Patrick Steinhardt <ps@xxxxxx> writes:
> Handle allocation failures in `reftable_calloc()`.
>
> Signed-off-by: Patrick Steinhardt <ps@xxxxxx>
> ---
> reftable/basics.c | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/reftable/basics.c b/reftable/basics.c
> index 4adc98cf5de..b404900b5d9 100644
> --- a/reftable/basics.c
> +++ b/reftable/basics.c
> @@ -39,6 +39,8 @@ void *reftable_calloc(size_t nelem, size_t elsize)
> {
> size_t sz = st_mult(nelem, elsize);
> void *p = reftable_malloc(sz);
> + if (!p)
> + return NULL;
> memset(p, 0, sz);
> return p;
> }
Since this series is not about eradicating all avenues in reftable
library code that can lead to die(), but only about dealing with
allocation errors from the underlying malloc/realloc routines, I
think the code posted is perfectly fine as-is as a part of this
series, but since I noticed something, let me comment before I
forget.
When st_mult() detects overflow, you'd still die(), wouldn't you?
We'd probably want a variant of st_mult() that lets us notice a
condition that would yield too large a result, and code the above
like so,
size_t sz;
void *p;
if (st_mult_gently(nelem, elsize, &sz) ||
!((p = reftable_malloc(sz))))
return NULL;
memset(p, 0, sz);
return p;
or use the underlying helper ourselves, and say
size_t sz;
void *p;
if (unsigned_mult_overflows(nelem, elsize)) ||
!((sz = nelem * elsize, p = reftable_malloc(sz))))
return NULL;
memset(p, 0, sz);
return p;
which lets us without an extra helper but after writing it myself, I
find it a bit too wordy.
In a sense, it is on the borderline to handle st_mult() overflow in
this function for a topic whose theme is about allocation failures.
