commit-graph.c: prevent overflow in `split_graph_merge_strategy()`

In a similar spirit as previous commits, ensure that we don't overflow
when choosing how to split and merge different layers of the
commit-graph.

In particular, avoid a potential overflow between `size_mult` and
`num_commits`, as well as a potential overflow between the number of
commits currently in the merged graph, and the number of commits in the
graph about to be merged.

Signed-off-by: Taylor Blau <me@ttaylorr.com>
Signed-off-by: Junio C Hamano <gitster@pobox.com>

diff --git a/commit-graph.c b/commit-graph.c
index 08d773567f362061d8f88d07dd424e4bca719d97..d9795e3aa43fabcef5122437780ffb3837e639ac 100644 (file)
--- a/commit-graph.c
+++ b/commit-graph.c
@@ -2112,11 +2112,16 @@ static void split_graph_merge_strategy(struct write_commit_graph_context *ctx)
 
        if (flags != COMMIT_GRAPH_SPLIT_MERGE_PROHIBITED &&
            flags != COMMIT_GRAPH_SPLIT_REPLACE) {
-               while (g && (g->num_commits <= size_mult * num_commits ||
+               while (g && (g->num_commits <= st_mult(size_mult, num_commits) ||
                            (max_commits && num_commits > max_commits))) {
                        if (g->odb != ctx->odb)
                                break;
 
+                       if (unsigned_add_overflows(num_commits, g->num_commits))
+                               die(_("cannot merge graphs with %"PRIuMAX", "
+                                     "%"PRIuMAX" commits"),
+                                   (uintmax_t)num_commits,
+                                   (uintmax_t)g->num_commits);
                        num_commits += g->num_commits;
                        g = g->base_graph;