mirror of
https://gitlab.winehq.org/wine/wine-gecko.git
synced 2024-09-13 09:24:08 -07:00
Bug 1181704 - Import chromium SafeSPrintf. r=bobowen
This also imports the unit tests but doesn't arrange to run them. Including the tests in our xul-gtest is possible but not trivial: there are logging dependencies, and they use a different #include path for gtest.h (which we'd need to patch). Upstream revision: df7cc6c04725630dd4460f29d858a77507343b24.
This commit is contained in:
parent
ade5a8d7be
commit
bad4183e1d
685
security/sandbox/chromium/base/strings/safe_sprintf.cc
Normal file
685
security/sandbox/chromium/base/strings/safe_sprintf.cc
Normal file
@ -0,0 +1,685 @@
|
||||
// Copyright 2013 The Chromium Authors. All rights reserved.
|
||||
// Use of this source code is governed by a BSD-style license that can be
|
||||
// found in the LICENSE file.
|
||||
|
||||
#include "base/strings/safe_sprintf.h"
|
||||
|
||||
#include <limits>
|
||||
|
||||
#if !defined(NDEBUG)
|
||||
// In debug builds, we use RAW_CHECK() to print useful error messages, if
|
||||
// SafeSPrintf() is called with broken arguments.
|
||||
// As our contract promises that SafeSPrintf() can be called from any
|
||||
// restricted run-time context, it is not actually safe to call logging
|
||||
// functions from it; and we only ever do so for debug builds and hope for the
|
||||
// best. We should _never_ call any logging function other than RAW_CHECK(),
|
||||
// and we should _never_ include any logging code that is active in production
|
||||
// builds. Most notably, we should not include these logging functions in
|
||||
// unofficial release builds, even though those builds would otherwise have
|
||||
// DCHECKS() enabled.
|
||||
// In other words; please do not remove the #ifdef around this #include.
|
||||
// Instead, in production builds we opt for returning a degraded result,
|
||||
// whenever an error is encountered.
|
||||
// E.g. The broken function call
|
||||
// SafeSPrintf("errno = %d (%x)", errno, strerror(errno))
|
||||
// will print something like
|
||||
// errno = 13, (%x)
|
||||
// instead of
|
||||
// errno = 13 (Access denied)
|
||||
// In most of the anticipated use cases, that's probably the preferred
|
||||
// behavior.
|
||||
#include "base/logging.h"
|
||||
#define DEBUG_CHECK RAW_CHECK
|
||||
#else
|
||||
#define DEBUG_CHECK(x) do { if (x) { } } while (0)
|
||||
#endif
|
||||
|
||||
namespace base {
|
||||
namespace strings {
|
||||
|
||||
// The code in this file is extremely careful to be async-signal-safe.
|
||||
//
|
||||
// Most obviously, we avoid calling any code that could dynamically allocate
|
||||
// memory. Doing so would almost certainly result in bugs and dead-locks.
|
||||
// We also avoid calling any other STL functions that could have unintended
|
||||
// side-effects involving memory allocation or access to other shared
|
||||
// resources.
|
||||
//
|
||||
// But on top of that, we also avoid calling other library functions, as many
|
||||
// of them have the side-effect of calling getenv() (in order to deal with
|
||||
// localization) or accessing errno. The latter sounds benign, but there are
|
||||
// several execution contexts where it isn't even possible to safely read let
|
||||
// alone write errno.
|
||||
//
|
||||
// The stated design goal of the SafeSPrintf() function is that it can be
|
||||
// called from any context that can safely call C or C++ code (i.e. anything
|
||||
// that doesn't require assembly code).
|
||||
//
|
||||
// For a brief overview of some but not all of the issues with async-signal-
|
||||
// safety, refer to:
|
||||
// http://pubs.opengroup.org/onlinepubs/009695399/functions/xsh_chap02_04.html
|
||||
|
||||
namespace {
|
||||
const size_t kSSizeMaxConst = ((size_t)(ssize_t)-1) >> 1;
|
||||
|
||||
const char kUpCaseHexDigits[] = "0123456789ABCDEF";
|
||||
const char kDownCaseHexDigits[] = "0123456789abcdef";
|
||||
}
|
||||
|
||||
#if defined(NDEBUG)
|
||||
// We would like to define kSSizeMax as std::numeric_limits<ssize_t>::max(),
|
||||
// but C++ doesn't allow us to do that for constants. Instead, we have to
|
||||
// use careful casting and shifting. We later use a COMPILE_ASSERT to
|
||||
// verify that this worked correctly.
|
||||
namespace {
|
||||
const size_t kSSizeMax = kSSizeMaxConst;
|
||||
}
|
||||
#else // defined(NDEBUG)
|
||||
// For efficiency, we really need kSSizeMax to be a constant. But for unit
|
||||
// tests, it should be adjustable. This allows us to verify edge cases without
|
||||
// having to fill the entire available address space. As a compromise, we make
|
||||
// kSSizeMax adjustable in debug builds, and then only compile that particular
|
||||
// part of the unit test in debug builds.
|
||||
namespace {
|
||||
static size_t kSSizeMax = kSSizeMaxConst;
|
||||
}
|
||||
|
||||
namespace internal {
|
||||
void SetSafeSPrintfSSizeMaxForTest(size_t max) {
|
||||
kSSizeMax = max;
|
||||
}
|
||||
|
||||
size_t GetSafeSPrintfSSizeMaxForTest() {
|
||||
return kSSizeMax;
|
||||
}
|
||||
}
|
||||
#endif // defined(NDEBUG)
|
||||
|
||||
namespace {
|
||||
class Buffer {
|
||||
public:
|
||||
// |buffer| is caller-allocated storage that SafeSPrintf() writes to. It
|
||||
// has |size| bytes of writable storage. It is the caller's responsibility
|
||||
// to ensure that the buffer is at least one byte in size, so that it fits
|
||||
// the trailing NUL that will be added by the destructor. The buffer also
|
||||
// must be smaller or equal to kSSizeMax in size.
|
||||
Buffer(char* buffer, size_t size)
|
||||
: buffer_(buffer),
|
||||
size_(size - 1), // Account for trailing NUL byte
|
||||
count_(0) {
|
||||
// The following assertion does not build on Mac and Android. This is because
|
||||
// static_assert only works with compile-time constants, but mac uses
|
||||
// libstdc++4.2 and android uses stlport, which both don't mark
|
||||
// numeric_limits::max() as constexp. Likewise, MSVS2013's standard library
|
||||
// also doesn't mark max() as constexpr yet. cl.exe supports static_cast but
|
||||
// doesn't really implement constexpr yet so it doesn't complain, but clang
|
||||
// does.
|
||||
#if __cplusplus >= 201103 && !defined(OS_ANDROID) && !defined(OS_MACOSX) && \
|
||||
!defined(OS_IOS) && !(defined(__clang__) && defined(OS_WIN))
|
||||
COMPILE_ASSERT(kSSizeMaxConst == \
|
||||
static_cast<size_t>(std::numeric_limits<ssize_t>::max()),
|
||||
kSSizeMax_is_the_max_value_of_an_ssize_t);
|
||||
#endif
|
||||
DEBUG_CHECK(size > 0);
|
||||
DEBUG_CHECK(size <= kSSizeMax);
|
||||
}
|
||||
|
||||
~Buffer() {
|
||||
// The code calling the constructor guaranteed that there was enough space
|
||||
// to store a trailing NUL -- and in debug builds, we are actually
|
||||
// verifying this with DEBUG_CHECK()s in the constructor. So, we can
|
||||
// always unconditionally write the NUL byte in the destructor. We do not
|
||||
// need to adjust the count_, as SafeSPrintf() copies snprintf() in not
|
||||
// including the NUL byte in its return code.
|
||||
*GetInsertionPoint() = '\000';
|
||||
}
|
||||
|
||||
// Returns true, iff the buffer is filled all the way to |kSSizeMax-1|. The
|
||||
// caller can now stop adding more data, as GetCount() has reached its
|
||||
// maximum possible value.
|
||||
inline bool OutOfAddressableSpace() const {
|
||||
return count_ == static_cast<size_t>(kSSizeMax - 1);
|
||||
}
|
||||
|
||||
// Returns the number of bytes that would have been emitted to |buffer_|
|
||||
// if it was sized sufficiently large. This number can be larger than
|
||||
// |size_|, if the caller provided an insufficiently large output buffer.
|
||||
// But it will never be bigger than |kSSizeMax-1|.
|
||||
inline ssize_t GetCount() const {
|
||||
DEBUG_CHECK(count_ < kSSizeMax);
|
||||
return static_cast<ssize_t>(count_);
|
||||
}
|
||||
|
||||
// Emits one |ch| character into the |buffer_| and updates the |count_| of
|
||||
// characters that are currently supposed to be in the buffer.
|
||||
// Returns "false", iff the buffer was already full.
|
||||
// N.B. |count_| increases even if no characters have been written. This is
|
||||
// needed so that GetCount() can return the number of bytes that should
|
||||
// have been allocated for the |buffer_|.
|
||||
inline bool Out(char ch) {
|
||||
if (size_ >= 1 && count_ < size_) {
|
||||
buffer_[count_] = ch;
|
||||
return IncrementCountByOne();
|
||||
}
|
||||
// |count_| still needs to be updated, even if the buffer has been
|
||||
// filled completely. This allows SafeSPrintf() to return the number of
|
||||
// bytes that should have been emitted.
|
||||
IncrementCountByOne();
|
||||
return false;
|
||||
}
|
||||
|
||||
// Inserts |padding|-|len| bytes worth of padding into the |buffer_|.
|
||||
// |count_| will also be incremented by the number of bytes that were meant
|
||||
// to be emitted. The |pad| character is typically either a ' ' space
|
||||
// or a '0' zero, but other non-NUL values are legal.
|
||||
// Returns "false", iff the the |buffer_| filled up (i.e. |count_|
|
||||
// overflowed |size_|) at any time during padding.
|
||||
inline bool Pad(char pad, size_t padding, size_t len) {
|
||||
DEBUG_CHECK(pad);
|
||||
DEBUG_CHECK(padding <= kSSizeMax);
|
||||
for (; padding > len; --padding) {
|
||||
if (!Out(pad)) {
|
||||
if (--padding) {
|
||||
IncrementCount(padding-len);
|
||||
}
|
||||
return false;
|
||||
}
|
||||
}
|
||||
return true;
|
||||
}
|
||||
|
||||
// POSIX doesn't define any async-signal-safe function for converting
|
||||
// an integer to ASCII. Define our own version.
|
||||
//
|
||||
// This also gives us the ability to make the function a little more
|
||||
// powerful and have it deal with |padding|, with truncation, and with
|
||||
// predicting the length of the untruncated output.
|
||||
//
|
||||
// IToASCII() converts an integer |i| to ASCII.
|
||||
//
|
||||
// Unlike similar functions in the standard C library, it never appends a
|
||||
// NUL character. This is left for the caller to do.
|
||||
//
|
||||
// While the function signature takes a signed int64_t, the code decides at
|
||||
// run-time whether to treat the argument as signed (int64_t) or as unsigned
|
||||
// (uint64_t) based on the value of |sign|.
|
||||
//
|
||||
// It supports |base|s 2 through 16. Only a |base| of 10 is allowed to have
|
||||
// a |sign|. Otherwise, |i| is treated as unsigned.
|
||||
//
|
||||
// For bases larger than 10, |upcase| decides whether lower-case or upper-
|
||||
// case letters should be used to designate digits greater than 10.
|
||||
//
|
||||
// Padding can be done with either '0' zeros or ' ' spaces. Padding has to
|
||||
// be positive and will always be applied to the left of the output.
|
||||
//
|
||||
// Prepends a |prefix| to the number (e.g. "0x"). This prefix goes to
|
||||
// the left of |padding|, if |pad| is '0'; and to the right of |padding|
|
||||
// if |pad| is ' '.
|
||||
//
|
||||
// Returns "false", if the |buffer_| overflowed at any time.
|
||||
bool IToASCII(bool sign, bool upcase, int64_t i, int base,
|
||||
char pad, size_t padding, const char* prefix);
|
||||
|
||||
private:
|
||||
// Increments |count_| by |inc| unless this would cause |count_| to
|
||||
// overflow |kSSizeMax-1|. Returns "false", iff an overflow was detected;
|
||||
// it then clamps |count_| to |kSSizeMax-1|.
|
||||
inline bool IncrementCount(size_t inc) {
|
||||
// "inc" is either 1 or a "padding" value. Padding is clamped at
|
||||
// run-time to at most kSSizeMax-1. So, we know that "inc" is always in
|
||||
// the range 1..kSSizeMax-1.
|
||||
// This allows us to compute "kSSizeMax - 1 - inc" without incurring any
|
||||
// integer overflows.
|
||||
DEBUG_CHECK(inc <= kSSizeMax - 1);
|
||||
if (count_ > kSSizeMax - 1 - inc) {
|
||||
count_ = kSSizeMax - 1;
|
||||
return false;
|
||||
} else {
|
||||
count_ += inc;
|
||||
return true;
|
||||
}
|
||||
}
|
||||
|
||||
// Convenience method for the common case of incrementing |count_| by one.
|
||||
inline bool IncrementCountByOne() {
|
||||
return IncrementCount(1);
|
||||
}
|
||||
|
||||
// Return the current insertion point into the buffer. This is typically
|
||||
// at |buffer_| + |count_|, but could be before that if truncation
|
||||
// happened. It always points to one byte past the last byte that was
|
||||
// successfully placed into the |buffer_|.
|
||||
inline char* GetInsertionPoint() const {
|
||||
size_t idx = count_;
|
||||
if (idx > size_) {
|
||||
idx = size_;
|
||||
}
|
||||
return buffer_ + idx;
|
||||
}
|
||||
|
||||
// User-provided buffer that will receive the fully formatted output string.
|
||||
char* buffer_;
|
||||
|
||||
// Number of bytes that are available in the buffer excluding the trailing
|
||||
// NUL byte that will be added by the destructor.
|
||||
const size_t size_;
|
||||
|
||||
// Number of bytes that would have been emitted to the buffer, if the buffer
|
||||
// was sufficiently big. This number always excludes the trailing NUL byte
|
||||
// and it is guaranteed to never grow bigger than kSSizeMax-1.
|
||||
size_t count_;
|
||||
|
||||
DISALLOW_COPY_AND_ASSIGN(Buffer);
|
||||
};
|
||||
|
||||
|
||||
bool Buffer::IToASCII(bool sign, bool upcase, int64_t i, int base,
|
||||
char pad, size_t padding, const char* prefix) {
|
||||
// Sanity check for parameters. None of these should ever fail, but see
|
||||
// above for the rationale why we can't call CHECK().
|
||||
DEBUG_CHECK(base >= 2);
|
||||
DEBUG_CHECK(base <= 16);
|
||||
DEBUG_CHECK(!sign || base == 10);
|
||||
DEBUG_CHECK(pad == '0' || pad == ' ');
|
||||
DEBUG_CHECK(padding <= kSSizeMax);
|
||||
DEBUG_CHECK(!(sign && prefix && *prefix));
|
||||
|
||||
// Handle negative numbers, if the caller indicated that |i| should be
|
||||
// treated as a signed number; otherwise treat |i| as unsigned (even if the
|
||||
// MSB is set!)
|
||||
// Details are tricky, because of limited data-types, but equivalent pseudo-
|
||||
// code would look like:
|
||||
// if (sign && i < 0)
|
||||
// prefix = "-";
|
||||
// num = abs(i);
|
||||
int minint = 0;
|
||||
uint64_t num;
|
||||
if (sign && i < 0) {
|
||||
prefix = "-";
|
||||
|
||||
// Turn our number positive.
|
||||
if (i == std::numeric_limits<int64_t>::min()) {
|
||||
// The most negative integer needs special treatment.
|
||||
minint = 1;
|
||||
num = static_cast<uint64_t>(-(i + 1));
|
||||
} else {
|
||||
// "Normal" negative numbers are easy.
|
||||
num = static_cast<uint64_t>(-i);
|
||||
}
|
||||
} else {
|
||||
num = static_cast<uint64_t>(i);
|
||||
}
|
||||
|
||||
// If padding with '0' zero, emit the prefix or '-' character now. Otherwise,
|
||||
// make the prefix accessible in reverse order, so that we can later output
|
||||
// it right between padding and the number.
|
||||
// We cannot choose the easier approach of just reversing the number, as that
|
||||
// fails in situations where we need to truncate numbers that have padding
|
||||
// and/or prefixes.
|
||||
const char* reverse_prefix = NULL;
|
||||
if (prefix && *prefix) {
|
||||
if (pad == '0') {
|
||||
while (*prefix) {
|
||||
if (padding) {
|
||||
--padding;
|
||||
}
|
||||
Out(*prefix++);
|
||||
}
|
||||
prefix = NULL;
|
||||
} else {
|
||||
for (reverse_prefix = prefix; *reverse_prefix; ++reverse_prefix) {
|
||||
}
|
||||
}
|
||||
} else
|
||||
prefix = NULL;
|
||||
const size_t prefix_length = reverse_prefix - prefix;
|
||||
|
||||
// Loop until we have converted the entire number. Output at least one
|
||||
// character (i.e. '0').
|
||||
size_t start = count_;
|
||||
size_t discarded = 0;
|
||||
bool started = false;
|
||||
do {
|
||||
// Make sure there is still enough space left in our output buffer.
|
||||
if (count_ >= size_) {
|
||||
if (start < size_) {
|
||||
// It is rare that we need to output a partial number. But if asked
|
||||
// to do so, we will still make sure we output the correct number of
|
||||
// leading digits.
|
||||
// Since we are generating the digits in reverse order, we actually
|
||||
// have to discard digits in the order that we have already emitted
|
||||
// them. This is essentially equivalent to:
|
||||
// memmove(buffer_ + start, buffer_ + start + 1, size_ - start - 1)
|
||||
for (char* move = buffer_ + start, *end = buffer_ + size_ - 1;
|
||||
move < end;
|
||||
++move) {
|
||||
*move = move[1];
|
||||
}
|
||||
++discarded;
|
||||
--count_;
|
||||
} else if (count_ - size_ > 1) {
|
||||
// Need to increment either |count_| or |discarded| to make progress.
|
||||
// The latter is more efficient, as it eventually triggers fast
|
||||
// handling of padding. But we have to ensure we don't accidentally
|
||||
// change the overall state (i.e. switch the state-machine from
|
||||
// discarding to non-discarding). |count_| needs to always stay
|
||||
// bigger than |size_|.
|
||||
--count_;
|
||||
++discarded;
|
||||
}
|
||||
}
|
||||
|
||||
// Output the next digit and (if necessary) compensate for the most
|
||||
// negative integer needing special treatment. This works because,
|
||||
// no matter the bit width of the integer, the lowest-most decimal
|
||||
// integer always ends in 2, 4, 6, or 8.
|
||||
if (!num && started) {
|
||||
if (reverse_prefix > prefix) {
|
||||
Out(*--reverse_prefix);
|
||||
} else {
|
||||
Out(pad);
|
||||
}
|
||||
} else {
|
||||
started = true;
|
||||
Out((upcase ? kUpCaseHexDigits : kDownCaseHexDigits)[num%base + minint]);
|
||||
}
|
||||
|
||||
minint = 0;
|
||||
num /= base;
|
||||
|
||||
// Add padding, if requested.
|
||||
if (padding > 0) {
|
||||
--padding;
|
||||
|
||||
// Performance optimization for when we are asked to output excessive
|
||||
// padding, but our output buffer is limited in size. Even if we output
|
||||
// a 64bit number in binary, we would never write more than 64 plus
|
||||
// prefix non-padding characters. So, once this limit has been passed,
|
||||
// any further state change can be computed arithmetically; we know that
|
||||
// by this time, our entire final output consists of padding characters
|
||||
// that have all already been output.
|
||||
if (discarded > 8*sizeof(num) + prefix_length) {
|
||||
IncrementCount(padding);
|
||||
padding = 0;
|
||||
}
|
||||
}
|
||||
} while (num || padding || (reverse_prefix > prefix));
|
||||
|
||||
// Conversion to ASCII actually resulted in the digits being in reverse
|
||||
// order. We can't easily generate them in forward order, as we can't tell
|
||||
// the number of characters needed until we are done converting.
|
||||
// So, now, we reverse the string (except for the possible '-' sign).
|
||||
char* front = buffer_ + start;
|
||||
char* back = GetInsertionPoint();
|
||||
while (--back > front) {
|
||||
char ch = *back;
|
||||
*back = *front;
|
||||
*front++ = ch;
|
||||
}
|
||||
|
||||
IncrementCount(discarded);
|
||||
return !discarded;
|
||||
}
|
||||
|
||||
} // anonymous namespace
|
||||
|
||||
namespace internal {
|
||||
|
||||
ssize_t SafeSNPrintf(char* buf, size_t sz, const char* fmt, const Arg* args,
|
||||
const size_t max_args) {
|
||||
// Make sure that at least one NUL byte can be written, and that the buffer
|
||||
// never overflows kSSizeMax. Not only does that use up most or all of the
|
||||
// address space, it also would result in a return code that cannot be
|
||||
// represented.
|
||||
if (static_cast<ssize_t>(sz) < 1) {
|
||||
return -1;
|
||||
} else if (sz > kSSizeMax) {
|
||||
sz = kSSizeMax;
|
||||
}
|
||||
|
||||
// Iterate over format string and interpret '%' arguments as they are
|
||||
// encountered.
|
||||
Buffer buffer(buf, sz);
|
||||
size_t padding;
|
||||
char pad;
|
||||
for (unsigned int cur_arg = 0; *fmt && !buffer.OutOfAddressableSpace(); ) {
|
||||
if (*fmt++ == '%') {
|
||||
padding = 0;
|
||||
pad = ' ';
|
||||
char ch = *fmt++;
|
||||
format_character_found:
|
||||
switch (ch) {
|
||||
case '0': case '1': case '2': case '3': case '4':
|
||||
case '5': case '6': case '7': case '8': case '9':
|
||||
// Found a width parameter. Convert to an integer value and store in
|
||||
// "padding". If the leading digit is a zero, change the padding
|
||||
// character from a space ' ' to a zero '0'.
|
||||
pad = ch == '0' ? '0' : ' ';
|
||||
for (;;) {
|
||||
// The maximum allowed padding fills all the available address
|
||||
// space and leaves just enough space to insert the trailing NUL.
|
||||
const size_t max_padding = kSSizeMax - 1;
|
||||
if (padding > max_padding/10 ||
|
||||
10*padding > max_padding - (ch - '0')) {
|
||||
DEBUG_CHECK(padding <= max_padding/10 &&
|
||||
10*padding <= max_padding - (ch - '0'));
|
||||
// Integer overflow detected. Skip the rest of the width until
|
||||
// we find the format character, then do the normal error handling.
|
||||
padding_overflow:
|
||||
padding = max_padding;
|
||||
while ((ch = *fmt++) >= '0' && ch <= '9') {
|
||||
}
|
||||
if (cur_arg < max_args) {
|
||||
++cur_arg;
|
||||
}
|
||||
goto fail_to_expand;
|
||||
}
|
||||
padding = 10*padding + ch - '0';
|
||||
if (padding > max_padding) {
|
||||
// This doesn't happen for "sane" values of kSSizeMax. But once
|
||||
// kSSizeMax gets smaller than about 10, our earlier range checks
|
||||
// are incomplete. Unittests do trigger this artificial corner
|
||||
// case.
|
||||
DEBUG_CHECK(padding <= max_padding);
|
||||
goto padding_overflow;
|
||||
}
|
||||
ch = *fmt++;
|
||||
if (ch < '0' || ch > '9') {
|
||||
// Reached the end of the width parameter. This is where the format
|
||||
// character is found.
|
||||
goto format_character_found;
|
||||
}
|
||||
}
|
||||
break;
|
||||
case 'c': { // Output an ASCII character.
|
||||
// Check that there are arguments left to be inserted.
|
||||
if (cur_arg >= max_args) {
|
||||
DEBUG_CHECK(cur_arg < max_args);
|
||||
goto fail_to_expand;
|
||||
}
|
||||
|
||||
// Check that the argument has the expected type.
|
||||
const Arg& arg = args[cur_arg++];
|
||||
if (arg.type != Arg::INT && arg.type != Arg::UINT) {
|
||||
DEBUG_CHECK(arg.type == Arg::INT || arg.type == Arg::UINT);
|
||||
goto fail_to_expand;
|
||||
}
|
||||
|
||||
// Apply padding, if needed.
|
||||
buffer.Pad(' ', padding, 1);
|
||||
|
||||
// Convert the argument to an ASCII character and output it.
|
||||
char ch = static_cast<char>(arg.integer.i);
|
||||
if (!ch) {
|
||||
goto end_of_output_buffer;
|
||||
}
|
||||
buffer.Out(ch);
|
||||
break; }
|
||||
case 'd': // Output a possibly signed decimal value.
|
||||
case 'o': // Output an unsigned octal value.
|
||||
case 'x': // Output an unsigned hexadecimal value.
|
||||
case 'X':
|
||||
case 'p': { // Output a pointer value.
|
||||
// Check that there are arguments left to be inserted.
|
||||
if (cur_arg >= max_args) {
|
||||
DEBUG_CHECK(cur_arg < max_args);
|
||||
goto fail_to_expand;
|
||||
}
|
||||
|
||||
const Arg& arg = args[cur_arg++];
|
||||
int64_t i;
|
||||
const char* prefix = NULL;
|
||||
if (ch != 'p') {
|
||||
// Check that the argument has the expected type.
|
||||
if (arg.type != Arg::INT && arg.type != Arg::UINT) {
|
||||
DEBUG_CHECK(arg.type == Arg::INT || arg.type == Arg::UINT);
|
||||
goto fail_to_expand;
|
||||
}
|
||||
i = arg.integer.i;
|
||||
|
||||
if (ch != 'd') {
|
||||
// The Arg() constructor automatically performed sign expansion on
|
||||
// signed parameters. This is great when outputting a %d decimal
|
||||
// number, but can result in unexpected leading 0xFF bytes when
|
||||
// outputting a %x hexadecimal number. Mask bits, if necessary.
|
||||
// We have to do this here, instead of in the Arg() constructor, as
|
||||
// the Arg() constructor cannot tell whether we will output a %d
|
||||
// or a %x. Only the latter should experience masking.
|
||||
if (arg.integer.width < sizeof(int64_t)) {
|
||||
i &= (1LL << (8*arg.integer.width)) - 1;
|
||||
}
|
||||
}
|
||||
} else {
|
||||
// Pointer values require an actual pointer or a string.
|
||||
if (arg.type == Arg::POINTER) {
|
||||
i = reinterpret_cast<uintptr_t>(arg.ptr);
|
||||
} else if (arg.type == Arg::STRING) {
|
||||
i = reinterpret_cast<uintptr_t>(arg.str);
|
||||
} else if (arg.type == Arg::INT &&
|
||||
arg.integer.width == sizeof(NULL) &&
|
||||
arg.integer.i == 0) { // Allow C++'s version of NULL
|
||||
i = 0;
|
||||
} else {
|
||||
DEBUG_CHECK(arg.type == Arg::POINTER || arg.type == Arg::STRING);
|
||||
goto fail_to_expand;
|
||||
}
|
||||
|
||||
// Pointers always include the "0x" prefix.
|
||||
prefix = "0x";
|
||||
}
|
||||
|
||||
// Use IToASCII() to convert to ASCII representation. For decimal
|
||||
// numbers, optionally print a sign. For hexadecimal numbers,
|
||||
// distinguish between upper and lower case. %p addresses are always
|
||||
// printed as upcase. Supports base 8, 10, and 16. Prints padding
|
||||
// and/or prefixes, if so requested.
|
||||
buffer.IToASCII(ch == 'd' && arg.type == Arg::INT,
|
||||
ch != 'x', i,
|
||||
ch == 'o' ? 8 : ch == 'd' ? 10 : 16,
|
||||
pad, padding, prefix);
|
||||
break; }
|
||||
case 's': {
|
||||
// Check that there are arguments left to be inserted.
|
||||
if (cur_arg >= max_args) {
|
||||
DEBUG_CHECK(cur_arg < max_args);
|
||||
goto fail_to_expand;
|
||||
}
|
||||
|
||||
// Check that the argument has the expected type.
|
||||
const Arg& arg = args[cur_arg++];
|
||||
const char *s;
|
||||
if (arg.type == Arg::STRING) {
|
||||
s = arg.str ? arg.str : "<NULL>";
|
||||
} else if (arg.type == Arg::INT && arg.integer.width == sizeof(NULL) &&
|
||||
arg.integer.i == 0) { // Allow C++'s version of NULL
|
||||
s = "<NULL>";
|
||||
} else {
|
||||
DEBUG_CHECK(arg.type == Arg::STRING);
|
||||
goto fail_to_expand;
|
||||
}
|
||||
|
||||
// Apply padding, if needed. This requires us to first check the
|
||||
// length of the string that we are outputting.
|
||||
if (padding) {
|
||||
size_t len = 0;
|
||||
for (const char* src = s; *src++; ) {
|
||||
++len;
|
||||
}
|
||||
buffer.Pad(' ', padding, len);
|
||||
}
|
||||
|
||||
// Printing a string involves nothing more than copying it into the
|
||||
// output buffer and making sure we don't output more bytes than
|
||||
// available space; Out() takes care of doing that.
|
||||
for (const char* src = s; *src; ) {
|
||||
buffer.Out(*src++);
|
||||
}
|
||||
break; }
|
||||
case '%':
|
||||
// Quoted percent '%' character.
|
||||
goto copy_verbatim;
|
||||
fail_to_expand:
|
||||
// C++ gives us tools to do type checking -- something that snprintf()
|
||||
// could never really do. So, whenever we see arguments that don't
|
||||
// match up with the format string, we refuse to output them. But
|
||||
// since we have to be extremely conservative about being async-
|
||||
// signal-safe, we are limited in the type of error handling that we
|
||||
// can do in production builds (in debug builds we can use
|
||||
// DEBUG_CHECK() and hope for the best). So, all we do is pass the
|
||||
// format string unchanged. That should eventually get the user's
|
||||
// attention; and in the meantime, it hopefully doesn't lose too much
|
||||
// data.
|
||||
default:
|
||||
// Unknown or unsupported format character. Just copy verbatim to
|
||||
// output.
|
||||
buffer.Out('%');
|
||||
DEBUG_CHECK(ch);
|
||||
if (!ch) {
|
||||
goto end_of_format_string;
|
||||
}
|
||||
buffer.Out(ch);
|
||||
break;
|
||||
}
|
||||
} else {
|
||||
copy_verbatim:
|
||||
buffer.Out(fmt[-1]);
|
||||
}
|
||||
}
|
||||
end_of_format_string:
|
||||
end_of_output_buffer:
|
||||
return buffer.GetCount();
|
||||
}
|
||||
|
||||
} // namespace internal
|
||||
|
||||
ssize_t SafeSNPrintf(char* buf, size_t sz, const char* fmt) {
|
||||
// Make sure that at least one NUL byte can be written, and that the buffer
|
||||
// never overflows kSSizeMax. Not only does that use up most or all of the
|
||||
// address space, it also would result in a return code that cannot be
|
||||
// represented.
|
||||
if (static_cast<ssize_t>(sz) < 1) {
|
||||
return -1;
|
||||
} else if (sz > kSSizeMax) {
|
||||
sz = kSSizeMax;
|
||||
}
|
||||
|
||||
Buffer buffer(buf, sz);
|
||||
|
||||
// In the slow-path, we deal with errors by copying the contents of
|
||||
// "fmt" unexpanded. This means, if there are no arguments passed, the
|
||||
// SafeSPrintf() function always degenerates to a version of strncpy() that
|
||||
// de-duplicates '%' characters.
|
||||
const char* src = fmt;
|
||||
for (; *src; ++src) {
|
||||
buffer.Out(*src);
|
||||
DEBUG_CHECK(src[0] != '%' || src[1] == '%');
|
||||
if (src[0] == '%' && src[1] == '%') {
|
||||
++src;
|
||||
}
|
||||
}
|
||||
return buffer.GetCount();
|
||||
}
|
||||
|
||||
} // namespace strings
|
||||
} // namespace base
|
247
security/sandbox/chromium/base/strings/safe_sprintf.h
Normal file
247
security/sandbox/chromium/base/strings/safe_sprintf.h
Normal file
@ -0,0 +1,247 @@
|
||||
// Copyright 2013 The Chromium Authors. All rights reserved.
|
||||
// Use of this source code is governed by a BSD-style license that can be
|
||||
// found in the LICENSE file.
|
||||
|
||||
#ifndef BASE_STRINGS_SAFE_SPRINTF_H_
|
||||
#define BASE_STRINGS_SAFE_SPRINTF_H_
|
||||
|
||||
#include "build/build_config.h"
|
||||
|
||||
#include <stddef.h>
|
||||
#include <stdint.h>
|
||||
#include <stdlib.h>
|
||||
|
||||
#if defined(OS_POSIX)
|
||||
// For ssize_t
|
||||
#include <unistd.h>
|
||||
#endif
|
||||
|
||||
#include "base/base_export.h"
|
||||
#include "base/basictypes.h"
|
||||
|
||||
namespace base {
|
||||
namespace strings {
|
||||
|
||||
#if defined(_MSC_VER)
|
||||
// Define ssize_t inside of our namespace.
|
||||
#if defined(_WIN64)
|
||||
typedef __int64 ssize_t;
|
||||
#else
|
||||
typedef long ssize_t;
|
||||
#endif
|
||||
#endif
|
||||
|
||||
// SafeSPrintf() is a type-safe and completely self-contained version of
|
||||
// snprintf().
|
||||
//
|
||||
// SafeSNPrintf() is an alternative function signature that can be used when
|
||||
// not dealing with fixed-sized buffers. When possible, SafeSPrintf() should
|
||||
// always be used instead of SafeSNPrintf()
|
||||
//
|
||||
// These functions allow for formatting complicated messages from contexts that
|
||||
// require strict async-signal-safety. In fact, it is safe to call them from
|
||||
// any low-level execution context, as they are guaranteed to make no library
|
||||
// or system calls. It deliberately never touches "errno", either.
|
||||
//
|
||||
// The only exception to this rule is that in debug builds the code calls
|
||||
// RAW_CHECK() to help diagnose problems when the format string does not
|
||||
// match the rest of the arguments. In release builds, no CHECK()s are used,
|
||||
// and SafeSPrintf() instead returns an output string that expands only
|
||||
// those arguments that match their format characters. Mismatched arguments
|
||||
// are ignored.
|
||||
//
|
||||
// The code currently only supports a subset of format characters:
|
||||
// %c, %o, %d, %x, %X, %p, and %s.
|
||||
//
|
||||
// SafeSPrintf() aims to be as liberal as reasonably possible. Integer-like
|
||||
// values of arbitrary width can be passed to all of the format characters
|
||||
// that expect integers. Thus, it is explicitly legal to pass an "int" to
|
||||
// "%c", and output will automatically look at the LSB only. It is also
|
||||
// explicitly legal to pass either signed or unsigned values, and the format
|
||||
// characters will automatically interpret the arguments accordingly.
|
||||
//
|
||||
// It is still not legal to mix-and-match integer-like values with pointer
|
||||
// values. For instance, you cannot pass a pointer to %x, nor can you pass an
|
||||
// integer to %p.
|
||||
//
|
||||
// The one exception is "0" zero being accepted by "%p". This works-around
|
||||
// the problem of C++ defining NULL as an integer-like value.
|
||||
//
|
||||
// All format characters take an optional width parameter. This must be a
|
||||
// positive integer. For %d, %o, %x, %X and %p, if the width starts with
|
||||
// a leading '0', padding is done with '0' instead of ' ' characters.
|
||||
//
|
||||
// There are a few features of snprintf()-style format strings, that
|
||||
// SafeSPrintf() does not support at this time.
|
||||
//
|
||||
// If an actual user showed up, there is no particularly strong reason they
|
||||
// couldn't be added. But that assumes that the trade-offs between complexity
|
||||
// and utility are favorable.
|
||||
//
|
||||
// For example, adding support for negative padding widths, and for %n are all
|
||||
// likely to be viewed positively. They are all clearly useful, low-risk, easy
|
||||
// to test, don't jeopardize the async-signal-safety of the code, and overall
|
||||
// have little impact on other parts of SafeSPrintf() function.
|
||||
//
|
||||
// On the other hands, adding support for alternate forms, positional
|
||||
// arguments, grouping, wide characters, localization or floating point numbers
|
||||
// are all unlikely to ever be added.
|
||||
//
|
||||
// SafeSPrintf() and SafeSNPrintf() mimic the behavior of snprintf() and they
|
||||
// return the number of bytes needed to store the untruncated output. This
|
||||
// does *not* include the terminating NUL byte.
|
||||
//
|
||||
// They return -1, iff a fatal error happened. This typically can only happen,
|
||||
// if the buffer size is a) negative, or b) zero (i.e. not even the NUL byte
|
||||
// can be written). The return value can never be larger than SSIZE_MAX-1.
|
||||
// This ensures that the caller can always add one to the signed return code
|
||||
// in order to determine the amount of storage that needs to be allocated.
|
||||
//
|
||||
// While the code supports type checking and while it is generally very careful
|
||||
// to avoid printing incorrect values, it tends to be conservative in printing
|
||||
// as much as possible, even when given incorrect parameters. Typically, in
|
||||
// case of an error, the format string will not be expanded. (i.e. something
|
||||
// like SafeSPrintf(buf, "%p %d", 1, 2) results in "%p 2"). See above for
|
||||
// the use of RAW_CHECK() in debug builds, though.
|
||||
//
|
||||
// Basic example:
|
||||
// char buf[20];
|
||||
// base::strings::SafeSPrintf(buf, "The answer: %2d", 42);
|
||||
//
|
||||
// Example with dynamically sized buffer (async-signal-safe). This code won't
|
||||
// work on Visual studio, as it requires dynamically allocating arrays on the
|
||||
// stack. Consider picking a smaller value for |kMaxSize| if stack size is
|
||||
// limited and known. On the other hand, if the parameters to SafeSNPrintf()
|
||||
// are trusted and not controllable by the user, you can consider eliminating
|
||||
// the check for |kMaxSize| altogether. The current value of SSIZE_MAX is
|
||||
// essentially a no-op that just illustrates how to implement an upper bound:
|
||||
// const size_t kInitialSize = 128;
|
||||
// const size_t kMaxSize = std::numeric_limits<ssize_t>::max();
|
||||
// size_t size = kInitialSize;
|
||||
// for (;;) {
|
||||
// char buf[size];
|
||||
// size = SafeSNPrintf(buf, size, "Error message \"%s\"\n", err) + 1;
|
||||
// if (sizeof(buf) < kMaxSize && size > kMaxSize) {
|
||||
// size = kMaxSize;
|
||||
// continue;
|
||||
// } else if (size > sizeof(buf))
|
||||
// continue;
|
||||
// write(2, buf, size-1);
|
||||
// break;
|
||||
// }
|
||||
|
||||
namespace internal {
|
||||
// Helpers that use C++ overloading, templates, and specializations to deduce
|
||||
// and record type information from function arguments. This allows us to
|
||||
// later write a type-safe version of snprintf().
|
||||
|
||||
struct Arg {
|
||||
enum Type { INT, UINT, STRING, POINTER };
|
||||
|
||||
// Any integer-like value.
|
||||
Arg(signed char c) : type(INT) {
|
||||
integer.i = c;
|
||||
integer.width = sizeof(char);
|
||||
}
|
||||
Arg(unsigned char c) : type(UINT) {
|
||||
integer.i = c;
|
||||
integer.width = sizeof(char);
|
||||
}
|
||||
Arg(signed short j) : type(INT) {
|
||||
integer.i = j;
|
||||
integer.width = sizeof(short);
|
||||
}
|
||||
Arg(unsigned short j) : type(UINT) {
|
||||
integer.i = j;
|
||||
integer.width = sizeof(short);
|
||||
}
|
||||
Arg(signed int j) : type(INT) {
|
||||
integer.i = j;
|
||||
integer.width = sizeof(int);
|
||||
}
|
||||
Arg(unsigned int j) : type(UINT) {
|
||||
integer.i = j;
|
||||
integer.width = sizeof(int);
|
||||
}
|
||||
Arg(signed long j) : type(INT) {
|
||||
integer.i = j;
|
||||
integer.width = sizeof(long);
|
||||
}
|
||||
Arg(unsigned long j) : type(UINT) {
|
||||
integer.i = j;
|
||||
integer.width = sizeof(long);
|
||||
}
|
||||
Arg(signed long long j) : type(INT) {
|
||||
integer.i = j;
|
||||
integer.width = sizeof(long long);
|
||||
}
|
||||
Arg(unsigned long long j) : type(UINT) {
|
||||
integer.i = j;
|
||||
integer.width = sizeof(long long);
|
||||
}
|
||||
|
||||
// A C-style text string.
|
||||
Arg(const char* s) : str(s), type(STRING) { }
|
||||
Arg(char* s) : str(s), type(STRING) { }
|
||||
|
||||
// Any pointer value that can be cast to a "void*".
|
||||
template<class T> Arg(T* p) : ptr((void*)p), type(POINTER) { }
|
||||
|
||||
union {
|
||||
// An integer-like value.
|
||||
struct {
|
||||
int64_t i;
|
||||
unsigned char width;
|
||||
} integer;
|
||||
|
||||
// A C-style text string.
|
||||
const char* str;
|
||||
|
||||
// A pointer to an arbitrary object.
|
||||
const void* ptr;
|
||||
};
|
||||
const enum Type type;
|
||||
};
|
||||
|
||||
// This is the internal function that performs the actual formatting of
|
||||
// an snprintf()-style format string.
|
||||
BASE_EXPORT ssize_t SafeSNPrintf(char* buf, size_t sz, const char* fmt,
|
||||
const Arg* args, size_t max_args);
|
||||
|
||||
#if !defined(NDEBUG)
|
||||
// In debug builds, allow unit tests to artificially lower the kSSizeMax
|
||||
// constant that is used as a hard upper-bound for all buffers. In normal
|
||||
// use, this constant should always be std::numeric_limits<ssize_t>::max().
|
||||
BASE_EXPORT void SetSafeSPrintfSSizeMaxForTest(size_t max);
|
||||
BASE_EXPORT size_t GetSafeSPrintfSSizeMaxForTest();
|
||||
#endif
|
||||
|
||||
} // namespace internal
|
||||
|
||||
template<typename... Args>
|
||||
ssize_t SafeSNPrintf(char* buf, size_t N, const char* fmt, Args... args) {
|
||||
// Use Arg() object to record type information and then copy arguments to an
|
||||
// array to make it easier to iterate over them.
|
||||
const internal::Arg arg_array[] = { args... };
|
||||
return internal::SafeSNPrintf(buf, N, fmt, arg_array, sizeof...(args));
|
||||
}
|
||||
|
||||
template<size_t N, typename... Args>
|
||||
ssize_t SafeSPrintf(char (&buf)[N], const char* fmt, Args... args) {
|
||||
// Use Arg() object to record type information and then copy arguments to an
|
||||
// array to make it easier to iterate over them.
|
||||
const internal::Arg arg_array[] = { args... };
|
||||
return internal::SafeSNPrintf(buf, N, fmt, arg_array, sizeof...(args));
|
||||
}
|
||||
|
||||
// Fast-path when we don't actually need to substitute any arguments.
|
||||
BASE_EXPORT ssize_t SafeSNPrintf(char* buf, size_t N, const char* fmt);
|
||||
template<size_t N>
|
||||
inline ssize_t SafeSPrintf(char (&buf)[N], const char* fmt) {
|
||||
return SafeSNPrintf(buf, N, fmt);
|
||||
}
|
||||
|
||||
} // namespace strings
|
||||
} // namespace base
|
||||
|
||||
#endif // BASE_STRINGS_SAFE_SPRINTF_H_
|
759
security/sandbox/chromium/base/strings/safe_sprintf_unittest.cc
Normal file
759
security/sandbox/chromium/base/strings/safe_sprintf_unittest.cc
Normal file
@ -0,0 +1,759 @@
|
||||
// Copyright 2013 The Chromium Authors. All rights reserved.
|
||||
// Use of this source code is governed by a BSD-style license that can be
|
||||
// found in the LICENSE file.
|
||||
|
||||
#include "base/strings/safe_sprintf.h"
|
||||
|
||||
#include <stdio.h>
|
||||
#include <string.h>
|
||||
|
||||
#include <limits>
|
||||
|
||||
#include "base/logging.h"
|
||||
#include "base/memory/scoped_ptr.h"
|
||||
#include "testing/gtest/include/gtest/gtest.h"
|
||||
|
||||
// Death tests on Android are currently very flaky. No need to add more flaky
|
||||
// tests, as they just make it hard to spot real problems.
|
||||
// TODO(markus): See if the restrictions on Android can eventually be lifted.
|
||||
#if defined(GTEST_HAS_DEATH_TEST) && !defined(OS_ANDROID)
|
||||
#define ALLOW_DEATH_TEST
|
||||
#endif
|
||||
|
||||
namespace base {
|
||||
namespace strings {
|
||||
|
||||
TEST(SafeSPrintfTest, Empty) {
|
||||
char buf[2] = { 'X', 'X' };
|
||||
|
||||
// Negative buffer size should always result in an error.
|
||||
EXPECT_EQ(-1, SafeSNPrintf(buf, static_cast<size_t>(-1), ""));
|
||||
EXPECT_EQ('X', buf[0]);
|
||||
EXPECT_EQ('X', buf[1]);
|
||||
|
||||
// Zero buffer size should always result in an error.
|
||||
EXPECT_EQ(-1, SafeSNPrintf(buf, 0, ""));
|
||||
EXPECT_EQ('X', buf[0]);
|
||||
EXPECT_EQ('X', buf[1]);
|
||||
|
||||
// A one-byte buffer should always print a single NUL byte.
|
||||
EXPECT_EQ(0, SafeSNPrintf(buf, 1, ""));
|
||||
EXPECT_EQ(0, buf[0]);
|
||||
EXPECT_EQ('X', buf[1]);
|
||||
buf[0] = 'X';
|
||||
|
||||
// A larger buffer should leave the trailing bytes unchanged.
|
||||
EXPECT_EQ(0, SafeSNPrintf(buf, 2, ""));
|
||||
EXPECT_EQ(0, buf[0]);
|
||||
EXPECT_EQ('X', buf[1]);
|
||||
buf[0] = 'X';
|
||||
|
||||
// The same test using SafeSPrintf() instead of SafeSNPrintf().
|
||||
EXPECT_EQ(0, SafeSPrintf(buf, ""));
|
||||
EXPECT_EQ(0, buf[0]);
|
||||
EXPECT_EQ('X', buf[1]);
|
||||
buf[0] = 'X';
|
||||
}
|
||||
|
||||
TEST(SafeSPrintfTest, NoArguments) {
|
||||
// Output a text message that doesn't require any substitutions. This
|
||||
// is roughly equivalent to calling strncpy() (but unlike strncpy(), it does
|
||||
// always add a trailing NUL; it always deduplicates '%' characters).
|
||||
static const char text[] = "hello world";
|
||||
char ref[20], buf[20];
|
||||
memset(ref, 'X', sizeof(char) * arraysize(buf));
|
||||
memcpy(buf, ref, sizeof(buf));
|
||||
|
||||
// A negative buffer size should always result in an error.
|
||||
EXPECT_EQ(-1, SafeSNPrintf(buf, static_cast<size_t>(-1), text));
|
||||
EXPECT_TRUE(!memcmp(buf, ref, sizeof(buf)));
|
||||
|
||||
// Zero buffer size should always result in an error.
|
||||
EXPECT_EQ(-1, SafeSNPrintf(buf, 0, text));
|
||||
EXPECT_TRUE(!memcmp(buf, ref, sizeof(buf)));
|
||||
|
||||
// A one-byte buffer should always print a single NUL byte.
|
||||
EXPECT_EQ(static_cast<ssize_t>(sizeof(text))-1, SafeSNPrintf(buf, 1, text));
|
||||
EXPECT_EQ(0, buf[0]);
|
||||
EXPECT_TRUE(!memcmp(buf+1, ref+1, sizeof(buf)-1));
|
||||
memcpy(buf, ref, sizeof(buf));
|
||||
|
||||
// A larger (but limited) buffer should always leave the trailing bytes
|
||||
// unchanged.
|
||||
EXPECT_EQ(static_cast<ssize_t>(sizeof(text))-1, SafeSNPrintf(buf, 2, text));
|
||||
EXPECT_EQ(text[0], buf[0]);
|
||||
EXPECT_EQ(0, buf[1]);
|
||||
EXPECT_TRUE(!memcmp(buf+2, ref+2, sizeof(buf)-2));
|
||||
memcpy(buf, ref, sizeof(buf));
|
||||
|
||||
// A unrestricted buffer length should always leave the trailing bytes
|
||||
// unchanged.
|
||||
EXPECT_EQ(static_cast<ssize_t>(sizeof(text))-1,
|
||||
SafeSNPrintf(buf, sizeof(buf), text));
|
||||
EXPECT_EQ(std::string(text), std::string(buf));
|
||||
EXPECT_TRUE(!memcmp(buf + sizeof(text), ref + sizeof(text),
|
||||
sizeof(buf) - sizeof(text)));
|
||||
memcpy(buf, ref, sizeof(buf));
|
||||
|
||||
// The same test using SafeSPrintf() instead of SafeSNPrintf().
|
||||
EXPECT_EQ(static_cast<ssize_t>(sizeof(text))-1, SafeSPrintf(buf, text));
|
||||
EXPECT_EQ(std::string(text), std::string(buf));
|
||||
EXPECT_TRUE(!memcmp(buf + sizeof(text), ref + sizeof(text),
|
||||
sizeof(buf) - sizeof(text)));
|
||||
memcpy(buf, ref, sizeof(buf));
|
||||
|
||||
// Check for deduplication of '%' percent characters.
|
||||
EXPECT_EQ(1, SafeSPrintf(buf, "%%"));
|
||||
EXPECT_EQ(2, SafeSPrintf(buf, "%%%%"));
|
||||
EXPECT_EQ(2, SafeSPrintf(buf, "%%X"));
|
||||
EXPECT_EQ(3, SafeSPrintf(buf, "%%%%X"));
|
||||
#if defined(NDEBUG)
|
||||
EXPECT_EQ(1, SafeSPrintf(buf, "%"));
|
||||
EXPECT_EQ(2, SafeSPrintf(buf, "%%%"));
|
||||
EXPECT_EQ(2, SafeSPrintf(buf, "%X"));
|
||||
EXPECT_EQ(3, SafeSPrintf(buf, "%%%X"));
|
||||
#elif defined(ALLOW_DEATH_TEST)
|
||||
EXPECT_DEATH(SafeSPrintf(buf, "%"), "src.1. == '%'");
|
||||
EXPECT_DEATH(SafeSPrintf(buf, "%%%"), "src.1. == '%'");
|
||||
EXPECT_DEATH(SafeSPrintf(buf, "%X"), "src.1. == '%'");
|
||||
EXPECT_DEATH(SafeSPrintf(buf, "%%%X"), "src.1. == '%'");
|
||||
#endif
|
||||
}
|
||||
|
||||
TEST(SafeSPrintfTest, OneArgument) {
|
||||
// Test basic single-argument single-character substitution.
|
||||
const char text[] = "hello world";
|
||||
const char fmt[] = "hello%cworld";
|
||||
char ref[20], buf[20];
|
||||
memset(ref, 'X', sizeof(buf));
|
||||
memcpy(buf, ref, sizeof(buf));
|
||||
|
||||
// A negative buffer size should always result in an error.
|
||||
EXPECT_EQ(-1, SafeSNPrintf(buf, static_cast<size_t>(-1), fmt, ' '));
|
||||
EXPECT_TRUE(!memcmp(buf, ref, sizeof(buf)));
|
||||
|
||||
// Zero buffer size should always result in an error.
|
||||
EXPECT_EQ(-1, SafeSNPrintf(buf, 0, fmt, ' '));
|
||||
EXPECT_TRUE(!memcmp(buf, ref, sizeof(buf)));
|
||||
|
||||
// A one-byte buffer should always print a single NUL byte.
|
||||
EXPECT_EQ(static_cast<ssize_t>(sizeof(text))-1,
|
||||
SafeSNPrintf(buf, 1, fmt, ' '));
|
||||
EXPECT_EQ(0, buf[0]);
|
||||
EXPECT_TRUE(!memcmp(buf+1, ref+1, sizeof(buf)-1));
|
||||
memcpy(buf, ref, sizeof(buf));
|
||||
|
||||
// A larger (but limited) buffer should always leave the trailing bytes
|
||||
// unchanged.
|
||||
EXPECT_EQ(static_cast<ssize_t>(sizeof(text))-1,
|
||||
SafeSNPrintf(buf, 2, fmt, ' '));
|
||||
EXPECT_EQ(text[0], buf[0]);
|
||||
EXPECT_EQ(0, buf[1]);
|
||||
EXPECT_TRUE(!memcmp(buf+2, ref+2, sizeof(buf)-2));
|
||||
memcpy(buf, ref, sizeof(buf));
|
||||
|
||||
// A unrestricted buffer length should always leave the trailing bytes
|
||||
// unchanged.
|
||||
EXPECT_EQ(static_cast<ssize_t>(sizeof(text))-1,
|
||||
SafeSNPrintf(buf, sizeof(buf), fmt, ' '));
|
||||
EXPECT_EQ(std::string(text), std::string(buf));
|
||||
EXPECT_TRUE(!memcmp(buf + sizeof(text), ref + sizeof(text),
|
||||
sizeof(buf) - sizeof(text)));
|
||||
memcpy(buf, ref, sizeof(buf));
|
||||
|
||||
// The same test using SafeSPrintf() instead of SafeSNPrintf().
|
||||
EXPECT_EQ(static_cast<ssize_t>(sizeof(text))-1, SafeSPrintf(buf, fmt, ' '));
|
||||
EXPECT_EQ(std::string(text), std::string(buf));
|
||||
EXPECT_TRUE(!memcmp(buf + sizeof(text), ref + sizeof(text),
|
||||
sizeof(buf) - sizeof(text)));
|
||||
memcpy(buf, ref, sizeof(buf));
|
||||
|
||||
// Check for deduplication of '%' percent characters.
|
||||
EXPECT_EQ(1, SafeSPrintf(buf, "%%", 0));
|
||||
EXPECT_EQ(2, SafeSPrintf(buf, "%%%%", 0));
|
||||
EXPECT_EQ(2, SafeSPrintf(buf, "%Y", 0));
|
||||
EXPECT_EQ(2, SafeSPrintf(buf, "%%Y", 0));
|
||||
EXPECT_EQ(3, SafeSPrintf(buf, "%%%Y", 0));
|
||||
EXPECT_EQ(3, SafeSPrintf(buf, "%%%%Y", 0));
|
||||
#if defined(NDEBUG)
|
||||
EXPECT_EQ(1, SafeSPrintf(buf, "%", 0));
|
||||
EXPECT_EQ(2, SafeSPrintf(buf, "%%%", 0));
|
||||
#elif defined(ALLOW_DEATH_TEST)
|
||||
EXPECT_DEATH(SafeSPrintf(buf, "%", 0), "ch");
|
||||
EXPECT_DEATH(SafeSPrintf(buf, "%%%", 0), "ch");
|
||||
#endif
|
||||
}
|
||||
|
||||
TEST(SafeSPrintfTest, MissingArg) {
|
||||
#if defined(NDEBUG)
|
||||
char buf[20];
|
||||
EXPECT_EQ(3, SafeSPrintf(buf, "%c%c", 'A'));
|
||||
EXPECT_EQ("A%c", std::string(buf));
|
||||
#elif defined(ALLOW_DEATH_TEST)
|
||||
char buf[20];
|
||||
EXPECT_DEATH(SafeSPrintf(buf, "%c%c", 'A'), "cur_arg < max_args");
|
||||
#endif
|
||||
}
|
||||
|
||||
TEST(SafeSPrintfTest, ASANFriendlyBufferTest) {
|
||||
// Print into a buffer that is sized exactly to size. ASAN can verify that
|
||||
// nobody attempts to write past the end of the buffer.
|
||||
// There is a more complicated test in PrintLongString() that covers a lot
|
||||
// more edge case, but it is also harder to debug in case of a failure.
|
||||
const char kTestString[] = "This is a test";
|
||||
scoped_ptr<char[]> buf(new char[sizeof(kTestString)]);
|
||||
EXPECT_EQ(static_cast<ssize_t>(sizeof(kTestString) - 1),
|
||||
SafeSNPrintf(buf.get(), sizeof(kTestString), kTestString));
|
||||
EXPECT_EQ(std::string(kTestString), std::string(buf.get()));
|
||||
EXPECT_EQ(static_cast<ssize_t>(sizeof(kTestString) - 1),
|
||||
SafeSNPrintf(buf.get(), sizeof(kTestString), "%s", kTestString));
|
||||
EXPECT_EQ(std::string(kTestString), std::string(buf.get()));
|
||||
}
|
||||
|
||||
TEST(SafeSPrintfTest, NArgs) {
|
||||
// Pre-C++11 compilers have a different code path, that can only print
|
||||
// up to ten distinct arguments.
|
||||
// We test both SafeSPrintf() and SafeSNPrintf(). This makes sure we don't
|
||||
// have typos in the copy-n-pasted code that is needed to deal with various
|
||||
// numbers of arguments.
|
||||
char buf[12];
|
||||
EXPECT_EQ(1, SafeSPrintf(buf, "%c", 1));
|
||||
EXPECT_EQ("\1", std::string(buf));
|
||||
EXPECT_EQ(2, SafeSPrintf(buf, "%c%c", 1, 2));
|
||||
EXPECT_EQ("\1\2", std::string(buf));
|
||||
EXPECT_EQ(3, SafeSPrintf(buf, "%c%c%c", 1, 2, 3));
|
||||
EXPECT_EQ("\1\2\3", std::string(buf));
|
||||
EXPECT_EQ(4, SafeSPrintf(buf, "%c%c%c%c", 1, 2, 3, 4));
|
||||
EXPECT_EQ("\1\2\3\4", std::string(buf));
|
||||
EXPECT_EQ(5, SafeSPrintf(buf, "%c%c%c%c%c", 1, 2, 3, 4, 5));
|
||||
EXPECT_EQ("\1\2\3\4\5", std::string(buf));
|
||||
EXPECT_EQ(6, SafeSPrintf(buf, "%c%c%c%c%c%c", 1, 2, 3, 4, 5, 6));
|
||||
EXPECT_EQ("\1\2\3\4\5\6", std::string(buf));
|
||||
EXPECT_EQ(7, SafeSPrintf(buf, "%c%c%c%c%c%c%c", 1, 2, 3, 4, 5, 6, 7));
|
||||
EXPECT_EQ("\1\2\3\4\5\6\7", std::string(buf));
|
||||
EXPECT_EQ(8, SafeSPrintf(buf, "%c%c%c%c%c%c%c%c", 1, 2, 3, 4, 5, 6, 7, 8));
|
||||
EXPECT_EQ("\1\2\3\4\5\6\7\10", std::string(buf));
|
||||
EXPECT_EQ(9, SafeSPrintf(buf, "%c%c%c%c%c%c%c%c%c",
|
||||
1, 2, 3, 4, 5, 6, 7, 8, 9));
|
||||
EXPECT_EQ("\1\2\3\4\5\6\7\10\11", std::string(buf));
|
||||
EXPECT_EQ(10, SafeSPrintf(buf, "%c%c%c%c%c%c%c%c%c%c",
|
||||
1, 2, 3, 4, 5, 6, 7, 8, 9, 10));
|
||||
|
||||
// Repeat all the tests with SafeSNPrintf() instead of SafeSPrintf().
|
||||
EXPECT_EQ("\1\2\3\4\5\6\7\10\11\12", std::string(buf));
|
||||
EXPECT_EQ(1, SafeSNPrintf(buf, 11, "%c", 1));
|
||||
EXPECT_EQ("\1", std::string(buf));
|
||||
EXPECT_EQ(2, SafeSNPrintf(buf, 11, "%c%c", 1, 2));
|
||||
EXPECT_EQ("\1\2", std::string(buf));
|
||||
EXPECT_EQ(3, SafeSNPrintf(buf, 11, "%c%c%c", 1, 2, 3));
|
||||
EXPECT_EQ("\1\2\3", std::string(buf));
|
||||
EXPECT_EQ(4, SafeSNPrintf(buf, 11, "%c%c%c%c", 1, 2, 3, 4));
|
||||
EXPECT_EQ("\1\2\3\4", std::string(buf));
|
||||
EXPECT_EQ(5, SafeSNPrintf(buf, 11, "%c%c%c%c%c", 1, 2, 3, 4, 5));
|
||||
EXPECT_EQ("\1\2\3\4\5", std::string(buf));
|
||||
EXPECT_EQ(6, SafeSNPrintf(buf, 11, "%c%c%c%c%c%c", 1, 2, 3, 4, 5, 6));
|
||||
EXPECT_EQ("\1\2\3\4\5\6", std::string(buf));
|
||||
EXPECT_EQ(7, SafeSNPrintf(buf, 11, "%c%c%c%c%c%c%c", 1, 2, 3, 4, 5, 6, 7));
|
||||
EXPECT_EQ("\1\2\3\4\5\6\7", std::string(buf));
|
||||
EXPECT_EQ(8, SafeSNPrintf(buf, 11, "%c%c%c%c%c%c%c%c",
|
||||
1, 2, 3, 4, 5, 6, 7, 8));
|
||||
EXPECT_EQ("\1\2\3\4\5\6\7\10", std::string(buf));
|
||||
EXPECT_EQ(9, SafeSNPrintf(buf, 11, "%c%c%c%c%c%c%c%c%c",
|
||||
1, 2, 3, 4, 5, 6, 7, 8, 9));
|
||||
EXPECT_EQ("\1\2\3\4\5\6\7\10\11", std::string(buf));
|
||||
EXPECT_EQ(10, SafeSNPrintf(buf, 11, "%c%c%c%c%c%c%c%c%c%c",
|
||||
1, 2, 3, 4, 5, 6, 7, 8, 9, 10));
|
||||
EXPECT_EQ("\1\2\3\4\5\6\7\10\11\12", std::string(buf));
|
||||
|
||||
EXPECT_EQ(11, SafeSPrintf(buf, "%c%c%c%c%c%c%c%c%c%c%c",
|
||||
1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11));
|
||||
EXPECT_EQ("\1\2\3\4\5\6\7\10\11\12\13", std::string(buf));
|
||||
EXPECT_EQ(11, SafeSNPrintf(buf, 12, "%c%c%c%c%c%c%c%c%c%c%c",
|
||||
1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11));
|
||||
EXPECT_EQ("\1\2\3\4\5\6\7\10\11\12\13", std::string(buf));
|
||||
}
|
||||
|
||||
TEST(SafeSPrintfTest, DataTypes) {
|
||||
char buf[40];
|
||||
|
||||
// Bytes
|
||||
EXPECT_EQ(1, SafeSPrintf(buf, "%d", (uint8_t)1));
|
||||
EXPECT_EQ("1", std::string(buf));
|
||||
EXPECT_EQ(3, SafeSPrintf(buf, "%d", (uint8_t)-1));
|
||||
EXPECT_EQ("255", std::string(buf));
|
||||
EXPECT_EQ(1, SafeSPrintf(buf, "%d", (int8_t)1));
|
||||
EXPECT_EQ("1", std::string(buf));
|
||||
EXPECT_EQ(2, SafeSPrintf(buf, "%d", (int8_t)-1));
|
||||
EXPECT_EQ("-1", std::string(buf));
|
||||
EXPECT_EQ(4, SafeSPrintf(buf, "%d", (int8_t)-128));
|
||||
EXPECT_EQ("-128", std::string(buf));
|
||||
|
||||
// Half-words
|
||||
EXPECT_EQ(1, SafeSPrintf(buf, "%d", (uint16_t)1));
|
||||
EXPECT_EQ("1", std::string(buf));
|
||||
EXPECT_EQ(5, SafeSPrintf(buf, "%d", (uint16_t)-1));
|
||||
EXPECT_EQ("65535", std::string(buf));
|
||||
EXPECT_EQ(1, SafeSPrintf(buf, "%d", (int16_t)1));
|
||||
EXPECT_EQ("1", std::string(buf));
|
||||
EXPECT_EQ(2, SafeSPrintf(buf, "%d", (int16_t)-1));
|
||||
EXPECT_EQ("-1", std::string(buf));
|
||||
EXPECT_EQ(6, SafeSPrintf(buf, "%d", (int16_t)-32768));
|
||||
EXPECT_EQ("-32768", std::string(buf));
|
||||
|
||||
// Words
|
||||
EXPECT_EQ(1, SafeSPrintf(buf, "%d", (uint32_t)1));
|
||||
EXPECT_EQ("1", std::string(buf));
|
||||
EXPECT_EQ(10, SafeSPrintf(buf, "%d", (uint32_t)-1));
|
||||
EXPECT_EQ("4294967295", std::string(buf));
|
||||
EXPECT_EQ(1, SafeSPrintf(buf, "%d", (int32_t)1));
|
||||
EXPECT_EQ("1", std::string(buf));
|
||||
EXPECT_EQ(2, SafeSPrintf(buf, "%d", (int32_t)-1));
|
||||
EXPECT_EQ("-1", std::string(buf));
|
||||
// Work-around for an limitation of C90
|
||||
EXPECT_EQ(11, SafeSPrintf(buf, "%d", (int32_t)-2147483647-1));
|
||||
EXPECT_EQ("-2147483648", std::string(buf));
|
||||
|
||||
// Quads
|
||||
EXPECT_EQ(1, SafeSPrintf(buf, "%d", (uint64_t)1));
|
||||
EXPECT_EQ("1", std::string(buf));
|
||||
EXPECT_EQ(20, SafeSPrintf(buf, "%d", (uint64_t)-1));
|
||||
EXPECT_EQ("18446744073709551615", std::string(buf));
|
||||
EXPECT_EQ(1, SafeSPrintf(buf, "%d", (int64_t)1));
|
||||
EXPECT_EQ("1", std::string(buf));
|
||||
EXPECT_EQ(2, SafeSPrintf(buf, "%d", (int64_t)-1));
|
||||
EXPECT_EQ("-1", std::string(buf));
|
||||
// Work-around for an limitation of C90
|
||||
EXPECT_EQ(20, SafeSPrintf(buf, "%d", (int64_t)-9223372036854775807LL-1));
|
||||
EXPECT_EQ("-9223372036854775808", std::string(buf));
|
||||
|
||||
// Strings (both const and mutable).
|
||||
EXPECT_EQ(4, SafeSPrintf(buf, "test"));
|
||||
EXPECT_EQ("test", std::string(buf));
|
||||
EXPECT_EQ(4, SafeSPrintf(buf, buf));
|
||||
EXPECT_EQ("test", std::string(buf));
|
||||
|
||||
// Pointer
|
||||
char addr[20];
|
||||
sprintf(addr, "0x%llX", (unsigned long long)(uintptr_t)buf);
|
||||
SafeSPrintf(buf, "%p", buf);
|
||||
EXPECT_EQ(std::string(addr), std::string(buf));
|
||||
SafeSPrintf(buf, "%p", (const char *)buf);
|
||||
EXPECT_EQ(std::string(addr), std::string(buf));
|
||||
sprintf(addr, "0x%llX", (unsigned long long)(uintptr_t)sprintf);
|
||||
SafeSPrintf(buf, "%p", sprintf);
|
||||
EXPECT_EQ(std::string(addr), std::string(buf));
|
||||
|
||||
// Padding for pointers is a little more complicated because of the "0x"
|
||||
// prefix. Padding with '0' zeros is relatively straight-forward, but
|
||||
// padding with ' ' spaces requires more effort.
|
||||
sprintf(addr, "0x%017llX", (unsigned long long)(uintptr_t)buf);
|
||||
SafeSPrintf(buf, "%019p", buf);
|
||||
EXPECT_EQ(std::string(addr), std::string(buf));
|
||||
sprintf(addr, "0x%llX", (unsigned long long)(uintptr_t)buf);
|
||||
memset(addr, ' ',
|
||||
(char*)memmove(addr + sizeof(addr) - strlen(addr) - 1,
|
||||
addr, strlen(addr)+1) - addr);
|
||||
SafeSPrintf(buf, "%19p", buf);
|
||||
EXPECT_EQ(std::string(addr), std::string(buf));
|
||||
}
|
||||
|
||||
namespace {
|
||||
void PrintLongString(char* buf, size_t sz) {
|
||||
// Output a reasonably complex expression into a limited-size buffer.
|
||||
// At least one byte is available for writing the NUL character.
|
||||
CHECK_GT(sz, static_cast<size_t>(0));
|
||||
|
||||
// Allocate slightly more space, so that we can verify that SafeSPrintf()
|
||||
// never writes past the end of the buffer.
|
||||
scoped_ptr<char[]> tmp(new char[sz+2]);
|
||||
memset(tmp.get(), 'X', sz+2);
|
||||
|
||||
// Use SafeSPrintf() to output a complex list of arguments:
|
||||
// - test padding and truncating %c single characters.
|
||||
// - test truncating %s simple strings.
|
||||
// - test mismatching arguments and truncating (for %d != %s).
|
||||
// - test zero-padding and truncating %x hexadecimal numbers.
|
||||
// - test outputting and truncating %d MININT.
|
||||
// - test outputting and truncating %p arbitrary pointer values.
|
||||
// - test outputting, padding and truncating NULL-pointer %s strings.
|
||||
char* out = tmp.get();
|
||||
size_t out_sz = sz;
|
||||
size_t len;
|
||||
for (scoped_ptr<char[]> perfect_buf;;) {
|
||||
size_t needed = SafeSNPrintf(out, out_sz,
|
||||
#if defined(NDEBUG)
|
||||
"A%2cong %s: %d %010X %d %p%7s", 'l', "string", "",
|
||||
#else
|
||||
"A%2cong %s: %%d %010X %d %p%7s", 'l', "string",
|
||||
#endif
|
||||
0xDEADBEEF, std::numeric_limits<intptr_t>::min(),
|
||||
PrintLongString, static_cast<char*>(NULL)) + 1;
|
||||
|
||||
// Various sanity checks:
|
||||
// The numbered of characters needed to print the full string should always
|
||||
// be bigger or equal to the bytes that have actually been output.
|
||||
len = strlen(tmp.get());
|
||||
CHECK_GE(needed, len+1);
|
||||
|
||||
// The number of characters output should always fit into the buffer that
|
||||
// was passed into SafeSPrintf().
|
||||
CHECK_LT(len, out_sz);
|
||||
|
||||
// The output is always terminated with a NUL byte (actually, this test is
|
||||
// always going to pass, as strlen() already verified this)
|
||||
EXPECT_FALSE(tmp[len]);
|
||||
|
||||
// ASAN can check that we are not overwriting buffers, iff we make sure the
|
||||
// buffer is exactly the size that we are expecting to be written. After
|
||||
// running SafeSNPrintf() the first time, it is possible to compute the
|
||||
// correct buffer size for this test. So, allocate a second buffer and run
|
||||
// the exact same SafeSNPrintf() command again.
|
||||
if (!perfect_buf.get()) {
|
||||
out_sz = std::min(needed, sz);
|
||||
out = new char[out_sz];
|
||||
perfect_buf.reset(out);
|
||||
} else {
|
||||
break;
|
||||
}
|
||||
}
|
||||
|
||||
// All trailing bytes are unchanged.
|
||||
for (size_t i = len+1; i < sz+2; ++i)
|
||||
EXPECT_EQ('X', tmp[i]);
|
||||
|
||||
// The text that was generated by SafeSPrintf() should always match the
|
||||
// equivalent text generated by sprintf(). Please note that the format
|
||||
// string for sprintf() is not complicated, as it does not have the
|
||||
// benefit of getting type information from the C++ compiler.
|
||||
//
|
||||
// N.B.: It would be so much cleaner to use snprintf(). But unfortunately,
|
||||
// Visual Studio doesn't support this function, and the work-arounds
|
||||
// are all really awkward.
|
||||
char ref[256];
|
||||
CHECK_LE(sz, sizeof(ref));
|
||||
sprintf(ref, "A long string: %%d 00DEADBEEF %lld 0x%llX <NULL>",
|
||||
static_cast<long long>(std::numeric_limits<intptr_t>::min()),
|
||||
static_cast<unsigned long long>(
|
||||
reinterpret_cast<uintptr_t>(PrintLongString)));
|
||||
ref[sz-1] = '\000';
|
||||
|
||||
#if defined(NDEBUG)
|
||||
const size_t kSSizeMax = std::numeric_limits<ssize_t>::max();
|
||||
#else
|
||||
const size_t kSSizeMax = internal::GetSafeSPrintfSSizeMaxForTest();
|
||||
#endif
|
||||
|
||||
// Compare the output from SafeSPrintf() to the one from sprintf().
|
||||
EXPECT_EQ(std::string(ref).substr(0, kSSizeMax-1), std::string(tmp.get()));
|
||||
|
||||
// We allocated a slightly larger buffer, so that we could perform some
|
||||
// extra sanity checks. Now that the tests have all passed, we copy the
|
||||
// data to the output buffer that the caller provided.
|
||||
memcpy(buf, tmp.get(), len+1);
|
||||
}
|
||||
|
||||
#if !defined(NDEBUG)
|
||||
class ScopedSafeSPrintfSSizeMaxSetter {
|
||||
public:
|
||||
ScopedSafeSPrintfSSizeMaxSetter(size_t sz) {
|
||||
old_ssize_max_ = internal::GetSafeSPrintfSSizeMaxForTest();
|
||||
internal::SetSafeSPrintfSSizeMaxForTest(sz);
|
||||
}
|
||||
|
||||
~ScopedSafeSPrintfSSizeMaxSetter() {
|
||||
internal::SetSafeSPrintfSSizeMaxForTest(old_ssize_max_);
|
||||
}
|
||||
|
||||
private:
|
||||
size_t old_ssize_max_;
|
||||
|
||||
DISALLOW_COPY_AND_ASSIGN(ScopedSafeSPrintfSSizeMaxSetter);
|
||||
};
|
||||
#endif
|
||||
|
||||
} // anonymous namespace
|
||||
|
||||
TEST(SafeSPrintfTest, Truncation) {
|
||||
// We use PrintLongString() to print a complex long string and then
|
||||
// truncate to all possible lengths. This ends up exercising a lot of
|
||||
// different code paths in SafeSPrintf() and IToASCII(), as truncation can
|
||||
// happen in a lot of different states.
|
||||
char ref[256];
|
||||
PrintLongString(ref, sizeof(ref));
|
||||
for (size_t i = strlen(ref)+1; i; --i) {
|
||||
char buf[sizeof(ref)];
|
||||
PrintLongString(buf, i);
|
||||
EXPECT_EQ(std::string(ref, i - 1), std::string(buf));
|
||||
}
|
||||
|
||||
// When compiling in debug mode, we have the ability to fake a small
|
||||
// upper limit for the maximum value that can be stored in an ssize_t.
|
||||
// SafeSPrintf() uses this upper limit to determine how many bytes it will
|
||||
// write to the buffer, even if the caller claimed a bigger buffer size.
|
||||
// Repeat the truncation test and verify that this other code path in
|
||||
// SafeSPrintf() works correctly, too.
|
||||
#if !defined(NDEBUG)
|
||||
for (size_t i = strlen(ref)+1; i > 1; --i) {
|
||||
ScopedSafeSPrintfSSizeMaxSetter ssize_max_setter(i);
|
||||
char buf[sizeof(ref)];
|
||||
PrintLongString(buf, sizeof(buf));
|
||||
EXPECT_EQ(std::string(ref, i - 1), std::string(buf));
|
||||
}
|
||||
|
||||
// kSSizeMax is also used to constrain the maximum amount of padding, before
|
||||
// SafeSPrintf() detects an error in the format string.
|
||||
ScopedSafeSPrintfSSizeMaxSetter ssize_max_setter(100);
|
||||
char buf[256];
|
||||
EXPECT_EQ(99, SafeSPrintf(buf, "%99c", ' '));
|
||||
EXPECT_EQ(std::string(99, ' '), std::string(buf));
|
||||
*buf = '\000';
|
||||
#if defined(ALLOW_DEATH_TEST)
|
||||
EXPECT_DEATH(SafeSPrintf(buf, "%100c", ' '), "padding <= max_padding");
|
||||
#endif
|
||||
EXPECT_EQ(0, *buf);
|
||||
#endif
|
||||
}
|
||||
|
||||
TEST(SafeSPrintfTest, Padding) {
|
||||
char buf[40], fmt[40];
|
||||
|
||||
// Chars %c
|
||||
EXPECT_EQ(1, SafeSPrintf(buf, "%c", 'A'));
|
||||
EXPECT_EQ("A", std::string(buf));
|
||||
EXPECT_EQ(2, SafeSPrintf(buf, "%2c", 'A'));
|
||||
EXPECT_EQ(" A", std::string(buf));
|
||||
EXPECT_EQ(2, SafeSPrintf(buf, "%02c", 'A'));
|
||||
EXPECT_EQ(" A", std::string(buf));
|
||||
EXPECT_EQ(4, SafeSPrintf(buf, "%-2c", 'A'));
|
||||
EXPECT_EQ("%-2c", std::string(buf));
|
||||
SafeSPrintf(fmt, "%%%dc", std::numeric_limits<ssize_t>::max() - 1);
|
||||
EXPECT_EQ(std::numeric_limits<ssize_t>::max()-1, SafeSPrintf(buf, fmt, 'A'));
|
||||
SafeSPrintf(fmt, "%%%dc",
|
||||
static_cast<size_t>(std::numeric_limits<ssize_t>::max()));
|
||||
#if defined(NDEBUG)
|
||||
EXPECT_EQ(2, SafeSPrintf(buf, fmt, 'A'));
|
||||
EXPECT_EQ("%c", std::string(buf));
|
||||
#elif defined(ALLOW_DEATH_TEST)
|
||||
EXPECT_DEATH(SafeSPrintf(buf, fmt, 'A'), "padding <= max_padding");
|
||||
#endif
|
||||
|
||||
// Octal %o
|
||||
EXPECT_EQ(1, SafeSPrintf(buf, "%o", 1));
|
||||
EXPECT_EQ("1", std::string(buf));
|
||||
EXPECT_EQ(2, SafeSPrintf(buf, "%2o", 1));
|
||||
EXPECT_EQ(" 1", std::string(buf));
|
||||
EXPECT_EQ(2, SafeSPrintf(buf, "%02o", 1));
|
||||
EXPECT_EQ("01", std::string(buf));
|
||||
EXPECT_EQ(12, SafeSPrintf(buf, "%12o", -1));
|
||||
EXPECT_EQ(" 37777777777", std::string(buf));
|
||||
EXPECT_EQ(12, SafeSPrintf(buf, "%012o", -1));
|
||||
EXPECT_EQ("037777777777", std::string(buf));
|
||||
EXPECT_EQ(23, SafeSPrintf(buf, "%23o", -1LL));
|
||||
EXPECT_EQ(" 1777777777777777777777", std::string(buf));
|
||||
EXPECT_EQ(23, SafeSPrintf(buf, "%023o", -1LL));
|
||||
EXPECT_EQ("01777777777777777777777", std::string(buf));
|
||||
EXPECT_EQ(3, SafeSPrintf(buf, "%2o", 0111));
|
||||
EXPECT_EQ("111", std::string(buf));
|
||||
EXPECT_EQ(4, SafeSPrintf(buf, "%-2o", 1));
|
||||
EXPECT_EQ("%-2o", std::string(buf));
|
||||
SafeSPrintf(fmt, "%%%do", std::numeric_limits<ssize_t>::max()-1);
|
||||
EXPECT_EQ(std::numeric_limits<ssize_t>::max()-1,
|
||||
SafeSNPrintf(buf, 4, fmt, 1));
|
||||
EXPECT_EQ(" ", std::string(buf));
|
||||
SafeSPrintf(fmt, "%%0%do", std::numeric_limits<ssize_t>::max()-1);
|
||||
EXPECT_EQ(std::numeric_limits<ssize_t>::max()-1,
|
||||
SafeSNPrintf(buf, 4, fmt, 1));
|
||||
EXPECT_EQ("000", std::string(buf));
|
||||
SafeSPrintf(fmt, "%%%do",
|
||||
static_cast<size_t>(std::numeric_limits<ssize_t>::max()));
|
||||
#if defined(NDEBUG)
|
||||
EXPECT_EQ(2, SafeSPrintf(buf, fmt, 1));
|
||||
EXPECT_EQ("%o", std::string(buf));
|
||||
#elif defined(ALLOW_DEATH_TEST)
|
||||
EXPECT_DEATH(SafeSPrintf(buf, fmt, 1), "padding <= max_padding");
|
||||
#endif
|
||||
|
||||
// Decimals %d
|
||||
EXPECT_EQ(1, SafeSPrintf(buf, "%d", 1));
|
||||
EXPECT_EQ("1", std::string(buf));
|
||||
EXPECT_EQ(2, SafeSPrintf(buf, "%2d", 1));
|
||||
EXPECT_EQ(" 1", std::string(buf));
|
||||
EXPECT_EQ(2, SafeSPrintf(buf, "%02d", 1));
|
||||
EXPECT_EQ("01", std::string(buf));
|
||||
EXPECT_EQ(3, SafeSPrintf(buf, "%3d", -1));
|
||||
EXPECT_EQ(" -1", std::string(buf));
|
||||
EXPECT_EQ(3, SafeSPrintf(buf, "%03d", -1));
|
||||
EXPECT_EQ("-01", std::string(buf));
|
||||
EXPECT_EQ(3, SafeSPrintf(buf, "%2d", 111));
|
||||
EXPECT_EQ("111", std::string(buf));
|
||||
EXPECT_EQ(4, SafeSPrintf(buf, "%2d", -111));
|
||||
EXPECT_EQ("-111", std::string(buf));
|
||||
EXPECT_EQ(4, SafeSPrintf(buf, "%-2d", 1));
|
||||
EXPECT_EQ("%-2d", std::string(buf));
|
||||
SafeSPrintf(fmt, "%%%dd", std::numeric_limits<ssize_t>::max()-1);
|
||||
EXPECT_EQ(std::numeric_limits<ssize_t>::max()-1,
|
||||
SafeSNPrintf(buf, 4, fmt, 1));
|
||||
EXPECT_EQ(" ", std::string(buf));
|
||||
SafeSPrintf(fmt, "%%0%dd", std::numeric_limits<ssize_t>::max()-1);
|
||||
EXPECT_EQ(std::numeric_limits<ssize_t>::max()-1,
|
||||
SafeSNPrintf(buf, 4, fmt, 1));
|
||||
EXPECT_EQ("000", std::string(buf));
|
||||
SafeSPrintf(fmt, "%%%dd",
|
||||
static_cast<size_t>(std::numeric_limits<ssize_t>::max()));
|
||||
#if defined(NDEBUG)
|
||||
EXPECT_EQ(2, SafeSPrintf(buf, fmt, 1));
|
||||
EXPECT_EQ("%d", std::string(buf));
|
||||
#elif defined(ALLOW_DEATH_TEST)
|
||||
EXPECT_DEATH(SafeSPrintf(buf, fmt, 1), "padding <= max_padding");
|
||||
#endif
|
||||
|
||||
// Hex %X
|
||||
EXPECT_EQ(1, SafeSPrintf(buf, "%X", 1));
|
||||
EXPECT_EQ("1", std::string(buf));
|
||||
EXPECT_EQ(2, SafeSPrintf(buf, "%2X", 1));
|
||||
EXPECT_EQ(" 1", std::string(buf));
|
||||
EXPECT_EQ(2, SafeSPrintf(buf, "%02X", 1));
|
||||
EXPECT_EQ("01", std::string(buf));
|
||||
EXPECT_EQ(9, SafeSPrintf(buf, "%9X", -1));
|
||||
EXPECT_EQ(" FFFFFFFF", std::string(buf));
|
||||
EXPECT_EQ(9, SafeSPrintf(buf, "%09X", -1));
|
||||
EXPECT_EQ("0FFFFFFFF", std::string(buf));
|
||||
EXPECT_EQ(17, SafeSPrintf(buf, "%17X", -1LL));
|
||||
EXPECT_EQ(" FFFFFFFFFFFFFFFF", std::string(buf));
|
||||
EXPECT_EQ(17, SafeSPrintf(buf, "%017X", -1LL));
|
||||
EXPECT_EQ("0FFFFFFFFFFFFFFFF", std::string(buf));
|
||||
EXPECT_EQ(3, SafeSPrintf(buf, "%2X", 0x111));
|
||||
EXPECT_EQ("111", std::string(buf));
|
||||
EXPECT_EQ(4, SafeSPrintf(buf, "%-2X", 1));
|
||||
EXPECT_EQ("%-2X", std::string(buf));
|
||||
SafeSPrintf(fmt, "%%%dX", std::numeric_limits<ssize_t>::max()-1);
|
||||
EXPECT_EQ(std::numeric_limits<ssize_t>::max()-1,
|
||||
SafeSNPrintf(buf, 4, fmt, 1));
|
||||
EXPECT_EQ(" ", std::string(buf));
|
||||
SafeSPrintf(fmt, "%%0%dX", std::numeric_limits<ssize_t>::max()-1);
|
||||
EXPECT_EQ(std::numeric_limits<ssize_t>::max()-1,
|
||||
SafeSNPrintf(buf, 4, fmt, 1));
|
||||
EXPECT_EQ("000", std::string(buf));
|
||||
SafeSPrintf(fmt, "%%%dX",
|
||||
static_cast<size_t>(std::numeric_limits<ssize_t>::max()));
|
||||
#if defined(NDEBUG)
|
||||
EXPECT_EQ(2, SafeSPrintf(buf, fmt, 1));
|
||||
EXPECT_EQ("%X", std::string(buf));
|
||||
#elif defined(ALLOW_DEATH_TEST)
|
||||
EXPECT_DEATH(SafeSPrintf(buf, fmt, 1), "padding <= max_padding");
|
||||
#endif
|
||||
|
||||
// Pointer %p
|
||||
EXPECT_EQ(3, SafeSPrintf(buf, "%p", (void*)1));
|
||||
EXPECT_EQ("0x1", std::string(buf));
|
||||
EXPECT_EQ(4, SafeSPrintf(buf, "%4p", (void*)1));
|
||||
EXPECT_EQ(" 0x1", std::string(buf));
|
||||
EXPECT_EQ(4, SafeSPrintf(buf, "%04p", (void*)1));
|
||||
EXPECT_EQ("0x01", std::string(buf));
|
||||
EXPECT_EQ(5, SafeSPrintf(buf, "%4p", (void*)0x111));
|
||||
EXPECT_EQ("0x111", std::string(buf));
|
||||
EXPECT_EQ(4, SafeSPrintf(buf, "%-2p", (void*)1));
|
||||
EXPECT_EQ("%-2p", std::string(buf));
|
||||
SafeSPrintf(fmt, "%%%dp", std::numeric_limits<ssize_t>::max()-1);
|
||||
EXPECT_EQ(std::numeric_limits<ssize_t>::max()-1,
|
||||
SafeSNPrintf(buf, 4, fmt, (void*)1));
|
||||
EXPECT_EQ(" ", std::string(buf));
|
||||
SafeSPrintf(fmt, "%%0%dp", std::numeric_limits<ssize_t>::max()-1);
|
||||
EXPECT_EQ(std::numeric_limits<ssize_t>::max()-1,
|
||||
SafeSNPrintf(buf, 4, fmt, (void*)1));
|
||||
EXPECT_EQ("0x0", std::string(buf));
|
||||
SafeSPrintf(fmt, "%%%dp",
|
||||
static_cast<size_t>(std::numeric_limits<ssize_t>::max()));
|
||||
#if defined(NDEBUG)
|
||||
EXPECT_EQ(2, SafeSPrintf(buf, fmt, 1));
|
||||
EXPECT_EQ("%p", std::string(buf));
|
||||
#elif defined(ALLOW_DEATH_TEST)
|
||||
EXPECT_DEATH(SafeSPrintf(buf, fmt, 1), "padding <= max_padding");
|
||||
#endif
|
||||
|
||||
// String
|
||||
EXPECT_EQ(1, SafeSPrintf(buf, "%s", "A"));
|
||||
EXPECT_EQ("A", std::string(buf));
|
||||
EXPECT_EQ(2, SafeSPrintf(buf, "%2s", "A"));
|
||||
EXPECT_EQ(" A", std::string(buf));
|
||||
EXPECT_EQ(2, SafeSPrintf(buf, "%02s", "A"));
|
||||
EXPECT_EQ(" A", std::string(buf));
|
||||
EXPECT_EQ(3, SafeSPrintf(buf, "%2s", "AAA"));
|
||||
EXPECT_EQ("AAA", std::string(buf));
|
||||
EXPECT_EQ(4, SafeSPrintf(buf, "%-2s", "A"));
|
||||
EXPECT_EQ("%-2s", std::string(buf));
|
||||
SafeSPrintf(fmt, "%%%ds", std::numeric_limits<ssize_t>::max()-1);
|
||||
EXPECT_EQ(std::numeric_limits<ssize_t>::max()-1,
|
||||
SafeSNPrintf(buf, 4, fmt, "A"));
|
||||
EXPECT_EQ(" ", std::string(buf));
|
||||
SafeSPrintf(fmt, "%%0%ds", std::numeric_limits<ssize_t>::max()-1);
|
||||
EXPECT_EQ(std::numeric_limits<ssize_t>::max()-1,
|
||||
SafeSNPrintf(buf, 4, fmt, "A"));
|
||||
EXPECT_EQ(" ", std::string(buf));
|
||||
SafeSPrintf(fmt, "%%%ds",
|
||||
static_cast<size_t>(std::numeric_limits<ssize_t>::max()));
|
||||
#if defined(NDEBUG)
|
||||
EXPECT_EQ(2, SafeSPrintf(buf, fmt, "A"));
|
||||
EXPECT_EQ("%s", std::string(buf));
|
||||
#elif defined(ALLOW_DEATH_TEST)
|
||||
EXPECT_DEATH(SafeSPrintf(buf, fmt, "A"), "padding <= max_padding");
|
||||
#endif
|
||||
}
|
||||
|
||||
TEST(SafeSPrintfTest, EmbeddedNul) {
|
||||
char buf[] = { 'X', 'X', 'X', 'X' };
|
||||
EXPECT_EQ(2, SafeSPrintf(buf, "%3c", 0));
|
||||
EXPECT_EQ(' ', buf[0]);
|
||||
EXPECT_EQ(' ', buf[1]);
|
||||
EXPECT_EQ(0, buf[2]);
|
||||
EXPECT_EQ('X', buf[3]);
|
||||
|
||||
// Check handling of a NUL format character. N.B. this takes two different
|
||||
// code paths depending on whether we are actually passing arguments. If
|
||||
// we don't have any arguments, we are running in the fast-path code, that
|
||||
// looks (almost) like a strncpy().
|
||||
#if defined(NDEBUG)
|
||||
EXPECT_EQ(2, SafeSPrintf(buf, "%%%"));
|
||||
EXPECT_EQ("%%", std::string(buf));
|
||||
EXPECT_EQ(2, SafeSPrintf(buf, "%%%", 0));
|
||||
EXPECT_EQ("%%", std::string(buf));
|
||||
#elif defined(ALLOW_DEATH_TEST)
|
||||
EXPECT_DEATH(SafeSPrintf(buf, "%%%"), "src.1. == '%'");
|
||||
EXPECT_DEATH(SafeSPrintf(buf, "%%%", 0), "ch");
|
||||
#endif
|
||||
}
|
||||
|
||||
TEST(SafeSPrintfTest, EmitNULL) {
|
||||
char buf[40];
|
||||
#if defined(__GNUC__)
|
||||
#pragma GCC diagnostic push
|
||||
#pragma GCC diagnostic ignored "-Wconversion-null"
|
||||
#endif
|
||||
EXPECT_EQ(1, SafeSPrintf(buf, "%d", NULL));
|
||||
EXPECT_EQ("0", std::string(buf));
|
||||
EXPECT_EQ(3, SafeSPrintf(buf, "%p", NULL));
|
||||
EXPECT_EQ("0x0", std::string(buf));
|
||||
EXPECT_EQ(6, SafeSPrintf(buf, "%s", NULL));
|
||||
EXPECT_EQ("<NULL>", std::string(buf));
|
||||
#if defined(__GCC__)
|
||||
#pragma GCC diagnostic pop
|
||||
#endif
|
||||
}
|
||||
|
||||
TEST(SafeSPrintfTest, PointerSize) {
|
||||
// The internal data representation is a 64bit value, independent of the
|
||||
// native word size. We want to perform sign-extension for signed integers,
|
||||
// but we want to avoid doing so for pointer types. This could be a
|
||||
// problem on systems, where pointers are only 32bit. This tests verifies
|
||||
// that there is no such problem.
|
||||
char *str = reinterpret_cast<char *>(0x80000000u);
|
||||
void *ptr = str;
|
||||
char buf[40];
|
||||
EXPECT_EQ(10, SafeSPrintf(buf, "%p", str));
|
||||
EXPECT_EQ("0x80000000", std::string(buf));
|
||||
EXPECT_EQ(10, SafeSPrintf(buf, "%p", ptr));
|
||||
EXPECT_EQ("0x80000000", std::string(buf));
|
||||
}
|
||||
|
||||
} // namespace strings
|
||||
} // namespace base
|
Loading…
Reference in New Issue
Block a user