--- git-1.6.2.4/strbuf.c.bak 2009-04-21 00:18:45.205705155 +0300
+++ git-1.6.2.4/strbuf.c 2009-04-21 00:24:52.656702856 +0300
@@ -99,7 +99,7 @@ void strbuf_tolower(struct strbuf *sb)
 struct strbuf **strbuf_split(const struct strbuf *sb, int delim)
 {
- int alloc = 2, pos = 0;
+ size_t alloc = 2, pos = 0;
 char *n, *p;
 struct strbuf **ret;
 struct strbuf *t;
@@ -107,10 +107,12 @@ struct strbuf **strbuf_split(const struc
 ret = xcalloc(alloc, sizeof(struct strbuf *));
 p = n = sb->buf;
 while (n < sb->buf + sb->len) {
- int len;
+ size_t len;
 n = memchr(n, delim, sb->len - (n - sb->buf));
- if (pos + 1 >= alloc) {
+ if (pos >= alloc - 1) {
+ if (alloc > SIZE_MAX / 2) die("Integer overflow in strbuf_split");
 alloc = alloc * 2;
+ if (alloc > SIZE_MAX / sizeof(struct strbuf *)) die("Integer overflow in strbuf_split");
 ret = xrealloc(ret, sizeof(struct strbuf *) * alloc);
 }
 if (!n)
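Review bot: The two overflow guards inside `if (pos >= alloc - 1)` can be a single check made before the doubling: `if (alloc > SIZE_MAX / sizeof(struct strbuf *) / 2) die("Integer overflow in strbuf_split");` rejects exactly the same values and makes the first guard unnecessary. As written, both guards print the same message, so a report cannot tell which limit was hit. `SIZE_MAX` comes from `<stdint.h>` and no include is visible in this patch, so confirm the file gets it on every supported platform. The loop body continues past the end of the hunk, so how the now-unsigned `len` and `pos` are used afterwards (for instance in a subtraction or a comparison against a signed value) cannot be checked from here.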