On Sat, Dec 09, 2023 at 07:35:23AM +0900, Junio C Hamano wrote: > The "rev-list" and other commands in the "log" family, being the > oldest part of the system, use their own custom argument parsers, > and integer values of some options are parsed with atoi(), which > allows a non-digit after the number (e.g., "1q") to be silently > ignored. As a natural consequence, an argument that does not begin > with a digit (e.g., "q") silently becomes zero, too. > > Switch to use strtol_i() and parse_timestamp() appropriately to > catch bogus input. > > Note that one may naïvely expect that --max-count, --skip, etc., to > only take non-negative values, but we must allow them to also take > negative values, as an escape hatch to countermand a limit set by an > earlier option on the command line; the underlying variables are > initialized to (-1) and "--max-count=-1", for example, is a > legitimate way to reinitialize the limit. This all looks pretty reasonable to me. I couldn't help but think, though, that surely we have some helpers for this already? But the closest seems to be git_parse_int(), which also allows unit factors. I'm not sure if allowing "-n 1k" would be a feature or a bug. ;) I guess "strtol_i()" maybe is that helper already, though I did not even know it existed. Looks like it goes back to 2007, and is seldom used. I wonder if there are more spots that could benefit. I don't think there is any such helper for timestamps, but the checks in your parser look good (strtol_i() checks for overflow as we cast to int, but I don't think we need to do the same here since timestamp_t and parse_timestamp() should be matched). -Peff
