From: Jeff King <peff@peff.net>
To: Eric Sunshine <sunshine@sunshineco.com>
Cc: Git List <git@vger.kernel.org>
Subject: Re: [PATCH 05/18] convert trivial cases to ALLOC_ARRAY
Date: Tue, 16 Feb 2016 00:46:37 -0500 [thread overview]
Message-ID: <20160216054637.GA28237@sigill.intra.peff.net> (raw)
In-Reply-To: <CAPig+cSn29QtcWKRAaKMDzObuXetEySrVtLogkzfZXKXjPeufQ@mail.gmail.com>
On Mon, Feb 15, 2016 at 11:32:25PM -0500, Eric Sunshine wrote:
> On Mon, Feb 15, 2016 at 11:23 PM, Jeff King <peff@peff.net> wrote:
> > On Mon, Feb 15, 2016 at 11:22:12PM -0500, Eric Sunshine wrote:
> >> On Mon, Feb 15, 2016 at 4:51 PM, Jeff King <peff@peff.net> wrote:
> >> > - path = xmalloc((n+1)*sizeof(char *));
> >> > + ALLOC_ARRAY(path, n+1);
> >>
> >> Elsewhere in this patch, you've reformatted "x+c" as "x + c"; perhaps
> >> do so here, as well.
> >
> > Will do. I noticed while going over this before sending it out that it
> > may also be technically possible for "n+1" to overflow here (and I think
> > in a few other places in this patch). I don't know how paranoid we want
> > to be.
>
> Yes, I also noticed those and considered mentioning it. There was also
> some multiplication which might be of concern.
>
> ALLOC_ARRAY(graph->mapping, 2 * graph->column_capacity);
>
> It would be easy enough to manually call st_add() and st_mult() for
> those cases, but I haven't examined them closely enough to determine
> how likely they would be to overflow, nor do I know if the resulting
> noisiness of code is desirable.
Yeah, I'm quite sure that one is safe (we set column_capacity to a fixed
integer immediately beforehand). And many of the "+" ones are likely
safe, too. If "n" is close to wrapping, then allocating "n" structs
will probably fail beforehand (though not always, if you have a ton of
RAM and "n" is a signed int).
But part of the point of this series is that we shouldn't have to wonder
if things are safe. They should just be obviously so, and we should err
on the side of caution. So I think it probably _is_ worth sprinkling
st_add() calls in those places. I'll take a look for the re-roll.
-Peff
next prev parent reply other threads:[~2016-02-16 5:47 UTC|newest]
Thread overview: 93+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-02-15 21:45 [PATCH 0/18] hardening allocations against integer overflow Jeff King
2016-02-15 21:49 ` [PATCH 01/18] add helpers for detecting size_t overflow Jeff King
2016-02-15 21:49 ` [PATCH 02/18] tree-diff: catch integer overflow in combine_diff_path allocation Jeff King
2016-02-15 21:50 ` [PATCH 03/18] harden REALLOC_ARRAY and xcalloc against size_t overflow Jeff King
2016-02-15 21:50 ` [PATCH 04/18] add helpers for allocating flex-array structs Jeff King
2016-02-16 1:47 ` Eric Sunshine
2016-02-16 2:52 ` Jeff King
2016-02-15 21:51 ` [PATCH 05/18] convert trivial cases to ALLOC_ARRAY Jeff King
2016-02-16 4:22 ` Eric Sunshine
2016-02-16 4:23 ` Jeff King
2016-02-16 4:32 ` Eric Sunshine
2016-02-16 5:46 ` Jeff King [this message]
2016-02-15 21:52 ` [PATCH 06/18] use xmallocz to avoid size arithmetic Jeff King
2016-02-15 21:52 ` [PATCH 07/18] convert trivial cases to FLEX_ARRAY macros Jeff King
2016-02-16 2:17 ` Eric Sunshine
2016-02-16 3:15 ` Jeff King
2016-02-16 3:26 ` Jeff King
2016-02-16 3:36 ` Jeff King
2016-02-16 4:18 ` Eric Sunshine
2016-02-16 4:22 ` Jeff King
2016-02-16 4:10 ` Eric Sunshine
2016-02-15 21:53 ` [PATCH 08/18] use st_add and st_mult for allocation size computation Jeff King
2016-02-16 5:47 ` Eric Sunshine
2016-02-15 21:53 ` [PATCH 09/18] write_untracked_extension: use FLEX_ALLOC helper Jeff King
2016-02-15 21:54 ` [PATCH 10/18] fast-import: simplify allocation in start_packfile Jeff King
2016-02-15 21:54 ` [PATCH 11/18] fetch-pack: simplify add_sought_entry Jeff King
2016-02-15 21:55 ` [PATCH 12/18] test-path-utils: fix normalize_path_copy output buffer size Jeff King
2016-02-15 21:56 ` [PATCH 13/18] sequencer: simplify memory allocation of get_message Jeff King
2016-02-16 6:05 ` Eric Sunshine
2016-02-15 21:56 ` [PATCH 14/18] git-compat-util: drop mempcpy compat code Jeff King
2016-02-16 6:05 ` Eric Sunshine
2016-02-15 21:56 ` [PATCH 15/18] transport_anonymize_url: use xstrfmt Jeff King
2016-02-15 21:56 ` [PATCH 16/18] diff_populate_gitlink: use a strbuf Jeff King
2016-02-15 21:57 ` [PATCH 17/18] convert ewah/bitmap code to use xmalloc Jeff King
2016-02-15 21:57 ` [PATCH 18/18] ewah: convert to REALLOC_ARRAY, etc Jeff King
2016-02-15 22:02 ` [PATCH 0/18] hardening allocations against integer overflow Jeff King
2016-02-19 11:19 ` [PATCH v2 0/21] " Jeff King
2016-02-19 11:21 ` [PATCH 01/21] reflog_expire_cfg: NUL-terminate pattern field Jeff King
2016-02-19 11:21 ` [PATCH 02/21] add helpers for detecting size_t overflow Jeff King
2016-02-19 11:21 ` [PATCH 03/21] tree-diff: catch integer overflow in combine_diff_path allocation Jeff King
2016-02-19 11:22 ` [PATCH 04/21] harden REALLOC_ARRAY and xcalloc against size_t overflow Jeff King
2016-02-20 21:32 ` René Scharfe
2016-02-21 23:30 ` Jeff King
2016-02-19 11:22 ` [PATCH 05/21] add helpers for allocating flex-array structs Jeff King
2016-02-19 11:23 ` [PATCH 06/21] convert manual allocations to argv_array Jeff King
2016-02-20 8:07 ` Eric Sunshine
2016-02-20 8:10 ` Jeff King
2016-02-20 8:29 ` Eric Sunshine
2016-02-20 8:34 ` Jeff King
2016-02-20 8:39 ` Eric Sunshine
2016-02-20 8:57 ` Jeff King
2016-02-20 9:04 ` Eric Sunshine
2016-02-19 11:23 ` [PATCH 07/21] convert trivial cases to ALLOC_ARRAY Jeff King
2016-02-19 11:23 ` [PATCH 08/21] use xmallocz to avoid size arithmetic Jeff King
2016-02-19 11:23 ` [PATCH 09/21] convert trivial cases to FLEX_ARRAY macros Jeff King
2016-02-19 11:23 ` [PATCH 10/21] use st_add and st_mult for allocation size computation Jeff King
2016-02-19 11:24 ` [PATCH 11/21] prepare_{git,shell}_cmd: use argv_array Jeff King
2016-02-19 11:24 ` [PATCH 12/21] write_untracked_extension: use FLEX_ALLOC helper Jeff King
2016-02-19 11:24 ` [PATCH 13/21] fast-import: simplify allocation in start_packfile Jeff King
2016-02-19 17:48 ` Junio C Hamano
2016-02-19 19:12 ` Jeff King
2016-02-19 11:24 ` [PATCH 14/21] fetch-pack: simplify add_sought_entry Jeff King
2016-02-19 11:24 ` [PATCH 15/21] test-path-utils: fix normalize_path_copy output buffer size Jeff King
2016-02-19 11:25 ` [PATCH 16/21] sequencer: simplify memory allocation of get_message Jeff King
2016-02-19 11:25 ` [PATCH 17/21] git-compat-util: drop mempcpy compat code Jeff King
2016-02-19 11:25 ` [PATCH 18/21] transport_anonymize_url: use xstrfmt Jeff King
2016-02-19 11:25 ` [PATCH 19/21] diff_populate_gitlink: use a strbuf Jeff King
2016-02-19 11:25 ` [PATCH 20/21] convert ewah/bitmap code to use xmalloc Jeff King
2016-02-19 11:25 ` [PATCH 21/21] ewah: convert to REALLOC_ARRAY, etc Jeff King
2016-02-22 22:41 ` [PATCH v3 0/22] hardening allocations against integer overflow Jeff King
2016-02-22 22:43 ` [PATCH v3 01/22] reflog_expire_cfg: NUL-terminate pattern field Jeff King
2016-02-22 22:43 ` [PATCH v3 02/22] add helpers for detecting size_t overflow Jeff King
2016-02-22 22:43 ` [PATCH v3 03/22] tree-diff: catch integer overflow in combine_diff_path allocation Jeff King
2016-02-22 22:43 ` [PATCH v3 04/22] harden REALLOC_ARRAY and xcalloc against size_t overflow Jeff King
2016-02-22 22:43 ` [PATCH v3 05/22] add helpers for allocating flex-array structs Jeff King
2016-02-22 22:44 ` [PATCH v3 06/22] argv-array: add detach function Jeff King
2016-02-22 22:44 ` [PATCH v3 07/22] convert manual allocations to argv_array Jeff King
2016-02-22 22:44 ` [PATCH v3 08/22] convert trivial cases to ALLOC_ARRAY Jeff King
2016-02-22 22:44 ` [PATCH v3 09/22] use xmallocz to avoid size arithmetic Jeff King
2016-02-22 22:44 ` [PATCH v3 10/22] convert trivial cases to FLEX_ARRAY macros Jeff King
2016-02-22 22:44 ` [PATCH v3 11/22] use st_add and st_mult for allocation size computation Jeff King
2016-02-22 22:44 ` [PATCH v3 12/22] prepare_{git,shell}_cmd: use argv_array Jeff King
2016-02-22 22:44 ` [PATCH v3 13/22] write_untracked_extension: use FLEX_ALLOC helper Jeff King
2016-02-22 22:44 ` [PATCH v3 14/22] fast-import: simplify allocation in start_packfile Jeff King
2016-02-22 22:44 ` [PATCH v3 15/22] fetch-pack: simplify add_sought_entry Jeff King
2016-02-22 22:44 ` [PATCH v3 16/22] test-path-utils: fix normalize_path_copy output buffer size Jeff King
2016-02-22 22:44 ` [PATCH v3 17/22] sequencer: simplify memory allocation of get_message Jeff King
2016-02-22 22:45 ` [PATCH v3 18/22] git-compat-util: drop mempcpy compat code Jeff King
2016-02-22 22:45 ` [PATCH v3 19/22] transport_anonymize_url: use xstrfmt Jeff King
2016-02-22 22:45 ` [PATCH v3 20/22] diff_populate_gitlink: use a strbuf Jeff King
2016-02-22 22:45 ` [PATCH v3 21/22] convert ewah/bitmap code to use xmalloc Jeff King
2016-02-22 22:45 ` [PATCH v3 22/22] ewah: convert to REALLOC_ARRAY, etc Jeff King
2016-02-22 23:08 ` [PATCH v3 0/22] hardening allocations against integer overflow Junio C Hamano
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20160216054637.GA28237@sigill.intra.peff.net \
--to=peff@peff.net \
--cc=git@vger.kernel.org \
--cc=sunshine@sunshineco.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).