jemalloc/include
Slobodan Predolac dfb276f035 Speculative fix for Veracode integer overflow/underflow in sz.h
Veracode flags CWE-190/191 on the `size + mask` round-ups in
sz_s2u_compute_using_delta, sz_s2u_compute and sz_sa2u. We believe these are
false positives: the arithmetic is unsigned size_t (overflow is well-defined in
C, not UB), `size` is already bounded by the SC_LARGE_MAXCLASS guard, and the
masks are tiny, so the additions cannot actually overflow.

CodeQL's security-extended suite (CWE-190/191) does not flag these. Its
uncontrolled-arithmetic query only reports *signed* overflow ("unsigned overflow
is well-defined"), and its tainted-arithmetic query credits the existing
upper-bound guard. Veracode instead treats the public-API size/alignment as
tainted and ignores guards placed above the expression, so piling on more
pre-checks does not satisfy it.

Effect on the malloc/free hot path is zero instructions as verified with
clang -O3 and ThinLTO objdump
2026-06-16 21:02:51 -04:00
jemalloc Speculative fix for Veracode integer overflow/underflow in sz.h 2026-06-16 21:02:51 -04:00
msvc_compat Reformat the codebase with the clang-format 18. 2026-03-10 18:14:33 -07:00