Coverity flags (uint64_t)sc * (uint64_t)ps as a potential overflow.
Use MUL_SAFE which Coverity understands via __builtin_mul_overflow.
Physical page count times page size cannot realistically overflow
uint64_t, but this makes it provable to static analyzers.
CID#1548042
Follow-up for 09bb6448ae221c09a00d1f4a9b45ce8535003319
assert(sc > 0);
ps = page_size();
- /* Silence static analyzers */
- assert((uint64_t) sc <= UINT64_MAX / (uint64_t) ps);
- mem = (uint64_t) sc * (uint64_t) ps;
+ /* Physical page count times page size cannot realistically overflow uint64_t,
+ * but use MUL_SAFE to make this obvious to static analyzers. */
+ assert_se(MUL_SAFE(&mem, (uint64_t) sc, (uint64_t) ps));
r = cg_get_root_path(&root);
if (r < 0) {
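Review bot: On the added assert_se(MUL_SAFE(&mem, ...)) line, the assignment to mem now happens as a side effect inside the assertion expression, so correctness depends on this staying assert_se; if it were ever changed back to a plain assert(), a build with NDEBUG would drop the multiplication and leave mem unset. The new comment could say so explicitly, for example by noting that the macro call both computes mem and checks for overflow. The declaration of mem is outside the visible lines; it is worth confirming it is uint64_t so that the overflow check runs at the same width as the two (uint64_t) casts. The preceding assert(sc > 0) is still what makes the (uint64_t) sc cast safe, so it should be kept next to this line.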