cid#1474353 experiment to silence Untrusted loop bound

the value *is* surely sanity checked here despite coverity's
bleating that it has passed through std::min unchanged when
it is the min value

Change-Id: Ic4f2b718832f88528f842280b4c0e04c4b3a9444
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/113031
Tested-by: Caolán McNamara <caolanm@redhat.com>
Reviewed-by: Caolán McNamara <caolanm@redhat.com>

1 files changed, 15 insertions, 3 deletions

diff --git a/include/o3tl/safeint.hxx b/include/o3tl/safeint.hxx
index 9df92ea1a9d1..71239d59c718 100644
--- a/include/o3tl/safeint.hxx
+++ b/include/o3tl/safeint.hxx
@@ -7,11 +7,11 @@
  * file, You can obtain one at http://mozilla.org/MPL/2.0/.
  */
 
-#ifndef INCLUDED_O3TL_SAFEINT_HXX
-#define INCLUDED_O3TL_SAFEINT_HXX
+#pragma once
 
 #include <sal/config.h>
 
+#include <algorithm>
 #include <cassert>
 #include <limits>
 #include <type_traits>
@@ -239,8 +239,20 @@ make_unsigned(T value)
 // tools like -fsanitize=implicit-conversion should still be able to detect truncation:
 template<typename T1, typename T2> constexpr T1 narrowing(T2 value) { return value; }
 
-}
+// std::min wrapped to inform coverity that the result is now sanitized
+#if defined(__COVERITY__)
+extern "C" void __coverity_tainted_data_sanitize__(void *);
+#endif
 
+template<typename T> inline T sanitizing_min(T a, T b)
+{
+    T ret = std::min(a, b);
+#if defined(__COVERITY__)
+    __coverity_tainted_data_sanitize__(&ret);
 #endif
+    return ret;
+}
+
+}
 
 /* vim:set shiftwidth=4 softtabstop=4 expandtab: */