read-cache: check range before dereferencing an array element

Before accessing an array element at a given index, we should make sure
that the index is within the desired bounds, otherwise it makes little
sense to access the array element in the first place.

In this instance, testing whether `ce->name[common]` is the trailing NUL
byte is technically different from testing whether `common` is within
the bounds of `previous_name`. It is also redundant, as the range-check
guarantees that `previous_name->buf[common]` cannot be NUL and therefore
the condition `ce->name[common] == previous_name->buf[common]` would not
be met if `ce->name[common]` evaluated to NUL.

However, in the interest of reducing the cognitive load to reason about
the correctness of this loop (so that I can focus on interesting
projects again), I'll simply move the range-check to the beginning of
the loop condition and keep the redundant NUL check.

This acquiesces CodeQL's `cpp/offset-use-before-range-check` rule.

Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
Acked-by: Jeff King <peff@peff.net>
Signed-off-by: Junio C Hamano <gitster@pobox.com>

diff --git a/read-cache.c b/read-cache.c
index e678c13e8f15e2fd7215f74a9ced20ad1839270f..08ae66ad609deb12a460e19a4848cf6f7db776f2 100644 (file)
--- a/read-cache.c
+++ b/read-cache.c
@@ -2686,8 +2686,8 @@ static int ce_write_entry(struct hashfile *f, struct cache_entry *ce,
                int common, to_remove, prefix_size;
                unsigned char to_remove_vi[16];
                for (common = 0;
-                    (ce->name[common] &&
-                     common < previous_name->len &&
+                    (common < previous_name->len &&
+                     ce->name[common] &&
                      ce->name[common] == previous_name->buf[common]);
                     common++)
                        ; /* still matching */