From b05f7f54e4fe5c0d67128aaafa74f2a04b74752b Mon Sep 17 00:00:00 2001
From: Paul Eggert
Date: Sun, 22 Aug 2021 13:54:04 -0700
Subject: diff: add integer overflow checking
* src/diff.c (option_list, main): Check for integer overflow in some unlikely and hard-to-test cases.
---
 src/diff.c | 15 ++++++++++++---
 1 file changed, 12 insertions(+), 3 deletions(-)
diff --git a/src/diff.c b/src/diff.c
index 36cc76a..a4e5538 100644
--- a/src/diff.c
+++ b/src/diff.c
@@ -245,7 +245,11 @@ option_list (char **optionvec, int count)
 char *p;
 for (i = 0; i < count; i++)
- size += 1 + shell_quote_length (optionvec[i]);
+ {
+ size_t optsize = 1 + shell_quote_length (optionvec[i]);
+ if (INT_ADD_WRAPV (optsize, size, &size))
+ xalloc_die ();
+ }
 p = result = xmalloc (size);
@@ -402,8 +406,13 @@ main (int argc, char **argv)
 "%>"
 "#endif /* @ */\n");
- char *b = xmalloc (sizeof C_ifdef_group_formats
- + 7 * strlen (optarg) - 7 /* 7*"@" */);
+ size_t alloc = strlen (optarg);
+ if (INT_MULTIPLY_WRAPV (alloc, 7, &alloc)
+ || INT_ADD_WRAPV (alloc,
+ sizeof C_ifdef_group_formats - 7 /* 7*"@" */,
+ &alloc))
+ xalloc_die ();
+ char *b = xmalloc (alloc);
 char *base = b;
 int changes = 0;
--
cgit v1.2.1
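Review bot: In the option_list hunk, the `1 +` in `size_t optsize = 1 + shell_quote_length (optionvec[i]);` is still unchecked size_t arithmetic, so a wrap at that step would pass a small optsize to the checked add and go unnoticed. Whether shell_quote_length can return a value that large is not visible here, but the total sizes the `xmalloc (size)` buffer in the hunk's trailing context, so checking both steps costs little. One way is `size_t optsize = shell_quote_length (optionvec[i]);` followed by `if (INT_ADD_WRAPV (optsize, 1, &optsize) || INT_ADD_WRAPV (optsize, size, &size)) xalloc_die ();`. option_list's body starts and ends outside the hunk.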
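Review bot: In the main hunk, the literal 7 appears as the multiplier, as the subtrahend and in the `/* 7*"@" */` comment, and all three must equal the number of `@` placeholders in C_ifdef_group_formats, most of which lies outside the hunk. If the format string is edited without updating them, `alloc` would be too small for the expansion that presumably follows, and the overflow checks added here would not catch that. A named constant next to the format definition would make the coupling explicit, as would a comment such as `/* Each of the 7 '@' in C_ifdef_group_formats is replaced by optarg: sizeof - 7 + 7 * strlen (optarg) bytes. */`. The enclosing block in main starts and ends outside the hunk.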