The pointer p is dereferenced and we get an unsigned char. Before shifting it's automatically promoted to int. Left-shifting a signed 32-bit value bigger than 127 by 24 places is undefined. Explicitly convert to a 32-bit unsigned type to avoid undefined behaviour if the highest bit is set.
Found with Clang's UBSan. Signed-off-by: Rene Scharfe <[email protected]> --- compat/bswap.h | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/compat/bswap.h b/compat/bswap.h index d47c003544..4582c1107a 100644 --- a/compat/bswap.h +++ b/compat/bswap.h @@ -166,10 +166,10 @@ static inline uint64_t git_bswap64(uint64_t x) (*((unsigned char *)(p) + 0) << 8) | \ (*((unsigned char *)(p) + 1) << 0) ) #define get_be32(p) ( \ - (*((unsigned char *)(p) + 0) << 24) | \ - (*((unsigned char *)(p) + 1) << 16) | \ - (*((unsigned char *)(p) + 2) << 8) | \ - (*((unsigned char *)(p) + 3) << 0) ) + ((uint32_t)*((unsigned char *)(p) + 0) << 24) | \ + ((uint32_t)*((unsigned char *)(p) + 1) << 16) | \ + ((uint32_t)*((unsigned char *)(p) + 2) << 8) | \ + ((uint32_t)*((unsigned char *)(p) + 3) << 0) ) #define put_be32(p, v) do { \ unsigned int __v = (v); \ *((unsigned char *)(p) + 0) = __v >> 24; \ -- 2.13.3
