authorpommicket <pommicket@gmail.com>2025-09-15 22:19:03 -0400
committerpommicket <pommicket@gmail.com>2025-09-15 22:19:03 -0400
commit7e35330658ecbabeceab2cfaf349113b58a84e26 (patch)
treed4604a08d0d189931e97a8d2ae3befdac7eeb570
parent903292675594773a646027be47229fbb013ae086 (diff)
Set up clang-tidy, fix some issues
-rw-r--r--.clang-tidy2
-rw-r--r--pom.c13
-rwxr-xr-xpre-commit.sh8
3 files changed, 17 insertions, 6 deletions
diff --git a/.clang-tidy b/.clang-tidy
new file mode 100644
index 0000000..c3d8e19
--- /dev/null
+++ b/.clang-tidy
@@ -0,0 +1,2 @@
+Checks: '-clang-analyzer-security.insecureAPI.*'
+WarningsAsErrors: '*'
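Review bot: The `Checks` line switches off the whole `clang-analyzer-security.insecureAPI.*` family, which also silences the checks for `strcpy`, `gets`, `mktemp`, `rand` and unchecked return values, not only the noisy buffer-handling one. If the intent is to stop the Annex K suggestions for `memcpy`/`snprintf` (an assumption; the commit message does not say), narrow it to `Checks: '-clang-analyzer-security.insecureAPI.DeprecatedOrUnsafeBufferHandling'`. A one-line `#` comment above the entry giving the reason would help whoever next audits the lint configuration.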
diff --git a/pom.c b/pom.c
index 792c039..5e98e4f 100644
--- a/pom.c
+++ b/pom.c
@@ -228,8 +228,8 @@ get_error_message(const pom_settings *settings, enum error_id id) {
#else
// fatal_error should only be called when the API is misused
// (e.g. `NULL` argument that shouldn't be `NULL`).
-static void fatal_error(PRINTF_FORMAT_STRING const char *fmt, ...) ATTRIBUTE_PRINTF(1, 2);
-static void
+static _Noreturn void fatal_error(PRINTF_FORMAT_STRING const char *fmt, ...) ATTRIBUTE_PRINTF(1, 2);
+static _Noreturn void
fatal_error(const char *fmt, ...) {
va_list args;
va_start(args, fmt);
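Review bot: `_Noreturn` on `fatal_error` is a promise that the compiler and the analyzer rely on, and returning from such a function is undefined behaviour. The body continues past the end of this hunk, so it cannot be confirmed here that every path ends in `abort()` or an equivalent. The comment above the declaration should say so, for example `// Never returns: terminates the process after printing the message.` (adjust to what the body actually does). The declaration sits in an `#else` branch, so any definition in the other branch, which is outside the hunk, should carry the same specifier to keep both builds consistent.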
@@ -249,6 +249,7 @@ make_error(const pom_settings *settings, const char *file, uint64_t line, enum e
va_copy(args_copy, args);
bool bad_fmt = false;
int len = vsnprintf(NULL, 0, fmt, args);
+ va_end(args);
if (len < 0 || (size_t)len > INT_MAX - sizeof(pom_error) - 1) {
// Could technically happen if %s gets a really long string.
// Just use fmt as the error in this case.
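Review bot: The added `va_end(args)` is only correct if `args` was initialised by `va_start` inside `make_error`. The signature is truncated in the hunk header and the start of the function is outside the hunk, so this cannot be checked here. If `args` arrives as a `va_list` parameter, the C standard requires the matching `va_end` in the function that called `va_start`, and the line belongs in the caller. Separately, it should be checked that `args_copy` gets a `va_end` on the path taken when `len` is rejected, the same pattern this commit tidies up in `parser_error`; that code is also outside the hunk.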
@@ -339,7 +340,7 @@ parser_realloc_(struct parser *parser, void *ptr, size_t elem_size, size_t *pcap
size_t capacity = *pcapacity;
if (new_capacity > capacity) {
// this check is overly strict to avoid arithmetic overflow.
- if (new_capacity >= SIZE_MAX / 4 / elem_size) {
+ if (!elem_size || new_capacity >= SIZE_MAX / 4 / elem_size) {
parser_out_of_memory(parser);
return false;
}
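Review bot: With the added `!elem_size` test, a zero element size is reported through `parser_out_of_memory`, although it is a caller bug rather than memory exhaustion. The existing comment explains only the overflow half of the condition. Extend it, e.g. `// elem_size == 0 would divide by zero below; treated as an allocation failure.`, or reject that case separately so the error a user sees is not misleading. The function body starts and ends outside the hunk.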
@@ -418,13 +419,12 @@ parser_error(struct parser *parser, enum error_id id, ...) {
// could happen with a >INT_MAX-sized string, for example
bad_fmt = true;
error_len = strlen(fmt);
- va_end(args_copy);
}
if (error_len > 1000)
error_len = 1000; // truncate very long errors
char *message = parser_append(parser, error_messages, error_len + 1);
if (!message) {
- if (!bad_fmt) va_end(args_copy);
+ va_end(args_copy);
return;
}
uint32_t message_idx = message - parser->error_messages.array;
@@ -434,6 +434,7 @@ parser_error(struct parser *parser, enum error_id id, ...) {
} else {
vsnprintf(message, error_len + 1, fmt, args_copy);
}
+ va_end(args_copy);
struct parser_error *error = parser_append_one(parser, errors);
if (!error) return;
error->line = parser->line_number;
@@ -875,7 +876,7 @@ conf_free_list_append(struct main_conf *conf, struct to_free *mem) {
static void *
conf_calloc(struct main_conf *conf, size_t nmemb, size_t sz) {
- if (nmemb > SIZE_MAX / (2*sz)) return NULL;
+ if (sz == 0 || nmemb > SIZE_MAX / (2*sz)) return NULL;
struct to_free *mem = pom_calloc(&conf->settings, 1, sizeof(struct to_free) + nmemb * sz);
if (!mem) return NULL;
conf_free_list_append(conf, mem);
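Review bot: The guard on the first line of `conf_calloc` can still divide by zero or let a wrapped size through. `2*sz` is computed in `size_t` and wraps when `sz > SIZE_MAX / 2`, giving 0 for `sz == SIZE_MAX / 2 + 1` and a small divisor for larger values, after which `nmemb * sz` in the `pom_calloc` call can overflow and under-allocate. Dividing twice avoids the multiplication: `if (sz == 0 || nmemb > SIZE_MAX / 2 / sz) return NULL;`. Returning `NULL` for `sz == 0` also makes a zero-size request indistinguishable from out-of-memory for callers, which is worth a comment. The function continues past the end of the hunk.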
diff --git a/pre-commit.sh b/pre-commit.sh
index bda1666..d566662 100755
--- a/pre-commit.sh
+++ b/pre-commit.sh
@@ -3,3 +3,11 @@
# Ensure no doxygen errors
which doxygen >/dev/null 2>/dev/null && { doxygen || exit 1; }
+make -j`nproc` test
+
+if [ "$NO_TIDY" = '' ] && \
+ which clang-tidy >/dev/null && \
+ git diff --name-status HEAD -- pom.c | grep -q 'M\s*pom.c'; then
+ echo 'Running clang-tidy...'
+ clang-tidy pom.c || exit 1
+fi
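Review bot: The added `make ... test` line does not stop the hook when the tests fail, unlike the doxygen and clang-tidy lines, which end in `|| exit 1`. Unless `set -e` is set in the two lines above the hunk, a failing test run still lets the commit through; use `make -j"$(nproc)" test || exit 1`. The tidy gate also fails open: when `clang-tidy` is not installed or `NO_TIDY` is set, the check is skipped silently, so printing a message in that case would make a skipped lint visible. `clang-tidy pom.c` reads the working-tree file, which can differ from the staged content being committed.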