From: Jeff King <peff@peff.net>
To: "René Scharfe" <l.s.r@web.de>
Cc: Junio C Hamano <gitster@pobox.com>, Git List <git@vger.kernel.org>
Subject: Re: [PATCH 1/2] strbuf: use st_add3() in strbuf_grow()
Date: Fri, 15 May 2026 00:36:06 -0400 [thread overview]
Message-ID: <20260515043606.GA83595@coredump.intra.peff.net> (raw)
In-Reply-To: <0c3b4e94-b56c-4c92-a4d8-0e4364f1257b@web.de>
On Thu, May 14, 2026 at 10:13:19PM +0200, René Scharfe wrote:
> Hmm, alloc_nr() doesn't do any overflow checking. It should, though,
> shouldn't it?
Yes, probably. It's a known blind spot in the overflow checking, but
I think is OK in practice because:
1. We are growing an existing buffer by ~3/2. So even with ordering
the multiplication first, an overflow implies that you have a
single buffer consuming ~1/3 of your address space.
On 64-bit systems that's impractically large, and on 32-bit systems I
think you generally run into fragmentation and address-space issues
first.
2. If alloc_nr(alloc) is less than the desired nr, we just use that nr
directly. So even if we did overflow, I think the result is
too-slow allocation, and not a buffer overflow.
But it would be nice to be less hand-wavy. One of the reasons I hadn't
dug into it further is that I wanted to start making use of intrinsics
to avoid slowdowns. But since you're already doing that (and finding
that the compiler was doing the fast thing anyway!) it might be a good
time to make the jump.
That's all assuming that no overflow happens before ALLOC_GROW() gets
the values. We also tend to do unchecked computions for the "nr" field
there, but it's usually just "nr_foo + 1", so the same logic applies:
you'd have to have an existing array consuming the entire address space
minus one byte to trigger an overflow.
-Peff
next prev parent reply other threads:[~2026-05-15 4:36 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-05-14 15:11 [PATCH 1/2] strbuf: use st_add3() in strbuf_grow() René Scharfe
2026-05-14 15:13 ` [PATCH 2/2] use __builtin_add_overflow() in st_add() with Clang René Scharfe
2026-05-14 19:12 ` Junio C Hamano
2026-05-14 20:17 ` René Scharfe
2026-05-15 16:49 ` René Scharfe
2026-05-15 4:40 ` Jeff King
2026-05-15 14:36 ` René Scharfe
2026-05-15 16:53 ` Jeff King
2026-05-14 19:07 ` [PATCH 1/2] strbuf: use st_add3() in strbuf_grow() Junio C Hamano
2026-05-14 20:13 ` René Scharfe
2026-05-15 4:36 ` Jeff King [this message]
2026-05-15 14:30 ` René Scharfe
2026-05-15 16:50 ` Jeff King
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260515043606.GA83595@coredump.intra.peff.net \
--to=peff@peff.net \
--cc=git@vger.kernel.org \
--cc=gitster@pobox.com \
--cc=l.s.r@web.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox