// Copyright 2012 The Chromium Authors
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

#ifdef UNSAFE_BUFFERS_BUILD
// TODO(crbug.com/40284755): Remove this and spanify to fix the errors.
#pragma allow_unsafe_buffers
#endif

#ifndef BASE_PICKLE_H_
#define BASE_PICKLE_H_

#include <stddef.h>
#include <stdint.h>

#include <optional>
#include <string>
#include <string_view>

#include "base/base_export.h"
#include "base/check_op.h"
#include "base/compiler_specific.h"
#include "base/containers/checked_iterators.h"
#include "base/containers/span.h"
#include "base/gtest_prod_util.h"
#include "base/memory/raw_ptr_exclusion.h"
#include "base/memory/ref_counted.h"

namespace base {

class Pickle;

// Cursor for reading values back out of a Pickle. The iterator only borrows
// the Pickle's buffer: the Pickle must outlive every PickleIterator created
// from it and must not be mutated while one is in use.
class BASE_EXPORT PickleIterator {
 public:
  // A default-constructed iterator has no payload and is already at its end.
  PickleIterator() = default;
  // Positions the iterator at the start of `pickle`'s payload.
  explicit PickleIterator(const Pickle& pickle);

  // Typed readers. Each consumes the next value of the given type from the
  // payload and stores it in `*result`, returning true on success. A false
  // return means the value could not be extracted; once a read has failed the
  // iterator must not be read from again.
  [[nodiscard]] bool ReadBool(bool* result);
  [[nodiscard]] bool ReadInt(int* result);
  [[nodiscard]] bool ReadLong(long* result);
  [[nodiscard]] bool ReadUInt16(uint16_t* result);
  [[nodiscard]] bool ReadUInt32(uint32_t* result);
  [[nodiscard]] bool ReadInt64(int64_t* result);
  [[nodiscard]] bool ReadUInt64(uint64_t* result);
  [[nodiscard]] bool ReadFloat(float* result);
  [[nodiscard]] bool ReadDouble(double* result);
  [[nodiscard]] bool ReadString(std::string* result);
  // The std::string_view placed in `*result` aliases the message buffer and is
  // only valid for the lifetime of the message.
  [[nodiscard]] bool ReadStringPiece(std::string_view* result);
  [[nodiscard]] bool ReadString16(std::u16string* result);
  // As for ReadStringPiece(): the std::u16string_view in `*result` is only
  // valid for the lifetime of the message.
  [[nodiscard]] bool ReadStringPiece16(std::u16string_view* result);

  // Reads a length-prefixed blob. On success `*data` points into the message
  // buffer and `*length` holds the blob's size. The pointer aliases the
  // message, so it is valid only until the message is destroyed or its data
  // is mutated; never retain it.
  [[nodiscard]] bool ReadData(const char** data, size_t* length);

  // Same as above, returning the blob as a span instead of pointer + length.
  [[nodiscard]] std::optional<span<const uint8_t>> ReadData();

  // Reads a raw blob of exactly `length` bytes; the caller supplies the length
  // and ReadBytes validates that many bytes remain. On success `*data` points
  // into the message buffer, with the same lifetime caveat as ReadData():
  // never retain it.
  [[nodiscard]] bool ReadBytes(const char** data, size_t length);

  // Reads an int and rejects negative values, so the result is usable as a
  // size. Prefer this over ReadInt() whenever the value is an object size.
  [[nodiscard]] bool ReadLength(size_t* result) {
    int length = 0;
    if (ReadInt(&length) && length >= 0) {
      *result = static_cast<size_t>(length);
      return true;
    }
    return false;
  }

  // Advances past `num_bytes` bytes of payload. Returns true if at least that
  // many bytes were available; otherwise leaves the iterator untouched and
  // returns false.
  [[nodiscard]] bool SkipBytes(size_t num_bytes) {
    return GetReadPointerAndAdvance(num_bytes) != nullptr;
  }

  // True once every byte of the payload has been consumed.
  bool ReachedEnd() const { return read_index_ == end_index_; }

 private:
  // Reads a single value of builtin type `Type` from the payload.
  template <typename Type>
  bool ReadBuiltinType(Type* result);

  // Moves read_index_ forward by `size` without letting it exceed end_index_.
  // Keeps read_index_ aligned.
  void Advance(size_t size);

  // Returns the read pointer for one `Type` and advances past it.
  template <typename Type>
  const char* GetReadPointerAndAdvance();

  // Returns the read pointer for `num_bytes` bytes and advances past them.
  // Guards against `num_bytes` wrapping the index arithmetic.
  const char* GetReadPointerAndAdvance(size_t num_bytes);

  // Returns the read pointer for `num_elements * size_element` bytes and
  // advances past them. Checks the multiplication for overflow as well as the
  // index arithmetic for wrapping.
  const char* GetReadPointerAndAdvance(size_t num_elements,
                                       size_t size_element);

  const char* payload_ = nullptr;  // Start of the pickle's payload.
  size_t read_index_ = 0;          // Offset of the next readable byte.
  size_t end_index_ = 0;           // Payload size (one past the last byte).

  FRIEND_TEST_ALL_PREFIXES(PickleTest, GetReadPointerAndAdvance);
};

// Basic binary value packing and unpacking.
//
// A Pickle accepts a sequence of primitive values (ints, strings, etc.) and
// grows its internal memory buffer dynamically to hold them.
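// The internal memory buffer is exposed as the Pickle's "data", and that data
// can in turn be handed to another Pickle to initialize it for reading.
//
// A Pickle does not record the types of the values written to it, so a reader
// must know which value types to read back and in what order.
//
// The data starts with a header holding the size of the payload. Extra header
// space can be requested through the header_size parameter of the Pickle
// constructor.
//
class BASE_EXPORT Pickle {
 public:
  // Auxiliary data attached to a Pickle. Attachment support requires
  // subclassing both Pickle and this interface; the base Pickle implementation
  // does not accept attachments.
  class BASE_EXPORT Attachment : public RefCountedThreadSafe<Attachment> {
   public:
    Attachment();
    Attachment(const Attachment&) = delete;
    Attachment& operator=(const Attachment&) = delete;

   protected:
    friend class RefCountedThreadSafe<Attachment>;
    virtual ~Attachment();
  };

  using iterator = CheckedContiguousIterator<const uint8_t>;

  // Creates an empty Pickle using the default header size.
  Pickle();

  // Creates an empty Pickle whose header is `header_size` bytes, which must be
  // at least `sizeof(Pickle::Header)`. The size is rounded up so the header
  // stays 32-bit aligned. The bytes beyond the standard header are left
  // uninitialized.
  explicit Pickle(size_t header_size);

  // Builds a Pickle from an existing block of data. The data is copied, so the
  // result can be passed around without concern for the source dangling. The
  // header padding size is deduced from the data length.
  static Pickle WithData(span<const uint8_t> data);

  // Builds a Pickle that references, rather than copies, `data`. This saves a
  // copy but the Pickle dangles as soon as `data` does, so use it only when
  // that speed gain clearly outweighs the risk. A Pickle obtained this way
  // must only have its const methods called. The header padding size is
  // deduced from the data length.
  static Pickle WithUnownedBuffer(span<const uint8_t> data);

  // Copies `other`. If `other` references unowned data, the copy gets its own
  // internalized copy of that data.
  Pickle(const Pickle& other);

  // Virtual because subclasses exist and are deleted through this type
  // (e.g. std::unique_ptr<Pickle> appears in several places).
  virtual ~Pickle();

  // Deep copy.
  Pickle& operator=(const Pickle& other);

  // Number of bytes written so far, header included; 0 when there is no
  // header.
  size_t size() const {
    return header_ ? header_size_ + header_->payload_size : 0;
  }

  bool empty() const { return size() == 0; }

  // Start of this Pickle's data (i.e. of the header).
  const uint8_t* data() const {
    return reinterpret_cast<const uint8_t*>(header_);
  }

  // data() as a char pointer, saving callers a reinterpret_cast.
  const char* data_as_char() const {
    return reinterpret_cast<const char*>(data());
  }

  // Iteration. These let `Pickle` satisfy `std::ranges::contiguous_range`,
  // which in turn allows it to be implicitly converted to a `span`.
  iterator begin() const {
    // SAFETY: `data()` always points to at least `size()` valid bytes, so this
    // pointer is no further than just-past-the-end of the allocation.
    return UNSAFE_BUFFERS(iterator(data(), data() + size()));
  }
  iterator end() const {
    // SAFETY: As in `begin()` above.
    return UNSAFE_BUFFERS(iterator(data(), data() + size(), data() + size()));
  }

  // Total number of bytes currently allocated dynamically, or 0 for a
  // read-only Pickle. Intended for diagnostic / profiling purposes only.
  size_t GetTotalAllocatedSize() const;

  // Writers. Each appends a value to the end of the payload. Values must be
  // read back in the same order in which they were written.

  void WriteBool(bool value) { WriteInt(value ? 1 : 0); }
  void WriteInt(int value) { WritePOD(value); }
  void WriteLong(long value) {
    // Always written as 64 bits so that 32-bit and 64-bit processes agree on
    // the wire format.
    WritePOD(static_cast<int64_t>(value));
  }
  void WriteUInt16(uint16_t value) { WritePOD(value); }
  void WriteUInt32(uint32_t value) { WritePOD(value); }
  void WriteInt64(int64_t value) { WritePOD(value); }
  void WriteUInt64(uint64_t value) { WritePOD(value); }
  void WriteFloat(float value) { WritePOD(value); }
  void WriteDouble(double value) { WritePOD(value); }
  void WriteString(std::string_view value);
  void WriteString16(std::u16string_view value);
  // "Data" is a blob written together with its length, so the reader gets the
  // length back. See also WriteBytes.
  // TODO(https://crbug.com/40284755): Migrate callers to the span versions.
  void WriteData(const char* data, size_t length);
  void WriteData(span<const uint8_t> data);
  void WriteData(std::string_view data);
  // "Bytes" is a blob written without its length; the caller must supply the
  // length on both the write and the read side. Normally used to serialize PoD
  // types of a known size. See also WriteData.
  // TODO(https://crbug.com/40284755): Migrate callers to the span version.
  void WriteBytes(const void* data, size_t length);
  void WriteBytes(span<const uint8_t> data);

  // Appends `attachment` to the pickle. Returns false iff the attachment set
  // is full or this Pickle implementation does not support attachments.
  virtual bool WriteAttachment(scoped_refptr<Attachment> attachment);

  // Parses an attachment at the position given by `iter` and stores it in
  // `*attachment`. Returns true on success.
  virtual bool ReadAttachment(PickleIterator* iter,
                              scoped_refptr<Attachment>* attachment) const;

  // Whether the pickle carries any attachments.
  virtual bool HasAttachments() const;

  // Pre-grows the buffer for upcoming writes whose combined size is known in
  // advance. Calling Reserve() once before a run of WriteFoo() calls can be
  // significantly faster than letting each write grow the buffer.
  void Reserve(size_t additional_capacity);

  // Header that precedes the payload (the header size is customizable).
  struct Header {
    uint32_t payload_size;  // Size of the payload in bytes.
  };

  // Returns the header cast to the user-specified type T, which must derive
  // from Header and whose size must match the header_size given to the Pickle
  // constructor. The size check is a DCHECK, not a release-mode guard, so
  // callers are responsible for passing a T that actually matches the header.
  template <class T>
  T* headerT() {
    DCHECK_EQ(header_size_, sizeof(T));
    return static_cast<T*>(header_);
  }
  template <class T>
  const T* headerT() const {
    DCHECK_EQ(header_size_, sizeof(T));
    return static_cast<const T*>(header_);
  }

  // Size of the payload, the pickle data immediately following the header;
  // 0 when there is no header.
  size_t payload_size() const {
    return header_ ? header_->payload_size : 0;
  }

  // The payload as a byte span.
  span<const uint8_t> payload_bytes() const {
    return as_bytes(span(payload(), payload_size()));
  }

 protected:
  // Protected constructor. Note that this creates a Pickle that does not own
  // its data.
  enum UnownedData { kUnownedData };
  explicit Pickle(UnownedData, span<const uint8_t> data);

  // Size of the header, whether defaulted, set by the user or derived from
  // raw data.
  size_t header_size() const { return header_size_; }

  // Start of the payload. Unlike end_of_payload(), this does not check
  // `header_`; call it only on a Pickle that has a header.
  const char* payload() const {
    return reinterpret_cast<const char*>(header_) + header_size_;
  }

  // Address of the byte immediately following the valid header + payload, or
  // nullptr if this object has no header.
  const char* end_of_payload() const {
    // This object may be invalid.
    if (!header_)
      return nullptr;
    return payload() + payload_size();
  }

  char* mutable_payload() {
    return reinterpret_cast<char*>(header_) + header_size_;
  }

  size_t capacity_after_header() const {
    return capacity_after_header_;
  }

  // Resizes the payload capacity. `new_capacity` excludes the header.
  void Resize(size_t new_capacity);

  // Claims `num_bytes` bytes of payload. Like Reserve() this may grow the
  // capacity, but it also advances the write offset by `num_bytes`. Claimed
  // memory, including padding, is zeroed.
  //
  // Returns the address of the first byte claimed.
  void* ClaimBytes(size_t num_bytes);

  // Finds the end of the pickled data that starts at `range_start`. Returns
  // nullptr if the entire Pickle does not fit in [range_start, range_end).
  static const char* FindNext(size_t header_size,
                              const char* range_start,
                              const char* range_end);

  // Parses the pickle header and stores the pickle's total size in
  // `*pickle_size`. The range need not contain the whole pickle. Returns true
  // iff a header was found and parsed. The size is taken from the data buffer
  // itself, so callers must sanity-check `*pickle_size` (against their maximum
  // message size, etc.) before trusting it.
  // NOTE: if the header parses but the size calculation overflows, this sets
  // `*pickle_size` to the maximum size_t value and still returns true.
  static bool PeekNext(size_t header_size,
                       const char* range_start,
                       const char* range_end,
                       size_t* pickle_size);

  // Allocation granularity of the payload.
  static const size_t kPayloadUnit;

 private:
  friend class PickleIterator;

  // `header_` is not a raw_ptr<...> for performance reasons (based on analysis
  // of sampling profiler data).
  RAW_PTR_EXCLUSION Header* header_;
  size_t header_size_;  // Supports extra data between header and payload.
  // Allocation size of the payload (or -1 if the allocation is const). Does
  // not count the header.
  size_t capacity_after_header_;
  // Offset at which the next field will be written. Does not count the
  // header.
  size_t write_offset_;

  // Like WriteBytes, but with a compile-time size, for performance.
  template <size_t length>
  void BASE_EXPORT WriteBytesStatic(const void* data);

  // Writes a POD by copying its bytes. Always returns true.
  template <typename T>
  bool WritePOD(const T& data) {
    WriteBytesStatic<sizeof(data)>(&data);
    return true;
  }

  inline void* ClaimUninitializedBytesInternal(size_t num_bytes);
  inline void WriteBytesCommon(span<const uint8_t> data);

  FRIEND_TEST_ALL_PREFIXES(PickleTest, DeepCopyResize);
  FRIEND_TEST_ALL_PREFIXES(PickleTest, Resize);
  FRIEND_TEST_ALL_PREFIXES(PickleTest, PeekNext);
  FRIEND_TEST_ALL_PREFIXES(PickleTest, PeekNextOverflow);
  FRIEND_TEST_ALL_PREFIXES(PickleTest, FindNext);
  FRIEND_TEST_ALL_PREFIXES(PickleTest, FindNextWithIncompleteHeader);
  FRIEND_TEST_ALL_PREFIXES(PickleTest, FindNextOverflow);
};

}  // namespace base

#endif  // BASE_PICKLE_H_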