path: root/strbuf.c
diff options
authorJonathan Nieder <>2010-10-11 02:59:26 (GMT)
committerJunio C Hamano <>2011-02-10 21:47:56 (GMT)
commit1368f65002bf39fdde7dd736a75ae35475184371 (patch)
treecb0d57165c5b1f710bb5e6499fa322185a8deb2f /strbuf.c
parenta8e4a5943a63c8fd4a3a9b70ccf4608bcc973707 (diff)
compat: helper for detecting unsigned overflow
The idiom (a + b < a) works fine for detecting that an unsigned integer has overflowed, but a more explicit unsigned_add_overflows(a, b) might be easier to read. Define such a macro, expanding roughly to ((a) < UINT_MAX - (b)). Because the expansion uses each argument only once outside of sizeof() expressions, it is safe to use with arguments that have side effects. Signed-off-by: Jonathan Nieder <> Signed-off-by: Junio C Hamano <>
Diffstat (limited to 'strbuf.c')
1 files changed, 3 insertions, 2 deletions
diff --git a/strbuf.c b/strbuf.c
index 9b3c445..07e8883 100644
--- a/strbuf.c
+++ b/strbuf.c
@@ -63,7 +63,8 @@ void strbuf_attach(struct strbuf *sb, void *buf, size_t len, size_t alloc)
void strbuf_grow(struct strbuf *sb, size_t extra)
- if (sb->len + extra + 1 <= sb->len)
+ if (unsigned_add_overflows(extra, 1) ||
+ unsigned_add_overflows(sb->len, extra + 1))
die("you want to use way too much memory");
if (!sb->alloc)
sb->buf = NULL;
@@ -152,7 +153,7 @@ int strbuf_cmp(const struct strbuf *a, const struct strbuf *b)
void strbuf_splice(struct strbuf *sb, size_t pos, size_t len,
const void *data, size_t dlen)
- if (pos + len < pos)
+ if (unsigned_add_overflows(pos, len))
die("you want to use way too much memory");
if (pos > sb->len)
die("`pos' is too far after the end of the buffer");