1 files changed, 26 insertions, 0 deletions

diff --git a/src/libexpr/gc-alloc.hh b/src/libexpr/gc-alloc.hh
index f691bfc4b..04ac28ea8 100644
--- a/src/libexpr/gc-alloc.hh
+++ b/src/libexpr/gc-alloc.hh
@@ -18,6 +18,8 @@
 #include <gc/gc_allocator.h>
 #include <gc/gc_cpp.h>
 
+#include "checked-arithmetic.hh"
+
 /// calloc, transparently GC-enabled.
 #define LIX_GC_CALLOC(size) GC_MALLOC(size)
 
@@ -104,6 +106,30 @@ inline void * gcAllocBytes(size_t n)
     return ptr;
 }
 
+/// Typed, safe wrapper around calloc() (transparently GC-enabled). Allocates
+/// enough for the requested count of the specified type. Also checks for
+/// nullptr (and throws @ref std::bad_alloc), and casts the void pointer to
+/// a pointer of the specified type, for type-convenient goodness.
+template<typename T>
+[[gnu::always_inline]]
+inline T * gcAllocType(size_t howMany = 1)
+{
+    // NOTE: size_t * size_t, which can definitely overflow.
+    // Unsigned integer overflow is definitely a bug, but isn't undefined
+    // behavior, so we can just check if we overflowed after the fact.
+    // However, people can and do request zero sized allocations, so we need
+    // to check that neither of our multiplicands were zero before complaining
+    // about it.
+    auto checkedSz = checked::Checked<size_t>(howMany) * sizeof(T);
+    size_t sz = checkedSz.valueWrapping();
+    if (checkedSz.overflowed()) {
+        // Congrats, you done did an overflow.
+        throw std::bad_alloc();
+    }
+
+    return static_cast<T *>(gcAllocBytes(sz));
+}
+
 /// GC-transparently allocates a buffer for a C-string of @ref size *bytes*,
 /// meaning you should include the size needed by the NUL terminator in the
 /// passed size. Memory allocated with this function must never contain other