Cast 64 bit off_t to 32 bit size_t
Some systems have sizeof(off_t) == 8 while sizeof(size_t) == 4.
This implies that we are able to access and work on files whose
maximum length is around 2^63-1 bytes, but we can only malloc or
mmap somewhat less than 2^32-1 bytes of memory.
On such a system an implicit conversion of off_t to size_t can cause
the size_t to wrap, resulting in unexpected and exciting behavior.
Right now we are working around all gcc warnings generated by the
-Wshorten-64-to-32 option by passing the off_t through xsize_t().
In the future we should make xsize_t on such problematic platforms
detect the wrapping and die if such a file is accessed.
Signed-off-by: Shawn O. Pearce <spearce@spearce.org>
Signed-off-by: Junio C Hamano <junkio@cox.net>
diff --git a/refs.c b/refs.c
index 7a1f89c..76c08d0 100644
--- a/refs.c
+++ b/refs.c
@@ -1075,6 +1075,7 @@
unsigned long date;
unsigned char logged_sha1[20];
void *log_mapped;
+ size_t mapsz;
logfile = git_path("logs/%s", ref);
logfd = open(logfile, O_RDONLY, 0);
@@ -1083,7 +1084,8 @@
fstat(logfd, &st);
if (!st.st_size)
die("Log %s is empty.", logfile);
- log_mapped = xmmap(NULL, st.st_size, PROT_READ, MAP_PRIVATE, logfd, 0);
+ mapsz = xsize_t(st.st_size);
+ log_mapped = xmmap(NULL, mapsz, PROT_READ, MAP_PRIVATE, logfd, 0);
logdata = log_mapped;
close(logfd);
@@ -1136,7 +1138,7 @@
logfile, show_rfc2822_date(date, tz));
}
}
- munmap(log_mapped, st.st_size);
+ munmap(log_mapped, mapsz);
return 0;
}
lastrec = rec;
@@ -1155,7 +1157,7 @@
die("Log %s is corrupt.", logfile);
if (msg)
*msg = ref_msg(logdata, logend);
- munmap(log_mapped, st.st_size);
+ munmap(log_mapped, mapsz);
if (cutoff_time)
*cutoff_time = date;
