nodegit
diff --git a/‎src/array.h‎
Lines changed: 20 additions & 7 deletions b/‎src/array.h‎
Lines changed: 20 additions & 7 deletions
diff --git a/‎src/blame.c‎
Lines changed: 26 additions & 2 deletions b/‎src/blame.c‎
Lines changed: 26 additions & 2 deletions
diff --git a/‎src/blame_git.c‎
Lines changed: 6 additions & 2 deletions b/‎src/blame_git.c‎
Lines changed: 6 additions & 2 deletions
diff --git a/‎src/buf_text.c‎
Lines changed: 11 additions & 1 deletion b/‎src/buf_text.c‎
Lines changed: 11 additions & 1 deletion
diff --git a/‎src/buffer.c‎
Lines changed: 57 additions & 5 deletions b/‎src/buffer.c‎
Lines changed: 57 additions & 5 deletions
diff --git a/‎src/common.h‎
Lines changed: 22 additions & 0 deletions b/‎src/common.h‎
Lines changed: 22 additions & 0 deletions
@@ -45,15 +45,28 @@ typedef git_array_t(char) git_array_generic_t;
 GIT_INLINE(void *) git_array_grow(void *_a, size_t item_size)
 {
 	volatile git_array_generic_t *a = _a;
-	uint32_t new_size = (a->size < 8) ? 8 : a->asize * 3 / 2;
-	char *new_array = git__realloc(a->ptr, new_size * item_size);
-	if (!new_array) {
-		git_array_clear(*a);
-		return NULL;
+	uint32_t new_size;
+	char *new_array;
+
+	if (a->size < 8) {
+		new_size = 8;
 	} else {
-		a->ptr = new_array; a->asize = new_size; a->size++;
-		return a->ptr + (a->size - 1) * item_size;
+		if (GIT_ALLOC_OVERFLOW_MULTIPLY(a->size, 3 / 2))
+			goto on_oom;
+
+		new_size = a->size * 3 / 2;
 	}
+
+	if (GIT_ALLOC_OVERFLOW_MULTIPLY(new_size, item_size) ||
+		(new_array = git__realloc(a->ptr, new_size * item_size)) == NULL)
+		goto on_oom;
+
+	a->ptr = new_array; a->asize = new_size; a->size++;
+	return a->ptr + (a->size - 1) * item_size;
+
+on_oom:
+	git_array_clear(*a);
+	return NULL;
 }
 
 #define git_array_alloc(a) \
 
@@ -76,6 +76,10 @@ static git_blame_hunk* dup_hunk(git_blame_hunk *hunk)
 			hunk->lines_in_hunk,
 			hunk->orig_start_line_number,
 			hunk->orig_path);
+
+	if (!newhunk)
+		return NULL;
+
 	git_oid_cpy(&newhunk->orig_commit_id, &hunk->orig_commit_id);
 	git_oid_cpy(&newhunk->final_commit_id, &hunk->final_commit_id);
 	newhunk->boundary = hunk->boundary;
@@ -221,6 +225,10 @@ static git_blame_hunk *split_hunk_in_vector(
 	new_line_count = hunk->lines_in_hunk - rel_line;
 	nh = new_hunk((uint16_t)(hunk->final_start_line_number+rel_line), (uint16_t)new_line_count,
 			(uint16_t)(hunk->orig_start_line_number+rel_line), hunk->orig_path);
+
+	if (!nh)
+		return NULL;
+
 	git_oid_cpy(&nh->final_commit_id, &hunk->final_commit_id);
 	git_oid_cpy(&nh->orig_commit_id, &hunk->orig_commit_id);
 
@@ -270,6 +278,10 @@ static git_blame_hunk* hunk_from_entry(git_blame__entry *e)
 {
 	git_blame_hunk *h = new_hunk(
 			e->lno+1, e->num_lines, e->s_lno+1, e->suspect->path);
+
+	if (!h)
+		return NULL;
+
 	git_oid_cpy(&h->final_commit_id, git_commit_id(e->suspect->commit));
 	git_oid_cpy(&h->orig_commit_id, git_commit_id(e->suspect->commit));
 	git_signature_dup(&h->final_signature, git_commit_author(e->suspect->commit));
@@ -307,6 +319,8 @@ static int blame_internal(git_blame *blame)
 	blame->final_buf_size = git_blob_rawsize(blame->final_blob);
 
 	ent = git__calloc(1, sizeof(git_blame__entry));
+	GITERR_CHECK_ALLOC(ent);
+
 	ent->num_lines = index_blob_lines(blame);
 	ent->lno = blame->options.min_line - 1;
 	ent->num_lines = ent->num_lines - blame->options.min_line + 1;
@@ -322,8 +336,9 @@ static int blame_internal(git_blame *blame)
 cleanup:
 	for (ent = blame->ent; ent; ) {
 		git_blame__entry *e = ent->next;
+		git_blame_hunk *h = hunk_from_entry(ent);
 
-		git_vector_insert(&blame->hunks, hunk_from_entry(ent));
+		git_vector_insert(&blame->hunks, h);
 
 		git_blame__free_entry(ent);
 		ent = e;
@@ -392,11 +407,14 @@ static int buffer_hunk_cb(
 	if (!blame->current_hunk) {
 		/* Line added at the end of the file */
 		blame->current_hunk = new_hunk(wedge_line, 0, wedge_line, blame->path);
+		GITERR_CHECK_ALLOC(blame->current_hunk);
+
 		git_vector_insert(&blame->hunks, blame->current_hunk);
 	} else if (!hunk_starts_at_or_after_line(blame->current_hunk, wedge_line)){
 		/* If this hunk doesn't start between existing hunks, split a hunk up so it does */
 		blame->current_hunk = split_hunk_in_vector(&blame->hunks, blame->current_hunk,
 				wedge_line - blame->current_hunk->orig_start_line_number, true);
+		GITERR_CHECK_ALLOC(blame->current_hunk);
 	}
 
 	return 0;
@@ -425,6 +443,8 @@ static int buffer_line_cb(
 			/* Create a new buffer-blame hunk with this line */
 			shift_hunks_by(&blame->hunks, blame->current_diff_line, 1);
 			blame->current_hunk = new_hunk((uint16_t)blame->current_diff_line, 1, 0, blame->path);
+			GITERR_CHECK_ALLOC(blame->current_hunk);
+
 			git_vector_insert_sorted(&blame->hunks, blame->current_hunk, NULL);
 		}
 		blame->current_diff_line++;
@@ -464,10 +484,14 @@ int git_blame_buffer(
 	assert(out && reference && buffer && buffer_len);
 
 	blame = git_blame__alloc(reference->repository, reference->options, reference->path);
+	GITERR_CHECK_ALLOC(blame);
 
 	/* Duplicate all of the hunk structures in the reference blame */
 	git_vector_foreach(&reference->hunks, i, hunk) {
-		git_vector_insert(&blame->hunks, dup_hunk(hunk));
+		git_blame_hunk *h = dup_hunk(hunk);
+		GITERR_CHECK_ALLOC(h);
+
+		git_vector_insert(&blame->hunks, h);
 	}
 
 	/* Diff to the reference blob */
 
@@ -35,10 +35,14 @@ static void origin_decref(git_blame__origin *o)
 /* Given a commit and a path in it, create a new origin structure. */
 static int make_origin(git_blame__origin **out, git_commit *commit, const char *path)
 {
-	int error = 0;
 	git_blame__origin *o;
+	size_t path_len = strlen(path);
+	int error = 0;
+
+	GITERR_CHECK_ALLOC_ADD(sizeof(*o), path_len);
+	GITERR_CHECK_ALLOC_ADD(sizeof(*o) + path_len, 1);
 
-	o = git__calloc(1, sizeof(*o) + strlen(path) + 1);
+	o = git__calloc(1, sizeof(*o) + path_len + 1);
 	GITERR_CHECK_ALLOC(o);
 	o->commit = commit;
 	o->refcnt = 1;
 
@@ -29,6 +29,8 @@ int git_buf_text_puts_escaped(
 		scan += count;
 	}
 
+	GITERR_CHECK_ALLOC_ADD(buf->size, total);
+	GITERR_CHECK_ALLOC_ADD(buf->size + total, 1);
 	if (git_buf_grow(buf, buf->size + total + 1) < 0)
 		return -1;
 
@@ -73,8 +75,10 @@ int git_buf_text_crlf_to_lf(git_buf *tgt, const git_buf *src)
 		return git_buf_set(tgt, src->ptr, src->size);
 
 	/* reduce reallocs while in the loop */
+	GITERR_CHECK_ALLOC_ADD(src->size, 1);
 	if (git_buf_grow(tgt, src->size + 1) < 0)
 		return -1;
+
 	out = tgt->ptr;
 	tgt->size = 0;
 
@@ -117,20 +121,26 @@ int git_buf_text_lf_to_crlf(git_buf *tgt, const git_buf *src)
 		return git_buf_set(tgt, src->ptr, src->size);
 
 	/* attempt to reduce reallocs while in the loop */
+	GITERR_CHECK_ALLOC_ADD(src->size, src->size >> 4);
+	GITERR_CHECK_ALLOC_ADD(src->size + (src->size >> 4), 1);
 	if (git_buf_grow(tgt, src->size + (src->size >> 4) + 1) < 0)
 		return -1;
 	tgt->size = 0;
 
 	for (; next; scan = next + 1, next = memchr(scan, '\n', end - scan)) {
 		size_t copylen = next - scan;
-		size_t needsize = tgt->size + copylen + 2 + 1;
+		size_t needsize;
 
 		/* if we find mixed line endings, bail */
 		if (next > start && next[-1] == '\r') {
 			git_buf_free(tgt);
 			return GIT_PASSTHROUGH;
 		}
 
+		GITERR_CHECK_ALLOC_ADD(tgt->size, copylen);
+		GITERR_CHECK_ALLOC_ADD(tgt->size + copylen, 3);
+		needsize = tgt->size + copylen + 3;
+
 		if (tgt->asize < needsize && git_buf_grow(tgt, needsize) < 0)
 			return -1;
 
 
@@ -63,6 +63,14 @@ int git_buf_try_grow(
 	/* round allocation up to multiple of 8 */
 	new_size = (new_size + 7) & ~7;
 
+	if (new_size < buf->size) {
+		if (mark_oom)
+			buf->ptr = git_buf__oom;
+
+		giterr_set_oom();
+		return -1;
+	}
+
 	new_ptr = git__realloc(new_ptr, new_size);
 
 	if (!new_ptr) {
@@ -131,6 +139,7 @@ int git_buf_set(git_buf *buf, const void *data, size_t len)
 		git_buf_clear(buf);
 	} else {
 		if (data != buf->ptr) {
+			GITERR_CHECK_ALLOC_ADD(len, 1);
 			ENSURE_SIZE(buf, len + 1);
 			memmove(buf->ptr, data, len);
 		}
@@ -160,6 +169,7 @@ int git_buf_sets(git_buf *buf, const char *string)
 
 int git_buf_putc(git_buf *buf, char c)
 {
+	GITERR_CHECK_ALLOC_ADD(buf->size, 2);
 	ENSURE_SIZE(buf, buf->size + 2);
 	buf->ptr[buf->size++] = c;
 	buf->ptr[buf->size] = '\0';
@@ -168,6 +178,8 @@ int git_buf_putc(git_buf *buf, char c)
 
 int git_buf_putcn(git_buf *buf, char c, size_t len)
 {
+	GITERR_CHECK_ALLOC_ADD(buf->size, len);
+	GITERR_CHECK_ALLOC_ADD(buf->size + len, 1);
 	ENSURE_SIZE(buf, buf->size + len + 1);
 	memset(buf->ptr + buf->size, c, len);
 	buf->size += len;
@@ -179,6 +191,8 @@ int git_buf_put(git_buf *buf, const char *data, size_t len)
 {
 	if (len) {
 		assert(data);
+		GITERR_CHECK_ALLOC_ADD(buf->size, len);
+		GITERR_CHECK_ALLOC_ADD(buf->size + len, 1);
 		ENSURE_SIZE(buf, buf->size + len + 1);
 		memmove(buf->ptr + buf->size, data, len);
 		buf->size += len;
@@ -201,8 +215,12 @@ int git_buf_encode_base64(git_buf *buf, const char *data, size_t len)
 	size_t extra = len % 3;
 	uint8_t *write, a, b, c;
 	const uint8_t *read = (const uint8_t *)data;
+	size_t blocks = (len / 3) + !!extra;
 
-	ENSURE_SIZE(buf, buf->size + 4 * ((len / 3) + !!extra) + 1);
+	GITERR_CHECK_ALLOC_MULTIPLY(blocks, 4);
+	GITERR_CHECK_ALLOC_ADD(buf->size, 4 * blocks);
+	GITERR_CHECK_ALLOC_ADD(buf->size + 4 * blocks, 1);
+	ENSURE_SIZE(buf, buf->size + 4 * blocks + 1);
 	write = (uint8_t *)&buf->ptr[buf->size];
 
 	/* convert each run of 3 bytes into 4 output bytes */
@@ -256,6 +274,8 @@ int git_buf_decode_base64(git_buf *buf, const char *base64, size_t len)
 	size_t orig_size = buf->size;
 
 	assert(len % 4 == 0);
+	GITERR_CHECK_ALLOC_ADD(buf->size, len / 4 * 3);
+	GITERR_CHECK_ALLOC_ADD(buf->size + (len / 4 * 3), 1);
 	ENSURE_SIZE(buf, buf->size + (len / 4 * 3) + 1);
 
 	for (i = 0; i < len; i += 4) {
@@ -284,7 +304,12 @@ static const char b85str[] =
 
 int git_buf_encode_base85(git_buf *buf, const char *data, size_t len)
 {
-	ENSURE_SIZE(buf, buf->size + (5 * ((len / 4) + !!(len % 4))) + 1);
+	size_t blocks = (len / 4) + !!(len % 4);
+
+	GITERR_CHECK_ALLOC_MULTIPLY(blocks, 5);
+	GITERR_CHECK_ALLOC_ADD(buf->size, 5 * blocks);
+	GITERR_CHECK_ALLOC_ADD(buf->size + 5 * blocks, 1);
+	ENSURE_SIZE(buf, buf->size + blocks * 5 + 1);
 
 	while (len) {
 		uint32_t acc = 0;
@@ -317,8 +342,14 @@ int git_buf_encode_base85(git_buf *buf, const char *data, size_t len)
 
 int git_buf_vprintf(git_buf *buf, const char *format, va_list ap)
 {
+	size_t expected_size = strlen(format);
 	int len;
-	const size_t expected_size = buf->size + (strlen(format) * 2);
+
+	GITERR_CHECK_ALLOC_MULTIPLY(expected_size, 2);
+	expected_size *= 2;
+
+	GITERR_CHECK_ALLOC_ADD(expected_size, buf->size);
+	expected_size += buf->size;
 
 	ENSURE_SIZE(buf, expected_size);
 
@@ -345,6 +376,8 @@ int git_buf_vprintf(git_buf *buf, const char *format, va_list ap)
 			break;
 		}
 
+		GITERR_CHECK_ALLOC_ADD(buf->size, len);
+		GITERR_CHECK_ALLOC_ADD(buf->size + len, 1);
 		ENSURE_SIZE(buf, buf->size + len + 1);
 	}
 
@@ -481,6 +514,9 @@ int git_buf_join_n(git_buf *buf, char separator, int nbuf, ...)
 	/* expand buffer if needed */
 	if (total_size == 0)
 		return 0;
+
+	GITERR_CHECK_ALLOC_ADD(buf->size, total_size);
+	GITERR_CHECK_ALLOC_ADD(buf->size + total_size, 1);
 	if (git_buf_grow(buf, buf->size + total_size + 1) < 0)
 		return -1;
 
@@ -559,6 +595,9 @@ int git_buf_join(
 	if (str_a >= buf->ptr && str_a < buf->ptr + buf->size)
 		offset_a = str_a - buf->ptr;
 
+	GITERR_CHECK_ALLOC_ADD(strlen_a, strlen_b);
+	GITERR_CHECK_ALLOC_ADD(strlen_a + strlen_b, need_sep);
+	GITERR_CHECK_ALLOC_ADD(strlen_a + strlen_b + need_sep, 1);
 	if (git_buf_grow(buf, strlen_a + strlen_b + need_sep + 1) < 0)
 		return -1;
 	assert(buf->ptr);
@@ -607,6 +646,11 @@ int git_buf_join3(
 			sep_b = (str_b[len_b - 1] != separator);
 	}
 
+	GITERR_CHECK_ALLOC_ADD(len_a, sep_a);
+	GITERR_CHECK_ALLOC_ADD(len_a + sep_a, len_b);
+	GITERR_CHECK_ALLOC_ADD(len_a + sep_a + len_b, sep_b);
+	GITERR_CHECK_ALLOC_ADD(len_a + sep_a + len_b + sep_b, len_c);
+	GITERR_CHECK_ALLOC_ADD(len_a + sep_a + len_b + sep_b + len_c, 1);
 	if (git_buf_grow(buf, len_a + sep_a + len_b + sep_b + len_c + 1) < 0)
 		return -1;
 
@@ -660,22 +704,30 @@ int git_buf_splice(
 	const char *data,
 	size_t nb_to_insert)
 {
+	size_t new_size;
+
 	assert(buf &&
 		where <= git_buf_len(buf) &&
 		where + nb_to_remove <= git_buf_len(buf));
 
 	/* Ported from git.git
 	 * https://github.com/git/git/blob/16eed7c/strbuf.c#L159-176
 	 */
-	ENSURE_SIZE(buf, buf->size + nb_to_insert - nb_to_insert + 1);
+	new_size = buf->size - nb_to_remove;
+
+	GITERR_CHECK_ALLOC_ADD(new_size, nb_to_insert);
+	new_size += nb_to_insert;
+
+	GITERR_CHECK_ALLOC_ADD(new_size, 1);
+	ENSURE_SIZE(buf, new_size + 1);
 
 	memmove(buf->ptr + where + nb_to_insert,
 			buf->ptr + where + nb_to_remove,
 			buf->size - where - nb_to_remove);
 
 	memcpy(buf->ptr + where, data, nb_to_insert);
 
-	buf->size = buf->size + nb_to_insert - nb_to_remove;
+	buf->size = new_size;
 	buf->ptr[buf->size] = '\0';
 	return 0;
 }
@@ -174,6 +174,28 @@ GIT_INLINE(void) git__init_structure(void *structure, size_t len, unsigned int v
 	GITERR_CHECK_VERSION(&(VERSION), _tmpl.version, #TYPE);	\
 	memcpy((PTR), &_tmpl, sizeof(_tmpl)); } while (0)
 
+/** Check for integer overflow from addition or multiplication */
+#define GIT_ALLOC_OVERFLOW_ADD(one, two) \
+	((one) + (two) < (one))
+
+/** Check for integer overflow from multiplication */
+#define GIT_ALLOC_OVERFLOW_MULTIPLY(one, two) \
+	(one && ((one) * (two)) / (one) != (two))
+
+/** Check for additive overflow, failing if it would occur. */
+#define GITERR_CHECK_ALLOC_ADD(one, two) \
+	if (GIT_ALLOC_OVERFLOW_ADD(one, two)) { \
+		giterr_set_oom(); \
+		return -1; \
+	}
+
+/** Check for multiplicative overflow, failing if it would occur. */
+#define GITERR_CHECK_ALLOC_MULTIPLY(nelem, elsize) \
+	if (GIT_ALLOC_OVERFLOW_MULTIPLY(nelem, elsize)) { \
+		giterr_set_oom(); \
+		return -1; \
+	}
+
 /* NOTE: other giterr functions are in the public errors.h header file */
 
 #include "util.h"