). But let's focus on range-diff.c for now. Signed-off-by: Ævar Arnfjörð Bjarmason <avarab@xxxxxxxxx> --- range-diff.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/range-diff.c b/range-diff.c index cac89a2f4f2..170e8623313 100644 --- a/range-diff.c +++ b/range-diff.c @@ -312,7 +312,7 @@ static void get_correspondences(struct string_list *a, struct string_list *b, int *cost, c, *a2b, *b2a; int i, j; - ALLOC_ARRAY(cost, st_mult(n, n)); + ALLOC_ARRAY(cost, n * n); ALLOC_ARRAY(a2b, n); ALLOC_ARRAY(b2a, n); -- 2.34.1.930.g0f9292b224d
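Review bot: The replacement `ALLOC_ARRAY(cost, n * n);` in the get_correspondences() hunk trades an ineffective guard for an unguarded multiplication: with `n` declared as `int` (as the commit message says), `n * n` overflows signed integer arithmetic for large `n`, which is undefined behaviour in C and, in practice, yields a too-small allocation that the later indexing into `cost` would then write past. Since the stated reason for removing `st_mult()` is that its arguments must be unsigned, the minimal fix that keeps the check meaningful is to widen before multiplying rather than to drop the check, e.g. `ALLOC_ARRAY(cost, st_mult((size_t)n, (size_t)n));` or, better, change the type of `n` (and the `i`, `j` loop counters that index with it) to `size_t` in this same patch. If the intent is to defer the real fix to the follow-up commits, the commit message should state that this intermediate state is known to be overflow-prone so that a bisect landing here is not mistaken for a regression introduced elsewhere.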