commit 50a6c8efa2bbeddf46ca34c7765024108202e04b
author Jeff King <peff@peff.net> Mon Feb 22 17:44:35 2016 -0500
committer Junio C Hamano <gitster@pobox.com> Mon Feb 22 14:51:09 2016 -0800
tree 0c189695ed6ad8349527cb03d326ef3fb39707cf
parent 96ffc06f72f693d80f05059a1f0e5ca9007d5f1b

use st_add and st_mult for allocation size computation

If our size computation overflows size_t, we may allocate a
much smaller buffer than we expected and overflow it. It's
probably impossible to trigger an overflow in most of these
sites in practice, but it is easy enough convert their
additions and multiplications into overflow-checking
variants. This may be fixing real bugs, and it makes
auditing the code easier.

Signed-off-by: Jeff King <peff@peff.net>
Signed-off-by: Junio C Hamano <gitster@pobox.com>

remote.c

diff --git a/remote.c b/remote.c
index 7a8a8a1..f182382 100644
--- a/remote.c
+++ b/remote.c
@@ -928,7 +928,7 @@
 		const char *name)
 {
 	size_t len = strlen(name);
-	struct ref *ref = xcalloc(1, sizeof(struct ref) + prefixlen + len + 1);
+	struct ref *ref = xcalloc(1, st_add4(sizeof(*ref), prefixlen, len, 1));
 	memcpy(ref->name, prefix, prefixlen);
 	memcpy(ref->name + prefixlen, name, len);
 	return ref;
@@ -945,9 +945,9 @@
 	size_t len;
 	if (!ref)
 		return NULL;
-	len = strlen(ref->name);
-	cpy = xmalloc(sizeof(struct ref) + len + 1);
-	memcpy(cpy, ref, sizeof(struct ref) + len + 1);
+	len = st_add3(sizeof(struct ref), strlen(ref->name), 1);
+	cpy = xmalloc(len);
+	memcpy(cpy, ref, len);
 	cpy->next = NULL;
 	cpy->symref = xstrdup_or_null(ref->symref);
 	cpy->remote_status = xstrdup_or_null(ref->remote_status);