1 // Copyright 2013 The Chromium Authors
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 #ifdef UNSAFE_BUFFERS_BUILD
6 // TODO(crbug.com/40284755): Remove this and spanify to fix the errors.
7 #pragma allow_unsafe_buffers
8 #endif
9
10 #include "base/strings/safe_sprintf.h"
11
12 #include <errno.h>
13 #include <string.h>
14
15 #include <algorithm>
16 #include <limits>
17
18 #include "base/memory/raw_ptr.h"
19 #include "build/build_config.h"
20
21 #if !defined(NDEBUG)
22 // In debug builds, we use RAW_CHECK() to print useful error messages, if
23 // SafeSPrintf() is called with broken arguments.
24 // As our contract promises that SafeSPrintf() can be called from any
25 // restricted run-time context, it is not actually safe to call logging
26 // functions from it; and we only ever do so for debug builds and hope for the
27 // best. We should _never_ call any logging function other than RAW_CHECK(),
28 // and we should _never_ include any logging code that is active in production
29 // builds. Most notably, we should not include these logging functions in
30 // unofficial release builds, even though those builds would otherwise have
31 // DCHECKS() enabled.
32 // In other words; please do not remove the #ifdef around this #include.
33 // Instead, in production builds we opt for returning a degraded result,
34 // whenever an error is encountered.
35 // E.g. The broken function call
36 // SafeSPrintf("errno = %d (%x)", errno, strerror(errno))
37 // will print something like
38 // errno = 13, (%x)
39 // instead of
40 // errno = 13 (Access denied)
41 // In most of the anticipated use cases, that's probably the preferred
42 // behavior.
43 #include "base/check.h"
44 #define DEBUG_CHECK RAW_CHECK
45 #else
46 #define DEBUG_CHECK(x) do { if (x) { } } while (0)
47 #endif
48
49 namespace base {
50 namespace strings {
51
52 // The code in this file is extremely careful to be async-signal-safe.
53 //
54 // Most obviously, we avoid calling any code that could dynamically allocate
55 // memory. Doing so would almost certainly result in bugs and dead-locks.
56 // We also avoid calling any other STL functions that could have unintended
57 // side-effects involving memory allocation or access to other shared
58 // resources.
59 //
60 // But on top of that, we also avoid calling other library functions, as many
61 // of them have the side-effect of calling getenv() (in order to deal with
62 // localization) or accessing errno. The latter sounds benign, but there are
63 // several execution contexts where it isn't even possible to safely read let
64 // alone write errno.
65 //
66 // The stated design goal of the SafeSPrintf() function is that it can be
67 // called from any context that can safely call C or C++ code (i.e. anything
68 // that doesn't require assembly code).
69 //
70 // For a brief overview of some but not all of the issues with async-signal-
71 // safety, refer to:
72 // http://pubs.opengroup.org/onlinepubs/009695399/functions/xsh_chap02_04.html
73
74 namespace {
75 const size_t kSSizeMaxConst = ((size_t)(ssize_t)-1) >> 1;
76
77 const char kUpCaseHexDigits[] = "0123456789ABCDEF";
78 const char kDownCaseHexDigits[] = "0123456789abcdef";
79 }
80
81 #if defined(NDEBUG)
82 // We would like to define kSSizeMax as std::numeric_limits<ssize_t>::max(),
83 // but C++ doesn't allow us to do that for constants. Instead, we have to
84 // use careful casting and shifting. We later use a static_assert to
85 // verify that this worked correctly.
86 namespace {
87 const size_t kSSizeMax = kSSizeMaxConst;
88 }
89 #else // defined(NDEBUG)
90 // For efficiency, we really need kSSizeMax to be a constant. But for unit
91 // tests, it should be adjustable. This allows us to verify edge cases without
92 // having to fill the entire available address space. As a compromise, we make
93 // kSSizeMax adjustable in debug builds, and then only compile that particular
94 // part of the unit test in debug builds.
95 namespace {
96 static size_t kSSizeMax = kSSizeMaxConst;
97 }
98
99 namespace internal {
SetSafeSPrintfSSizeMaxForTest(size_t max)100 void SetSafeSPrintfSSizeMaxForTest(size_t max) {
101 kSSizeMax = max;
102 }
103
GetSafeSPrintfSSizeMaxForTest()104 size_t GetSafeSPrintfSSizeMaxForTest() {
105 return kSSizeMax;
106 }
107 }
108 #endif // defined(NDEBUG)
109
110 namespace {
111 class Buffer {
112 public:
113 // |buffer| is caller-allocated storage that SafeSPrintf() writes to. It
114 // has |size| bytes of writable storage. It is the caller's responsibility
115 // to ensure that the buffer is at least one byte in size, so that it fits
116 // the trailing NUL that will be added by the destructor. The buffer also
117 // must be smaller or equal to kSSizeMax in size.
Buffer(char * buffer,size_t size)118 Buffer(char* buffer, size_t size)
119 : buffer_(buffer),
120 size_(size - 1), // Account for trailing NUL byte
121 count_(0) {
122 // MSVS2013's standard library doesn't mark max() as constexpr yet. cl.exe
123 // supports static_cast but doesn't really implement constexpr yet so it doesn't
124 // complain, but clang does.
125 #if __cplusplus >= 201103 && !(defined(__clang__) && BUILDFLAG(IS_WIN))
126 static_assert(kSSizeMaxConst ==
127 static_cast<size_t>(std::numeric_limits<ssize_t>::max()),
128 "kSSizeMaxConst should be the max value of an ssize_t");
129 #endif
130 DEBUG_CHECK(size > 0);
131 DEBUG_CHECK(size <= kSSizeMax);
132 }
133
134 Buffer(const Buffer&) = delete;
135 Buffer& operator=(const Buffer&) = delete;
136
~Buffer()137 ~Buffer() {
138 // The code calling the constructor guaranteed that there was enough space
139 // to store a trailing NUL -- and in debug builds, we are actually
140 // verifying this with DEBUG_CHECK()s in the constructor. So, we can
141 // always unconditionally write the NUL byte in the destructor. We do not
142 // need to adjust the count_, as SafeSPrintf() copies snprintf() in not
143 // including the NUL byte in its return code.
144 *GetInsertionPoint() = '\000';
145 }
146
147 // Returns true, iff the buffer is filled all the way to |kSSizeMax-1|. The
148 // caller can now stop adding more data, as GetCount() has reached its
149 // maximum possible value.
OutOfAddressableSpace() const150 inline bool OutOfAddressableSpace() const {
151 return count_ == static_cast<size_t>(kSSizeMax - 1);
152 }
153
154 // Returns the number of bytes that would have been emitted to |buffer_|
155 // if it was sized sufficiently large. This number can be larger than
156 // |size_|, if the caller provided an insufficiently large output buffer.
157 // But it will never be bigger than |kSSizeMax-1|.
GetCount() const158 inline ssize_t GetCount() const {
159 DEBUG_CHECK(count_ < kSSizeMax);
160 return static_cast<ssize_t>(count_);
161 }
162
163 // Emits one |ch| character into the |buffer_| and updates the |count_| of
164 // characters that are currently supposed to be in the buffer.
165 // Returns "false", iff the buffer was already full.
166 // N.B. |count_| increases even if no characters have been written. This is
167 // needed so that GetCount() can return the number of bytes that should
168 // have been allocated for the |buffer_|.
Out(char ch)169 inline bool Out(char ch) {
170 if (size_ >= 1 && count_ < size_) {
171 buffer_[count_] = ch;
172 return IncrementCountByOne();
173 }
174 // |count_| still needs to be updated, even if the buffer has been
175 // filled completely. This allows SafeSPrintf() to return the number of
176 // bytes that should have been emitted.
177 IncrementCountByOne();
178 return false;
179 }
180
181 // Inserts |padding|-|len| bytes worth of padding into the |buffer_|.
182 // |count_| will also be incremented by the number of bytes that were meant
183 // to be emitted. The |pad| character is typically either a ' ' space
184 // or a '0' zero, but other non-NUL values are legal.
185 // Returns "false", iff the |buffer_| filled up (i.e. |count_|
186 // overflowed |size_|) at any time during padding.
Pad(char pad,size_t padding,size_t len)187 inline bool Pad(char pad, size_t padding, size_t len) {
188 DEBUG_CHECK(pad);
189 DEBUG_CHECK(padding <= kSSizeMax);
190 for (; padding > len; --padding) {
191 if (!Out(pad)) {
192 if (--padding) {
193 IncrementCount(padding-len);
194 }
195 return false;
196 }
197 }
198 return true;
199 }
200
201 // POSIX doesn't define any async-signal-safe function for converting
202 // an integer to ASCII. Define our own version.
203 //
204 // This also gives us the ability to make the function a little more
205 // powerful and have it deal with |padding|, with truncation, and with
206 // predicting the length of the untruncated output.
207 //
208 // IToASCII() converts an integer |i| to ASCII.
209 //
210 // Unlike similar functions in the standard C library, it never appends a
211 // NUL character. This is left for the caller to do.
212 //
213 // While the function signature takes a signed int64_t, the code decides at
214 // run-time whether to treat the argument as signed (int64_t) or as unsigned
215 // (uint64_t) based on the value of |sign|.
216 //
217 // It supports |base|s 2 through 16. Only a |base| of 10 is allowed to have
218 // a |sign|. Otherwise, |i| is treated as unsigned.
219 //
220 // For bases larger than 10, |upcase| decides whether lower-case or upper-
221 // case letters should be used to designate digits greater than 10.
222 //
223 // Padding can be done with either '0' zeros or ' ' spaces. Padding has to
224 // be positive and will always be applied to the left of the output.
225 //
226 // Prepends a |prefix| to the number (e.g. "0x"). This prefix goes to
227 // the left of |padding|, if |pad| is '0'; and to the right of |padding|
228 // if |pad| is ' '.
229 //
230 // Returns "false", if the |buffer_| overflowed at any time.
231 bool IToASCII(bool sign,
232 bool upcase,
233 int64_t i,
234 size_t base,
235 char pad,
236 size_t padding,
237 const char* prefix);
238
239 private:
240 // Increments |count_| by |inc| unless this would cause |count_| to
241 // overflow |kSSizeMax-1|. Returns "false", iff an overflow was detected;
242 // it then clamps |count_| to |kSSizeMax-1|.
IncrementCount(size_t inc)243 inline bool IncrementCount(size_t inc) {
244 // "inc" is either 1 or a "padding" value. Padding is clamped at
245 // run-time to at most kSSizeMax-1. So, we know that "inc" is always in
246 // the range 1..kSSizeMax-1.
247 // This allows us to compute "kSSizeMax - 1 - inc" without incurring any
248 // integer overflows.
249 DEBUG_CHECK(inc <= kSSizeMax - 1);
250 if (count_ > kSSizeMax - 1 - inc) {
251 count_ = kSSizeMax - 1;
252 return false;
253 }
254 count_ += inc;
255 return true;
256 }
257
258 // Convenience method for the common case of incrementing |count_| by one.
IncrementCountByOne()259 inline bool IncrementCountByOne() {
260 return IncrementCount(1);
261 }
262
263 // Return the current insertion point into the buffer. This is typically
264 // at |buffer_| + |count_|, but could be before that if truncation
265 // happened. It always points to one byte past the last byte that was
266 // successfully placed into the |buffer_|.
GetInsertionPoint() const267 inline char* GetInsertionPoint() const {
268 size_t idx = count_;
269 if (idx > size_) {
270 idx = size_;
271 }
272 return buffer_ + idx;
273 }
274
275 // User-provided buffer that will receive the fully formatted output string.
276 raw_ptr<char, AllowPtrArithmetic> buffer_;
277
278 // Number of bytes that are available in the buffer excluding the trailing
279 // NUL byte that will be added by the destructor.
280 const size_t size_;
281
282 // Number of bytes that would have been emitted to the buffer, if the buffer
283 // was sufficiently big. This number always excludes the trailing NUL byte
284 // and it is guaranteed to never grow bigger than kSSizeMax-1.
285 size_t count_;
286 };
287
IToASCII(bool sign,bool upcase,int64_t i,size_t base,char pad,size_t padding,const char * prefix)288 bool Buffer::IToASCII(bool sign,
289 bool upcase,
290 int64_t i,
291 size_t base,
292 char pad,
293 size_t padding,
294 const char* prefix) {
295 // Sanity check for parameters. None of these should ever fail, but see
296 // above for the rationale why we can't call CHECK().
297 DEBUG_CHECK(base >= 2);
298 DEBUG_CHECK(base <= 16);
299 DEBUG_CHECK(!sign || base == 10);
300 DEBUG_CHECK(pad == '0' || pad == ' ');
301 DEBUG_CHECK(padding <= kSSizeMax);
302 DEBUG_CHECK(!(sign && prefix && *prefix));
303
304 // Handle negative numbers, if the caller indicated that |i| should be
305 // treated as a signed number; otherwise treat |i| as unsigned (even if the
306 // MSB is set!)
307 // Details are tricky, because of limited data-types, but equivalent pseudo-
308 // code would look like:
309 // if (sign && i < 0)
310 // prefix = "-";
311 // num = abs(i);
312 size_t minint = 0;
313 uint64_t num;
314 if (sign && i < 0) {
315 prefix = "-";
316
317 // Turn our number positive.
318 if (i == std::numeric_limits<int64_t>::min()) {
319 // The most negative integer needs special treatment.
320 minint = 1;
321 num = static_cast<uint64_t>(-(i + 1));
322 } else {
323 // "Normal" negative numbers are easy.
324 num = static_cast<uint64_t>(-i);
325 }
326 } else {
327 num = static_cast<uint64_t>(i);
328 }
329
330 // If padding with '0' zero, emit the prefix or '-' character now. Otherwise,
331 // make the prefix accessible in reverse order, so that we can later output
332 // it right between padding and the number.
333 // We cannot choose the easier approach of just reversing the number, as that
334 // fails in situations where we need to truncate numbers that have padding
335 // and/or prefixes.
336 const char* reverse_prefix = nullptr;
337 if (prefix && *prefix) {
338 if (pad == '0') {
339 while (*prefix) {
340 if (padding) {
341 --padding;
342 }
343 Out(*prefix++);
344 }
345 prefix = nullptr;
346 } else {
347 for (reverse_prefix = prefix; *reverse_prefix; ++reverse_prefix) {
348 }
349 }
350 } else
351 prefix = nullptr;
352 const size_t prefix_length = static_cast<size_t>(reverse_prefix - prefix);
353
354 // Loop until we have converted the entire number. Output at least one
355 // character (i.e. '0').
356 size_t start = count_;
357 size_t discarded = 0;
358 bool started = false;
359 do {
360 // Make sure there is still enough space left in our output buffer.
361 if (count_ >= size_) {
362 if (start < size_) {
363 // It is rare that we need to output a partial number. But if asked
364 // to do so, we will still make sure we output the correct number of
365 // leading digits.
366 // Since we are generating the digits in reverse order, we actually
367 // have to discard digits in the order that we have already emitted
368 // them. This is essentially equivalent to:
369 // memmove(buffer_ + start, buffer_ + start + 1, size_ - start - 1)
370 for (char* move = buffer_ + start, *end = buffer_ + size_ - 1;
371 move < end;
372 ++move) {
373 *move = move[1];
374 }
375 ++discarded;
376 --count_;
377 } else if (count_ - size_ > 1) {
378 // Need to increment either |count_| or |discarded| to make progress.
379 // The latter is more efficient, as it eventually triggers fast
380 // handling of padding. But we have to ensure we don't accidentally
381 // change the overall state (i.e. switch the state-machine from
382 // discarding to non-discarding). |count_| needs to always stay
383 // bigger than |size_|.
384 --count_;
385 ++discarded;
386 }
387 }
388
389 // Output the next digit and (if necessary) compensate for the most
390 // negative integer needing special treatment. This works because,
391 // no matter the bit width of the integer, the lowest-most decimal
392 // integer always ends in 2, 4, 6, or 8.
393 if (!num && started) {
394 if (reverse_prefix > prefix) {
395 Out(*--reverse_prefix);
396 } else {
397 Out(pad);
398 }
399 } else {
400 started = true;
401 Out((upcase ? kUpCaseHexDigits
402 : kDownCaseHexDigits)[num % base + minint]);
403 }
404
405 minint = 0;
406 num /= base;
407
408 // Add padding, if requested.
409 if (padding > 0) {
410 --padding;
411
412 // Performance optimization for when we are asked to output excessive
413 // padding, but our output buffer is limited in size. Even if we output
414 // a 64bit number in binary, we would never write more than 64 plus
415 // prefix non-padding characters. So, once this limit has been passed,
416 // any further state change can be computed arithmetically; we know that
417 // by this time, our entire final output consists of padding characters
418 // that have all already been output.
419 if (discarded > 8*sizeof(num) + prefix_length) {
420 IncrementCount(padding);
421 padding = 0;
422 }
423 }
424 } while (num || padding || (reverse_prefix > prefix));
425
426 if (start < size_) {
427 // Conversion to ASCII actually resulted in the digits being in reverse
428 // order. We can't easily generate them in forward order, as we can't tell
429 // the number of characters needed until we are done converting.
430 // So, now, we reverse the string (except for the possible '-' sign).
431 char* front = buffer_ + start;
432 char* back = GetInsertionPoint();
433 while (--back > front) {
434 char ch = *back;
435 *back = *front;
436 *front++ = ch;
437 }
438 }
439 IncrementCount(discarded);
440 return !discarded;
441 }
442
443 } // anonymous namespace
444
445 namespace internal {
446
SafeSNPrintf(char * buf,size_t sz,const char * fmt,const Arg * args,const size_t max_args)447 ssize_t SafeSNPrintf(char* buf, size_t sz, const char* fmt, const Arg* args,
448 const size_t max_args) {
449 // Make sure that at least one NUL byte can be written, and that the buffer
450 // never overflows kSSizeMax. Not only does that use up most or all of the
451 // address space, it also would result in a return code that cannot be
452 // represented.
453 if (static_cast<ssize_t>(sz) < 1)
454 return -1;
455 sz = std::min(sz, kSSizeMax);
456
457 // Iterate over format string and interpret '%' arguments as they are
458 // encountered.
459 Buffer buffer(buf, sz);
460 size_t padding;
461 char pad;
462 for (unsigned int cur_arg = 0; *fmt && !buffer.OutOfAddressableSpace(); ) {
463 if (*fmt++ == '%') {
464 padding = 0;
465 pad = ' ';
466 char ch = *fmt++;
467 format_character_found:
468 switch (ch) {
469 case '0': case '1': case '2': case '3': case '4':
470 case '5': case '6': case '7': case '8': case '9':
471 // Found a width parameter. Convert to an integer value and store in
472 // "padding". If the leading digit is a zero, change the padding
473 // character from a space ' ' to a zero '0'.
474 pad = ch == '0' ? '0' : ' ';
475 for (;;) {
476 const size_t digit = static_cast<size_t>(ch - '0');
477 // The maximum allowed padding fills all the available address
478 // space and leaves just enough space to insert the trailing NUL.
479 const size_t max_padding = kSSizeMax - 1;
480 if (padding > max_padding / 10 ||
481 10 * padding > max_padding - digit) {
482 DEBUG_CHECK(padding <= max_padding / 10 &&
483 10 * padding <= max_padding - digit);
484 // Integer overflow detected. Skip the rest of the width until
485 // we find the format character, then do the normal error handling.
486 padding_overflow:
487 padding = max_padding;
488 while ((ch = *fmt++) >= '0' && ch <= '9') {
489 }
490 if (cur_arg < max_args) {
491 ++cur_arg;
492 }
493 goto fail_to_expand;
494 }
495 padding = 10 * padding + digit;
496 if (padding > max_padding) {
497 // This doesn't happen for "sane" values of kSSizeMax. But once
498 // kSSizeMax gets smaller than about 10, our earlier range checks
499 // are incomplete. Unittests do trigger this artificial corner
500 // case.
501 DEBUG_CHECK(padding <= max_padding);
502 goto padding_overflow;
503 }
504 ch = *fmt++;
505 if (ch < '0' || ch > '9') {
506 // Reached the end of the width parameter. This is where the format
507 // character is found.
508 goto format_character_found;
509 }
510 }
511 case 'c': { // Output an ASCII character.
512 // Check that there are arguments left to be inserted.
513 if (cur_arg >= max_args) {
514 DEBUG_CHECK(cur_arg < max_args);
515 goto fail_to_expand;
516 }
517
518 // Check that the argument has the expected type.
519 const Arg& arg = args[cur_arg++];
520 if (arg.type != Arg::INT && arg.type != Arg::UINT) {
521 DEBUG_CHECK(arg.type == Arg::INT || arg.type == Arg::UINT);
522 goto fail_to_expand;
523 }
524
525 // Apply padding, if needed.
526 buffer.Pad(' ', padding, 1);
527
528 // Convert the argument to an ASCII character and output it.
529 char as_char = static_cast<char>(arg.integer.i);
530 if (!as_char) {
531 goto end_of_output_buffer;
532 }
533 buffer.Out(as_char);
534 break; }
535 case 'd': // Output a possibly signed decimal value.
536 case 'o': // Output an unsigned octal value.
537 case 'x': // Output an unsigned hexadecimal value.
538 case 'X':
539 case 'p': { // Output a pointer value.
540 // Check that there are arguments left to be inserted.
541 if (cur_arg >= max_args) {
542 DEBUG_CHECK(cur_arg < max_args);
543 goto fail_to_expand;
544 }
545
546 const Arg& arg = args[cur_arg++];
547 int64_t i;
548 const char* prefix = nullptr;
549 if (ch != 'p') {
550 // Check that the argument has the expected type.
551 if (arg.type != Arg::INT && arg.type != Arg::UINT) {
552 DEBUG_CHECK(arg.type == Arg::INT || arg.type == Arg::UINT);
553 goto fail_to_expand;
554 }
555 i = arg.integer.i;
556
557 if (ch != 'd') {
558 // The Arg() constructor automatically performed sign expansion on
559 // signed parameters. This is great when outputting a %d decimal
560 // number, but can result in unexpected leading 0xFF bytes when
561 // outputting a %x hexadecimal number. Mask bits, if necessary.
562 // We have to do this here, instead of in the Arg() constructor, as
563 // the Arg() constructor cannot tell whether we will output a %d
564 // or a %x. Only the latter should experience masking.
565 if (arg.integer.width < sizeof(int64_t)) {
566 i &= (1LL << (8*arg.integer.width)) - 1;
567 }
568 }
569 } else {
570 // Pointer values require an actual pointer or a string.
571 if (arg.type == Arg::POINTER) {
572 i = static_cast<int64_t>(reinterpret_cast<uintptr_t>(arg.ptr));
573 } else if (arg.type == Arg::STRING) {
574 i = static_cast<int64_t>(reinterpret_cast<uintptr_t>(arg.str));
575 } else if (arg.type == Arg::INT &&
576 arg.integer.width == sizeof(NULL) &&
577 arg.integer.i == 0) { // Allow C++'s version of NULL
578 i = 0;
579 } else {
580 DEBUG_CHECK(arg.type == Arg::POINTER || arg.type == Arg::STRING);
581 goto fail_to_expand;
582 }
583
584 // Pointers always include the "0x" prefix.
585 prefix = "0x";
586 }
587
588 // Use IToASCII() to convert to ASCII representation. For decimal
589 // numbers, optionally print a sign. For hexadecimal numbers,
590 // distinguish between upper and lower case. %p addresses are always
591 // printed as upcase. Supports base 8, 10, and 16. Prints padding
592 // and/or prefixes, if so requested.
593 buffer.IToASCII(ch == 'd' && arg.type == Arg::INT,
594 ch != 'x', i,
595 ch == 'o' ? 8 : ch == 'd' ? 10 : 16,
596 pad, padding, prefix);
597 break; }
598 case 's': {
599 // Check that there are arguments left to be inserted.
600 if (cur_arg >= max_args) {
601 DEBUG_CHECK(cur_arg < max_args);
602 goto fail_to_expand;
603 }
604
605 // Check that the argument has the expected type.
606 const Arg& arg = args[cur_arg++];
607 const char *s;
608 if (arg.type == Arg::STRING) {
609 s = arg.str ? arg.str : "<NULL>";
610 } else if (arg.type == Arg::INT && arg.integer.width == sizeof(NULL) &&
611 arg.integer.i == 0) { // Allow C++'s version of NULL
612 s = "<NULL>";
613 } else {
614 DEBUG_CHECK(arg.type == Arg::STRING);
615 goto fail_to_expand;
616 }
617
618 // Apply padding, if needed. This requires us to first check the
619 // length of the string that we are outputting.
620 if (padding) {
621 size_t len = 0;
622 for (const char* src = s; *src++; ) {
623 ++len;
624 }
625 buffer.Pad(' ', padding, len);
626 }
627
628 // Printing a string involves nothing more than copying it into the
629 // output buffer and making sure we don't output more bytes than
630 // available space; Out() takes care of doing that.
631 for (const char* src = s; *src; ) {
632 buffer.Out(*src++);
633 }
634 break; }
635 case '%':
636 // Quoted percent '%' character.
637 goto copy_verbatim;
638 fail_to_expand:
639 // C++ gives us tools to do type checking -- something that snprintf()
640 // could never really do. So, whenever we see arguments that don't
641 // match up with the format string, we refuse to output them. But
642 // since we have to be extremely conservative about being async-
643 // signal-safe, we are limited in the type of error handling that we
644 // can do in production builds (in debug builds we can use
645 // DEBUG_CHECK() and hope for the best). So, all we do is pass the
646 // format string unchanged. That should eventually get the user's
647 // attention; and in the meantime, it hopefully doesn't lose too much
648 // data.
649 default:
650 // Unknown or unsupported format character. Just copy verbatim to
651 // output.
652 buffer.Out('%');
653 DEBUG_CHECK(ch);
654 if (!ch) {
655 goto end_of_format_string;
656 }
657 buffer.Out(ch);
658 break;
659 }
660 } else {
661 copy_verbatim:
662 buffer.Out(fmt[-1]);
663 }
664 }
665 end_of_format_string:
666 end_of_output_buffer:
667 return buffer.GetCount();
668 }
669
670 } // namespace internal
671
SafeSNPrintf(char * buf,size_t sz,const char * fmt)672 ssize_t SafeSNPrintf(char* buf, size_t sz, const char* fmt) {
673 // Make sure that at least one NUL byte can be written, and that the buffer
674 // never overflows kSSizeMax. Not only does that use up most or all of the
675 // address space, it also would result in a return code that cannot be
676 // represented.
677 if (static_cast<ssize_t>(sz) < 1)
678 return -1;
679 sz = std::min(sz, kSSizeMax);
680
681 Buffer buffer(buf, sz);
682
683 // In the slow-path, we deal with errors by copying the contents of
684 // "fmt" unexpanded. This means, if there are no arguments passed, the
685 // SafeSPrintf() function always degenerates to a version of strncpy() that
686 // de-duplicates '%' characters.
687 const char* src = fmt;
688 for (; *src; ++src) {
689 buffer.Out(*src);
690 DEBUG_CHECK(src[0] != '%' || src[1] == '%');
691 if (src[0] == '%' && src[1] == '%') {
692 ++src;
693 }
694 }
695 return buffer.GetCount();
696 }
697
698 } // namespace strings
699 } // namespace base
700