Cast 64 bit off_t to 32 bit size_t

Some systems have sizeof(off_t) == 8 while sizeof(size_t) == 4.
This implies that we are able to access and work on files whose
maximum length is around 2^63-1 bytes, but we can only malloc or
mmap somewhat less than 2^32-1 bytes of memory.

On such a system an implicit conversion of off_t to size_t can cause
the size_t to wrap, resulting in unexpected and exciting behavior.
Right now we are working around all gcc warnings generated by the
-Wshorten-64-to-32 option by passing the off_t through xsize_t().

In the future we should make xsize_t on such problematic platforms
detect the wrapping and die if such a file is accessed.

Signed-off-by: Shawn O. Pearce <spearce@spearce.org>
Signed-off-by: Junio C Hamano <junkio@cox.net>

1 files changed, 5 insertions, 3 deletions

diff --git a/xdiff-interface.c b/xdiff-interface.c
index 6c1f99b149..10816e95a0 100644
--- a/xdiff-interface.c
+++ b/xdiff-interface.c
@@ -107,16 +107,18 @@ int read_mmfile(mmfile_t *ptr, const char *filename)
 {
 	struct stat st;
 	FILE *f;
+	size_t sz;
 
 	if (stat(filename, &st))
 		return error("Could not stat %s", filename);
 	if ((f = fopen(filename, "rb")) == NULL)
 		return error("Could not open %s", filename);
-	ptr->ptr = xmalloc(st.st_size);
-	if (fread(ptr->ptr, st.st_size, 1, f) != 1)
+	sz = xsize_t(st.st_size);
+	ptr->ptr = xmalloc(sz);
+	if (fread(ptr->ptr, sz, 1, f) != 1)
 		return error("Could not read %s", filename);
 	fclose(f);
-	ptr->size = st.st_size;
+	ptr->size = sz;
 	return 0;
 }