* [PATCH 1/3] execute-tests: pacify compiler
@ 2021-04-21 18:11 Paul Eggert
  2021-04-21 18:11 ` [PATCH 2/3] careadlinkat: avoid ptrdiff_t overflow Paul Eggert
  2021-04-21 18:11 ` [PATCH 3/3] malloca: " Paul Eggert
  0 siblings, 2 replies; 3+ messages in thread
From: Paul Eggert @ 2021-04-21 18:11 UTC (permalink / raw)
  To: bug-gnulib; +Cc: Paul Eggert

* tests/test-execute-main.c (main): Use 0x7DEADBEE rather than
0xDEADBEEF for nonces, to avoid provoking AIX XLC compiler warning
that the latter is out of int range.
---
 ChangeLog                 | 7 +++++++
 tests/test-execute-main.c | 6 +++---
 2 files changed, 10 insertions(+), 3 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index d2ea4e509..3aaee32bf 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,10 @@
+2021-04-21  Paul Eggert  <eggert@cs.ucla.edu>
+
+	execute-tests: pacify compiler
+	* tests/test-execute-main.c (main): Use 0x7DEADBEE rather than
+	0xDEADBEEF for nonces, to avoid provoking AIX XLC compiler warning
+	that the latter is out of int range.
+
 2021-04-20  Paul Eggert  <eggert@cs.ucla.edu>
 
 	malloc-gnu-tests, etc.: use volatile for clang
diff --git a/tests/test-execute-main.c b/tests/test-execute-main.c
index 944dcd1ee..a6a9fe406 100644
--- a/tests/test-execute-main.c
+++ b/tests/test-execute-main.c
@@ -132,7 +132,7 @@ main (int argc, char *argv[])
       {
         /* Check SIGPIPE handling with ignore_sigpipe = false.  */
         const char *prog_argv[3] = { prog_path, "3", NULL };
-        int termsig = 0xDEADBEEF;
+        int termsig = 0x7DEADBEE;
         int ret = execute (progname, prog_argv[0], prog_argv, NULL,
                            false, false, false, false, true, false, &termsig);
         ASSERT (ret == 127);
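Review bot: The replacement sentinel `0x7DEADBEE` is written as a bare literal at this `termsig` initializer and again in the next two hunks, and the reason it must stay within int range is recorded only in the ChangeLog. A named constant with a one-line comment would stop a later edit from restoring 0xDEADBEEF, for example `enum { TERMSIG_NONCE = 0x7DEADBEE }; /* must fit in int; presumably just a value execute() never stores */`. The old literal had type unsigned int, so initialising an int from it was an implementation-defined conversion and not only a warning, which the comment could also record. The blocks that use `termsig` continue outside these hunks, so the later checks against the sentinel are not visible here.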
@@ -145,7 +145,7 @@ main (int argc, char *argv[])
       {
         /* Check SIGPIPE handling with ignore_sigpipe = true.  */
         const char *prog_argv[3] = { prog_path, "4", NULL };
-        int termsig = 0xDEADBEEF;
+        int termsig = 0x7DEADBEE;
         int ret = execute (progname, prog_argv[0], prog_argv, NULL,
                            true, false, false, false, true, false, &termsig);
         ASSERT (ret == 0);
@@ -157,7 +157,7 @@ main (int argc, char *argv[])
       {
         /* Check other signal.  */
         const char *prog_argv[3] = { prog_path, "5", NULL };
-        int termsig = 0xDEADBEEF;
+        int termsig = 0x7DEADBEE;
         int ret = execute (progname, prog_argv[0], prog_argv, NULL,
                            false, false, false, false, true, false, &termsig);
         ASSERT (ret == 127);
-- 
2.27.0




* [PATCH 2/3] careadlinkat: avoid ptrdiff_t overflow
  2021-04-21 18:11 [PATCH 1/3] execute-tests: pacify compiler Paul Eggert
@ 2021-04-21 18:11 ` Paul Eggert
  2021-04-21 18:11 ` [PATCH 3/3] malloca: " Paul Eggert
  1 sibling, 0 replies; 3+ messages in thread
From: Paul Eggert @ 2021-04-21 18:11 UTC (permalink / raw)
  To: bug-gnulib; +Cc: Paul Eggert

* lib/careadlinkat.c: Include idx.h, minmax.h.
(readlink_stk): Avoid ptrdiff_t overflow in object allocation.
Since this module uses arbitrary allocators (including
stdlib_allocator), it cannot assume GNU malloc semantics.
* modules/careadlinkat (Depends-on): Add idx, minmax.
---
 ChangeLog            |  7 +++++++
 lib/careadlinkat.c   | 28 +++++++++++-----------------
 modules/careadlinkat |  2 ++
 3 files changed, 20 insertions(+), 17 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index 3aaee32bf..1e6cbd07f 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,12 @@
 2021-04-21  Paul Eggert  <eggert@cs.ucla.edu>
 
+	careadlinkat: avoid ptrdiff_t overflow
+	* lib/careadlinkat.c: Include idx.h, minmax.h.
+	(readlink_stk): Avoid ptrdiff_t overflow in object allocation.
+	Since this module uses arbitrary allocators (including
+	stdlib_allocator), it cannot assume GNU malloc semantics.
+	* modules/careadlinkat (Depends-on): Add idx, minmax.
+
 	execute-tests: pacify compiler
 	* tests/test-execute-main.c (main): Use 0x7DEADBEE rather than
 	0xDEADBEEF for nonces, to avoid provoking AIX XLC compiler warning
diff --git a/lib/careadlinkat.c b/lib/careadlinkat.c
index 18cfc114b..d833a0bce 100644
--- a/lib/careadlinkat.c
+++ b/lib/careadlinkat.c
@@ -22,6 +22,9 @@
 
 #include "careadlinkat.h"
 
+#include "idx.h"
+#include "minmax.h"
+
 #include <errno.h>
 #include <limits.h>
 #include <string.h>
@@ -65,11 +68,6 @@ readlink_stk (int fd, char const *filename,
               ssize_t (*preadlinkat) (int, char const *, char *, size_t),
               char stack_buf[STACK_BUF_SIZE])
 {
-  char *buf;
-  size_t buf_size;
-  size_t buf_size_max =
-    SSIZE_MAX < SIZE_MAX ? (size_t) SSIZE_MAX + 1 : SIZE_MAX;
-
   if (! alloc)
     alloc = &stdlib_allocator;
 
@@ -79,14 +77,14 @@ readlink_stk (int fd, char const *filename,
       buffer_size = STACK_BUF_SIZE;
     }
 
-  buf = buffer;
-  buf_size = buffer_size;
+  char *buf = buffer;
+  idx_t buf_size_max = MIN (IDX_MAX, MIN (SSIZE_MAX, SIZE_MAX));
+  idx_t buf_size = MIN (buffer_size, buf_size_max);
 
   while (buf)
     {
       /* Attempt to read the link into the current buffer.  */
-      ssize_t link_length = preadlinkat (fd, filename, buf, buf_size);
-      size_t link_size;
+      idx_t link_length = preadlinkat (fd, filename, buf, buf_size);
       if (link_length < 0)
         {
           if (buf != buffer)
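Review bot: The narrowing in `idx_t link_length = preadlinkat (fd, filename, buf, buf_size);` is safe only because `buf_size` was clamped two lines earlier, and nothing at the call site says so. A comment such as `/* buf_size <= MIN (IDX_MAX, SSIZE_MAX), so the ssize_t result fits in idx_t.  */` would keep that invariant visible if the clamp is ever edited. The two `MIN` expressions also compare signed with unsigned operands (`SSIZE_MAX` and `IDX_MAX` against `SIZE_MAX`, and `buf_size_max` against `buffer_size`, whose declaration is outside the hunk). That is correct only because every signed operand is non-negative, and it may draw -Wsign-compare warnings on some compilers. readlink_stk starts and ends outside this hunk.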
@@ -98,7 +96,7 @@ readlink_stk (int fd, char const *filename,
           return NULL;
         }
 
-      link_size = link_length;
+      idx_t link_size = link_length;
 
       if (link_size < buf_size)
         {
@@ -127,17 +125,13 @@ readlink_stk (int fd, char const *filename,
       if (buf != buffer)
         alloc->free (buf);
 
-      if (buf_size < buf_size_max / 2)
-        buf_size = 2 * buf_size + 1;
-      else if (buf_size < buf_size_max)
-        buf_size = buf_size_max;
-      else if (buf_size_max < SIZE_MAX)
+      if (buf_size_max / 2 <= buf_size)
         {
           errno = ENAMETOOLONG;
           return NULL;
         }
-      else
-        break;
+
+      buf_size = 2 * buf_size + 1;
       buf = alloc->allocate (buf_size);
     }
 
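Review bot: The guard `if (buf_size_max / 2 <= buf_size)` is what keeps `buf_size = 2 * buf_size + 1;` free of signed overflow now that `buf_size` is an idx_t, but the code does not say so. I would add `/* Here buf_size < buf_size_max / 2, so 2 * buf_size + 1 < buf_size_max and cannot overflow idx_t.  */` above the doubling. The rewrite also drops the old final attempt at exactly `buf_size_max` and the `else break;` exit, so ENAMETOOLONG is now reported once the buffer reaches about half the maximum. That looks intentional, but it is a behaviour change worth a line in the function's comment. What happens after the loop when `alloc->allocate` returns NULL is outside the hunk.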
diff --git a/modules/careadlinkat b/modules/careadlinkat
index 3f49aaecd..b3375a9b2 100644
--- a/modules/careadlinkat
+++ b/modules/careadlinkat
@@ -7,6 +7,8 @@ lib/careadlinkat.h
 
 Depends-on:
 allocator
+idx
+minmax
 ssize_t
 unistd
 
-- 
2.27.0




* [PATCH 3/3] malloca: avoid ptrdiff_t overflow
  2021-04-21 18:11 [PATCH 1/3] execute-tests: pacify compiler Paul Eggert
  2021-04-21 18:11 ` [PATCH 2/3] careadlinkat: avoid ptrdiff_t overflow Paul Eggert
@ 2021-04-21 18:11 ` Paul Eggert
  1 sibling, 0 replies; 3+ messages in thread
From: Paul Eggert @ 2021-04-21 18:11 UTC (permalink / raw)
  To: bug-gnulib; +Cc: Paul Eggert

* lib/malloca.c: Include idx.h, intprops.h.
(mmalloca): Check for ptrdiff_t overflow.  Since this module uses
_GL_USE_STDLIB_ALLOC, it cannot assume GNU malloc semantics.
* modules/malloca (Depends-on): Add idx, intprops.
---
 ChangeLog       | 6 ++++++
 lib/malloca.c   | 8 +++++---
 modules/malloca | 2 ++
 3 files changed, 13 insertions(+), 3 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index 1e6cbd07f..e72362077 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,11 @@
 2021-04-21  Paul Eggert  <eggert@cs.ucla.edu>
 
+	malloca: avoid ptrdiff_t overflow
+	* lib/malloca.c: Include idx.h, intprops.h.
+	(mmalloca): Check for ptrdiff_t overflow.  Since this module uses
+	_GL_USE_STDLIB_ALLOC, it cannot assume GNU malloc semantics.
+	* modules/malloca (Depends-on): Add idx, intprops.
+
 	careadlinkat: avoid ptrdiff_t overflow
 	* lib/careadlinkat.c: Include idx.h, minmax.h.
 	(readlink_stk): Avoid ptrdiff_t overflow in object allocation.
diff --git a/lib/malloca.c b/lib/malloca.c
index f4ee1563b..4077bf708 100644
--- a/lib/malloca.c
+++ b/lib/malloca.c
@@ -21,6 +21,8 @@
 /* Specification.  */
 #include "malloca.h"
 
+#include "idx.h"
+#include "intprops.h"
 #include "verify.h"
 
 /* The speed critical point in this file is freea() applied to an alloca()
@@ -45,9 +47,9 @@ mmalloca (size_t n)
 #if HAVE_ALLOCA
   /* Allocate one more word, used to determine the address to pass to freea(),
      and room for the alignment ≡ sa_alignment_max mod 2*sa_alignment_max.  */
-  size_t nplus = n + sizeof (small_t) + 2 * sa_alignment_max - 1;
-
-  if (nplus >= n)
+  int plus = sizeof (small_t) + 2 * sa_alignment_max - 1;
+  idx_t nplus;
+  if (!INT_ADD_WRAPV (n, plus, &nplus) && !xalloc_oversized (nplus, 1))
     {
       char *mem = (char *) malloc (nplus);
 
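Review bot: The new overflow check sits inside the `#if HAVE_ALLOCA` branch, and the hunk does not show what the other branch of mmalloca does with `n`. If that branch passes `n` straight to malloc, a request above PTRDIFF_MAX could still succeed there on a non-GNU malloc, which is the case the commit message is concerned with. It is worth confirming that path applies the same bound, for instance `if (xalloc_oversized (n, 1)) return NULL;` before the call, assuming NULL is this function's failure result. A short comment on `int plus` saying the sum is a small constant (presumably `sa_alignment_max` is a compile-time value) would also justify the narrowing from size_t to int.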
diff --git a/modules/malloca b/modules/malloca
index 9b7a3dbd2..346d33251 100644
--- a/modules/malloca
+++ b/modules/malloca
@@ -9,6 +9,8 @@ m4/eealloc.m4
 
 Depends-on:
 alloca-opt
+idx
+intprops
 stdint
 verify
 xalloc-oversized
-- 
2.27.0



