> #include <stddef.h>
> #include <stdint.h>
>
> static __inline int
> MULT_OVERFLOWS(size_t x, size_t y)
> {
> 	/* 2^(bits/2): when both operands are below this, x * y cannot wrap. */
> 	const size_t max = (size_t)1 << (sizeof(size_t) * 4);
>
> 	/* Only pay for the division when one operand is large enough to matter. */
> 	return ((x >= max || y >= max) && x > 0 && SIZE_MAX / x < y);
> }
>
> (or maybe a macro version) in some public header someplace,
> and associated assertions where applicable.
The coding pattern currently chosen through a discussion by
Ted and myself is to convert:
	l = n * s;
	p = malloc(l, ...)
	if (!p)
		fail;
to either:
	p = mallocarray(n, s, ...)
	l = n * s;
	if (!p)
		fail;
or
	p = mallocarray(n, s, ...)
	if (!p)
		fail;
	l = n * s;
We think that is more clear than the addition of an add-on API
for integer overflow which people will avoid. The idea behind
mallocarray() is that it is in-your-face -- we want to develop
the mindset that any malloc() gets looked at from the perspective
of int overflow right in its arguments.
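As an added example of the pattern discussed above (my own code, not OpenBSD's mallocarray() and not anything posted in this thread), here is a userland stand-in xmallocarray() that applies the same 2^(bits/2) threshold check as the MULT_OVERFLOWS() snippet quoted at the top, run next to the unchecked `l = n * s` it replaces. The names mult_overflows, unchecked_len, xmallocarray, alloc_ok and MUL_NO_OVERFLOW are assumptions for the example; n = SIZE_MAX/2 + 2 with s = 2 is a constructed input whose product wraps to 2, so the old pattern would hand malloc() a 2-byte request and "succeed".

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/*
 * Threshold 2^(bits/2): if both operands are below it the product cannot
 * wrap, so the (slow) division is only needed when one operand is large.
 * Hypothetical name, modelled on the check quoted earlier in the thread.
 */
#define MUL_NO_OVERFLOW ((size_t)1 << (sizeof(size_t) * 4))

/* Returns 1 if nmemb * size would wrap a size_t, 0 otherwise. */
static int
mult_overflows(size_t nmemb, size_t size)
{
	return ((nmemb >= MUL_NO_OVERFLOW || size >= MUL_NO_OVERFLOW) &&
	    nmemb > 0 && SIZE_MAX / nmemb < size);
}

/* "Before" pattern: l = n * s silently wraps for large n. */
static size_t
unchecked_len(size_t n, size_t s)
{
	return n * s;
}

/*
 * Hypothetical userland stand-in for mallocarray(): refuse the request
 * with ENOMEM when nmemb * size would wrap, otherwise allocate it.
 */
static void *
xmallocarray(size_t nmemb, size_t size)
{
	if (mult_overflows(nmemb, size)) {
		errno = ENOMEM;
		return NULL;
	}
	return malloc(nmemb * size);
}

/* Returns 1 if xmallocarray() accepted the request (and frees it), else 0. */
static int
alloc_ok(size_t n, size_t s)
{
	void *p = xmallocarray(n, s);

	if (p == NULL)
		return 0;
	free(p);
	return 1;
}

int
main(void)
{
	/* Constructed input: n * s == SIZE_MAX + 3, which wraps to 2. */
	size_t n = SIZE_MAX / 2 + 2, s = 2;

	printf("n=%zu s=%zu: unchecked length %zu, xmallocarray %s\n",
	    n, s, unchecked_len(n, s),
	    alloc_ok(n, s) ? "succeeded" : "refused (ENOMEM)");
	printf("1000 x 8: xmallocarray %s\n",
	    alloc_ok(1000, 8) ? "succeeded" : "refused");
	return 0;
}
```

The threshold trick matters because the division in the full check is the expensive part; for the common case of two small operands the check costs two compares and never divides.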