From 1a3050926efdf12c47beea38a90b957fa95b8fff Mon Sep 17 00:00:00 2001
From: claw
Date: Wed, 13 May 2026 05:17:14 -0700
Subject: [PATCH] =?UTF-8?q?fix(gitea):=20address=20review=20findings=20?=
 =?UTF-8?q?=E2=80=94=20clamp=20overflow,=20clarify=20maxSize=20doc?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- Clamp maxBytes+1 to prevent integer overflow to negative when maxBytes == math.MaxInt64 (falls back to math.MaxInt64)
- Update MaxDiffSize doc: 'any negative value' disables the limit, matching actual behavior of 'maxSize < 0' check
---
 gitea/client.go | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)

diff --git a/gitea/client.go b/gitea/client.go
index acd710c..bdc9a4a 100644
--- a/gitea/client.go
+++ b/gitea/client.go
@@ -11,6 +11,7 @@ import (
 "fmt"
 "io"
 "log/slog"
+"math"
 "net"
 "net/http"
 "net/url"
@@ -69,7 +70,7 @@ type Client struct {
 RetryBackoff []time.Duration
 // MaxDiffSize is the maximum number of bytes allowed when fetching a PR diff.
-// If zero, defaults to DefaultMaxDiffSize (10 MB). Set to -1 to disable the limit.
+// If zero, defaults to DefaultMaxDiffSize (10 MB). Set to any negative value to disable the limit.
 MaxDiffSize int64
 }
@@ -442,7 +443,8 @@ func (c *Client) doGet(ctx context.Context, reqURL string) ([]byte, error) {
 // doGetLimited performs an HTTP GET request with retry (like doGet) but enforces
 // a maximum response body size. Returns ErrDiffTooLarge if the response exceeds
-// maxBytes. It reads maxBytes+1 to detect overflow without buffering the entire body.
+// maxBytes. It reads maxBytes+1 (clamped to avoid overflow) to detect truncation
+// without buffering the entire body.
 func (c *Client) doGetLimited(ctx context.Context, reqURL string, maxBytes int64) ([]byte, error) {
 const maxAttempts = 3
 backoff := c.RetryBackoff
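Review bot: The reworded doc comment on doGetLimited says the extra byte is read "to detect truncation", but what the sentinel byte actually detects is a response body larger than maxBytes; the truncation is something this function itself performs through io.LimitReader, so the wording inverts cause and effect. Suggest `// maxBytes. It reads maxBytes+1 (clamped to avoid overflow) so that a body larger` / `// than maxBytes is detected without buffering all of it.` doGetLimited's body continues past the end of this hunk.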
@@ -495,7 +497,12 @@ func (c *Client) doGetLimited(ctx context.Context, reqURL string, maxBytes int64
 }
 if resp.StatusCode >= 200 && resp.StatusCode < 300 {
 // Read up to maxBytes+1 to detect overflow.
-limited := io.LimitReader(resp.Body, maxBytes+1)
+// Clamp to prevent integer overflow when maxBytes == math.MaxInt64.
+limitBytes := maxBytes + 1
+if limitBytes <= 0 {
+limitBytes = math.MaxInt64
+}
+limited := io.LimitReader(resp.Body, limitBytes)
 body, err := io.ReadAll(limited)
 resp.Body.Close()
 if err != nil {
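Review bot: The new guard `if limitBytes <= 0` widens every non-positive limit to math.MaxInt64, not only the `maxBytes == math.MaxInt64` overflow case the comment above it describes, so a negative maxBytes that reaches doGetLimited now yields an unbounded io.ReadAll of the response body where the old `io.LimitReader(resp.Body, maxBytes+1)` returned EOF almost immediately. If the caller already diverts negative values before calling this function (the commit message mentions a `maxSize < 0` check, but it is not in this patch), the guard is reachable only through the overflow and can say so precisely: `if maxBytes == math.MaxInt64 { limitBytes = math.MaxInt64 }`; otherwise a negative maxBytes should be rejected here rather than silently mapped to "no limit". Because the body is fully buffered by io.ReadAll, a response from the remote server with no effective cap is the memory-exhaustion exposure this limit exists to prevent, so the unlimited path deserves to be an explicit decision rather than a side effect of the clamp. doGetLimited's body continues outside the hunk, including the length comparison against maxBytes that this sentinel byte feeds.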