From: "Michael Montalbo via GitGitGadget" <gitgitgadget@gmail.com>
To: git@vger.kernel.org
Cc: Michael Montalbo <mmontalbo@gmail.com>,
Michael Montalbo <mmontalbo@gmail.com>
Subject: [PATCH 3/4] xdiff: guard against negative context lengths
Date: Tue, 05 May 2026 23:02:23 +0000
Message-ID: <f9cfa0c55dde8f7e876b568f8ea7caf555ffff1c.1778022144.git.gitgitgadget@gmail.com>
In-Reply-To: <pull.2105.git.1778022144.gitgitgadget@gmail.com>
From: Michael Montalbo <mmontalbo@gmail.com>

The xdemitconf_t fields ctxlen and interhunkctxlen are typed as long
(signed), but negative values are not meaningful for context line
counts. Unlike the diff_options fields changed in the previous two
commits, these cannot be converted to unsigned because the xdiff
arithmetic relies on signed subtraction:

    s1 = XDL_MAX(xch->i1 - xecfg->ctxlen, 0);

If ctxlen were unsigned long, the signed operand would be implicitly
converted to unsigned, and the subtraction would wrap to a large
positive value when i1 < ctxlen, defeating the XDL_MAX clamp. The
signed type is required for correct context-window calculations.

The previous two commits reject negative values at the parse layer
for --inter-hunk-context and -U/--unified, so negative values should
no longer reach xdiff in normal use. Add BUG() guards at the top of
xdl_get_hunk() as defense in depth to catch programming errors in
current or future callers that bypass option parsing.

xdl_get_hunk() is called by both xdl_emit_diff() and
xdl_call_hunk_func(), so a single guard covers all xdiff consumers.

Signed-off-by: Michael Montalbo <mmontalbo@gmail.com>
---
xdiff/xemit.c | 16 ++++++++++++----
1 file changed, 12 insertions(+), 4 deletions(-)
diff --git a/xdiff/xemit.c b/xdiff/xemit.c
index 04f7e9193b..7cd9cf0a44 100644
--- a/xdiff/xemit.c
+++ b/xdiff/xemit.c
@@ -46,12 +46,20 @@ static long saturating_add(long a, long b)
xdchange_t *xdl_get_hunk(xdchange_t **xscr, xdemitconf_t const *xecfg)
{
xdchange_t *xch, *xchp, *lxch;
- long max_common = saturating_add(saturating_add(xecfg->ctxlen,
- xecfg->ctxlen),
- xecfg->interhunkctxlen);
- long max_ignorable = xecfg->ctxlen;
+ long max_common;
+ long max_ignorable;
long ignored = 0; /* number of ignored blank lines */
+ if (xecfg->ctxlen < 0)
+ BUG("negative context length: %ld", xecfg->ctxlen);
+ if (xecfg->interhunkctxlen < 0)
+ BUG("negative inter-hunk context length: %ld", xecfg->interhunkctxlen);
+
+ max_common = saturating_add(saturating_add(xecfg->ctxlen,
+ xecfg->ctxlen),
+ xecfg->interhunkctxlen);
+ max_ignorable = xecfg->ctxlen;
+
/* remove ignorable changes that are too far before other changes */
for (xchp = *xscr; xchp && xchp->ignore; xchp = xchp->next) {
xch = xchp->next;
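
Review bot: the two BUG() guards added at the top of xdl_get_hunk() have no comment saying why ctxlen and interhunkctxlen stay signed long and are range-checked here rather than made unsigned; that reasoning exists only in the commit message. A short comment above the "if (xecfg->ctxlen < 0)" check, pointing at signed subtractions such as the XDL_MAX(xch->i1 - xecfg->ctxlen, 0) clamp, would keep a later cleanup from converting the fields. As a style point, the line BUG("negative inter-hunk context length: %ld", xecfg->interhunkctxlen); is 71 characters before indentation, so it runs past 80 columns once indented and could be wrapped after the format string.
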
--
gitgitgadget
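
The signed-versus-unsigned argument in the commit message above, as an added example that is not part of the patch or of git's code. XDL_MAX is redefined locally with the same shape, the function names are hypothetical, and the checked variant returns -1 where the patch calls BUG().

```c
#include <limits.h>
#include <stdio.h>

/* Same shape as xdiff's XDL_MAX, redefined so this example stands alone. */
#define XDL_MAX(a, b) ((a) > (b) ? (a) : (b))

/* Signed ctxlen, as in the expression quoted in the commit message. */
static long ctx_start_signed(long i1, long ctxlen)
{
	return XDL_MAX(i1 - ctxlen, 0);
}

/*
 * Hypothetical variant with an unsigned ctxlen: i1 is converted to
 * unsigned long, the subtraction wraps instead of going negative, and
 * the comparison against 0 no longer selects the clamp value.
 */
static unsigned long ctx_start_unsigned(long i1, unsigned long ctxlen)
{
	return XDL_MAX(i1 - ctxlen, 0);
}

/*
 * Stand-in for the guard (assumption: returns -1 where the patch calls
 * BUG()): a negative ctxlen would otherwise move the start forwards.
 */
static long ctx_start_checked(long i1, long ctxlen)
{
	if (ctxlen < 0)
		return -1;
	return ctx_start_signed(i1, ctxlen);
}

int main(void)
{
	/* Constructed values: a change at line index 2, 3 lines of context. */
	printf("signed:       %ld\n", ctx_start_signed(2, 3));
	printf("unsigned:     %lu\n", ctx_start_unsigned(2, 3));
	/* Negative context, no guard: the "start" lands after the change. */
	printf("unguarded -3: %ld\n", ctx_start_signed(2, -3));
	printf("guarded   -3: %ld\n", ctx_start_checked(2, -3));
	return 0;
}
```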
Thread overview: 15+ messages
2026-05-05 23:02 [PATCH 0/4] diff: reject negative context values Michael Montalbo via GitGitGadget
2026-05-05 23:02 ` [PATCH 1/4] diff: reject negative values for --inter-hunk-context Michael Montalbo via GitGitGadget
2026-05-05 23:02 ` [PATCH 2/4] diff: reject negative values for -U/--unified Michael Montalbo via GitGitGadget
2026-05-05 23:02 ` Michael Montalbo via GitGitGadget [this message]
2026-05-05 23:02 ` [PATCH 4/4] parse-options: clarify PARSE_OPT_NONEG does not reject negative numbers Michael Montalbo via GitGitGadget
2026-05-09 22:01 ` Junio C Hamano
2026-05-10 2:41 ` Michael Montalbo
2026-05-10 1:01 ` [PATCH 0/4] diff: reject negative context values Junio C Hamano
2026-05-10 2:46 ` Michael Montalbo
2026-05-12 18:10 ` [PATCH v2 " Michael Montalbo via GitGitGadget
2026-05-12 18:10 ` [PATCH v2 1/4] diff: reject negative values for --inter-hunk-context Michael Montalbo via GitGitGadget
2026-05-12 18:10 ` [PATCH v2 2/4] diff: reject negative values for -U/--unified Michael Montalbo via GitGitGadget
2026-05-12 18:10 ` [PATCH v2 3/4] xdiff: guard against negative context lengths Michael Montalbo via GitGitGadget
2026-05-12 18:10 ` [PATCH v2 4/4] parse-options: clarify what "negated" means for PARSE_OPT_NONEG Michael Montalbo via GitGitGadget
2026-05-13 1:16 ` [PATCH v2 0/4] diff: reject negative context values Junio C Hamano