diff: check range before dereferencing an array element

Before accessing an array element at a given index, it should be
verified that the index is within the desired bounds, not afterwards,
otherwise it may not make sense to even access the array element in the
first place. This is the point of CodeQL's
`cpp/offset-use-before-range-check` rule.

This CodeQL rule unfortunately is also triggered by the
`fill_es_indent_data()` code, even though the condition `off < len - 1`
does not even need to guarantee that the offset is in bounds (`s` points
to a NUL-terminated string, for which `s[off] == '\r'` would fail before
running out of bounds).

Let's work around this rare false positive to help us use an otherwise
mostly useful tool is a worthy thing to do.

Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
Signed-off-by: Junio C Hamano <gitster@pobox.com>

diff --git a/diff.c b/diff.c
index c89c15d98e0e29b3441e4a328d8450b71eb5fe28..18ba3060460868e03119e09a320afa07d7b381bc 100644 (file)
--- a/diff.c
+++ b/diff.c
@@ -892,7 +892,7 @@ static void fill_es_indent_data(struct emitted_diff_symbol *es)
 
        /* skip any \v \f \r at start of indentation */
        while (s[off] == '\f' || s[off] == '\v' ||
-              (s[off] == '\r' && off < len - 1))
+              (off < len - 1 && s[off] == '\r'))
                off++;
 
        /* calculate the visual width of indentation */