1 // Copyright 2013 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 #include "base/strings/safe_sprintf.h"
6
7 #include <errno.h>
8 #include <string.h>
9
10 #include <limits>
11
12 #include "base/macros.h"
13 #include "build/build_config.h"
14
15 #if !defined(NDEBUG)
16 // In debug builds, we use RAW_CHECK() to print useful error messages, if
17 // SafeSPrintf() is called with broken arguments.
18 // As our contract promises that SafeSPrintf() can be called from any
19 // restricted run-time context, it is not actually safe to call logging
20 // functions from it; and we only ever do so for debug builds and hope for the
21 // best. We should _never_ call any logging function other than RAW_CHECK(),
22 // and we should _never_ include any logging code that is active in production
23 // builds. Most notably, we should not include these logging functions in
24 // unofficial release builds, even though those builds would otherwise have
25 // DCHECKS() enabled.
26 // In other words; please do not remove the #ifdef around this #include.
27 // Instead, in production builds we opt for returning a degraded result,
28 // whenever an error is encountered.
29 // E.g. The broken function call
30 // SafeSPrintf("errno = %d (%x)", errno, strerror(errno))
31 // will print something like
32 // errno = 13, (%x)
33 // instead of
34 // errno = 13 (Access denied)
35 // In most of the anticipated use cases, that's probably the preferred
36 // behavior.
37 #include "base/logging.h"
38 #define DEBUG_CHECK RAW_CHECK
39 #else
40 #define DEBUG_CHECK(x) do { if (x) { } } while (0)
41 #endif
42
43 namespace base {
44 namespace strings {
45
46 // The code in this file is extremely careful to be async-signal-safe.
47 //
48 // Most obviously, we avoid calling any code that could dynamically allocate
49 // memory. Doing so would almost certainly result in bugs and dead-locks.
50 // We also avoid calling any other STL functions that could have unintended
51 // side-effects involving memory allocation or access to other shared
52 // resources.
53 //
54 // But on top of that, we also avoid calling other library functions, as many
55 // of them have the side-effect of calling getenv() (in order to deal with
56 // localization) or accessing errno. The latter sounds benign, but there are
57 // several execution contexts where it isn't even possible to safely read let
58 // alone write errno.
59 //
60 // The stated design goal of the SafeSPrintf() function is that it can be
61 // called from any context that can safely call C or C++ code (i.e. anything
62 // that doesn't require assembly code).
63 //
64 // For a brief overview of some but not all of the issues with async-signal-
65 // safety, refer to:
66 // http://pubs.opengroup.org/onlinepubs/009695399/functions/xsh_chap02_04.html
67
68 namespace {
69 const size_t kSSizeMaxConst = ((size_t)(ssize_t)-1) >> 1;
70
71 const char kUpCaseHexDigits[] = "0123456789ABCDEF";
72 const char kDownCaseHexDigits[] = "0123456789abcdef";
73 }
74
75 #if defined(NDEBUG)
76 // We would like to define kSSizeMax as std::numeric_limits<ssize_t>::max(),
77 // but C++ doesn't allow us to do that for constants. Instead, we have to
78 // use careful casting and shifting. We later use a static_assert to
79 // verify that this worked correctly.
80 namespace {
81 const size_t kSSizeMax = kSSizeMaxConst;
82 }
83 #else // defined(NDEBUG)
84 // For efficiency, we really need kSSizeMax to be a constant. But for unit
85 // tests, it should be adjustable. This allows us to verify edge cases without
86 // having to fill the entire available address space. As a compromise, we make
87 // kSSizeMax adjustable in debug builds, and then only compile that particular
88 // part of the unit test in debug builds.
89 namespace {
90 static size_t kSSizeMax = kSSizeMaxConst;
91 }
92
93 namespace internal {
SetSafeSPrintfSSizeMaxForTest(size_t max)94 void SetSafeSPrintfSSizeMaxForTest(size_t max) {
95 kSSizeMax = max;
96 }
97
GetSafeSPrintfSSizeMaxForTest()98 size_t GetSafeSPrintfSSizeMaxForTest() {
99 return kSSizeMax;
100 }
101 }
102 #endif // defined(NDEBUG)
103
104 namespace {
105 class Buffer {
106 public:
107 // |buffer| is caller-allocated storage that SafeSPrintf() writes to. It
108 // has |size| bytes of writable storage. It is the caller's responsibility
109 // to ensure that the buffer is at least one byte in size, so that it fits
110 // the trailing NUL that will be added by the destructor. The buffer also
111 // must be smaller or equal to kSSizeMax in size.
Buffer(char * buffer,size_t size)112 Buffer(char* buffer, size_t size)
113 : buffer_(buffer),
114 size_(size - 1), // Account for trailing NUL byte
115 count_(0) {
116 // MSVS2013's standard library doesn't mark max() as constexpr yet. cl.exe
117 // supports static_cast but doesn't really implement constexpr yet so it doesn't
118 // complain, but clang does.
119 #if __cplusplus >= 201103 && !(defined(__clang__) && defined(OS_WIN))
120 static_assert(kSSizeMaxConst ==
121 static_cast<size_t>(std::numeric_limits<ssize_t>::max()),
122 "kSSizeMaxConst should be the max value of an ssize_t");
123 #endif
124 DEBUG_CHECK(size > 0);
125 DEBUG_CHECK(size <= kSSizeMax);
126 }
127
~Buffer()128 ~Buffer() {
129 // The code calling the constructor guaranteed that there was enough space
130 // to store a trailing NUL -- and in debug builds, we are actually
131 // verifying this with DEBUG_CHECK()s in the constructor. So, we can
132 // always unconditionally write the NUL byte in the destructor. We do not
133 // need to adjust the count_, as SafeSPrintf() copies snprintf() in not
134 // including the NUL byte in its return code.
135 *GetInsertionPoint() = '\000';
136 }
137
138 // Returns true, iff the buffer is filled all the way to |kSSizeMax-1|. The
139 // caller can now stop adding more data, as GetCount() has reached its
140 // maximum possible value.
OutOfAddressableSpace() const141 inline bool OutOfAddressableSpace() const {
142 return count_ == static_cast<size_t>(kSSizeMax - 1);
143 }
144
145 // Returns the number of bytes that would have been emitted to |buffer_|
146 // if it was sized sufficiently large. This number can be larger than
147 // |size_|, if the caller provided an insufficiently large output buffer.
148 // But it will never be bigger than |kSSizeMax-1|.
GetCount() const149 inline ssize_t GetCount() const {
150 DEBUG_CHECK(count_ < kSSizeMax);
151 return static_cast<ssize_t>(count_);
152 }
153
154 // Emits one |ch| character into the |buffer_| and updates the |count_| of
155 // characters that are currently supposed to be in the buffer.
156 // Returns "false", iff the buffer was already full.
157 // N.B. |count_| increases even if no characters have been written. This is
158 // needed so that GetCount() can return the number of bytes that should
159 // have been allocated for the |buffer_|.
Out(char ch)160 inline bool Out(char ch) {
161 if (size_ >= 1 && count_ < size_) {
162 buffer_[count_] = ch;
163 return IncrementCountByOne();
164 }
165 // |count_| still needs to be updated, even if the buffer has been
166 // filled completely. This allows SafeSPrintf() to return the number of
167 // bytes that should have been emitted.
168 IncrementCountByOne();
169 return false;
170 }
171
172 // Inserts |padding|-|len| bytes worth of padding into the |buffer_|.
173 // |count_| will also be incremented by the number of bytes that were meant
174 // to be emitted. The |pad| character is typically either a ' ' space
175 // or a '0' zero, but other non-NUL values are legal.
176 // Returns "false", iff the the |buffer_| filled up (i.e. |count_|
177 // overflowed |size_|) at any time during padding.
Pad(char pad,size_t padding,size_t len)178 inline bool Pad(char pad, size_t padding, size_t len) {
179 DEBUG_CHECK(pad);
180 DEBUG_CHECK(padding <= kSSizeMax);
181 for (; padding > len; --padding) {
182 if (!Out(pad)) {
183 if (--padding) {
184 IncrementCount(padding-len);
185 }
186 return false;
187 }
188 }
189 return true;
190 }
191
192 // POSIX doesn't define any async-signal-safe function for converting
193 // an integer to ASCII. Define our own version.
194 //
195 // This also gives us the ability to make the function a little more
196 // powerful and have it deal with |padding|, with truncation, and with
197 // predicting the length of the untruncated output.
198 //
199 // IToASCII() converts an integer |i| to ASCII.
200 //
201 // Unlike similar functions in the standard C library, it never appends a
202 // NUL character. This is left for the caller to do.
203 //
204 // While the function signature takes a signed int64_t, the code decides at
205 // run-time whether to treat the argument as signed (int64_t) or as unsigned
206 // (uint64_t) based on the value of |sign|.
207 //
208 // It supports |base|s 2 through 16. Only a |base| of 10 is allowed to have
209 // a |sign|. Otherwise, |i| is treated as unsigned.
210 //
211 // For bases larger than 10, |upcase| decides whether lower-case or upper-
212 // case letters should be used to designate digits greater than 10.
213 //
214 // Padding can be done with either '0' zeros or ' ' spaces. Padding has to
215 // be positive and will always be applied to the left of the output.
216 //
217 // Prepends a |prefix| to the number (e.g. "0x"). This prefix goes to
218 // the left of |padding|, if |pad| is '0'; and to the right of |padding|
219 // if |pad| is ' '.
220 //
221 // Returns "false", if the |buffer_| overflowed at any time.
222 bool IToASCII(bool sign, bool upcase, int64_t i, int base,
223 char pad, size_t padding, const char* prefix);
224
225 private:
226 // Increments |count_| by |inc| unless this would cause |count_| to
227 // overflow |kSSizeMax-1|. Returns "false", iff an overflow was detected;
228 // it then clamps |count_| to |kSSizeMax-1|.
IncrementCount(size_t inc)229 inline bool IncrementCount(size_t inc) {
230 // "inc" is either 1 or a "padding" value. Padding is clamped at
231 // run-time to at most kSSizeMax-1. So, we know that "inc" is always in
232 // the range 1..kSSizeMax-1.
233 // This allows us to compute "kSSizeMax - 1 - inc" without incurring any
234 // integer overflows.
235 DEBUG_CHECK(inc <= kSSizeMax - 1);
236 if (count_ > kSSizeMax - 1 - inc) {
237 count_ = kSSizeMax - 1;
238 return false;
239 } else {
240 count_ += inc;
241 return true;
242 }
243 }
244
245 // Convenience method for the common case of incrementing |count_| by one.
IncrementCountByOne()246 inline bool IncrementCountByOne() {
247 return IncrementCount(1);
248 }
249
250 // Return the current insertion point into the buffer. This is typically
251 // at |buffer_| + |count_|, but could be before that if truncation
252 // happened. It always points to one byte past the last byte that was
253 // successfully placed into the |buffer_|.
GetInsertionPoint() const254 inline char* GetInsertionPoint() const {
255 size_t idx = count_;
256 if (idx > size_) {
257 idx = size_;
258 }
259 return buffer_ + idx;
260 }
261
262 // User-provided buffer that will receive the fully formatted output string.
263 char* buffer_;
264
265 // Number of bytes that are available in the buffer excluding the trailing
266 // NUL byte that will be added by the destructor.
267 const size_t size_;
268
269 // Number of bytes that would have been emitted to the buffer, if the buffer
270 // was sufficiently big. This number always excludes the trailing NUL byte
271 // and it is guaranteed to never grow bigger than kSSizeMax-1.
272 size_t count_;
273
274 DISALLOW_COPY_AND_ASSIGN(Buffer);
275 };
276
277
IToASCII(bool sign,bool upcase,int64_t i,int base,char pad,size_t padding,const char * prefix)278 bool Buffer::IToASCII(bool sign, bool upcase, int64_t i, int base,
279 char pad, size_t padding, const char* prefix) {
280 // Sanity check for parameters. None of these should ever fail, but see
281 // above for the rationale why we can't call CHECK().
282 DEBUG_CHECK(base >= 2);
283 DEBUG_CHECK(base <= 16);
284 DEBUG_CHECK(!sign || base == 10);
285 DEBUG_CHECK(pad == '0' || pad == ' ');
286 DEBUG_CHECK(padding <= kSSizeMax);
287 DEBUG_CHECK(!(sign && prefix && *prefix));
288
289 // Handle negative numbers, if the caller indicated that |i| should be
290 // treated as a signed number; otherwise treat |i| as unsigned (even if the
291 // MSB is set!)
292 // Details are tricky, because of limited data-types, but equivalent pseudo-
293 // code would look like:
294 // if (sign && i < 0)
295 // prefix = "-";
296 // num = abs(i);
297 int minint = 0;
298 uint64_t num;
299 if (sign && i < 0) {
300 prefix = "-";
301
302 // Turn our number positive.
303 if (i == std::numeric_limits<int64_t>::min()) {
304 // The most negative integer needs special treatment.
305 minint = 1;
306 num = static_cast<uint64_t>(-(i + 1));
307 } else {
308 // "Normal" negative numbers are easy.
309 num = static_cast<uint64_t>(-i);
310 }
311 } else {
312 num = static_cast<uint64_t>(i);
313 }
314
315 // If padding with '0' zero, emit the prefix or '-' character now. Otherwise,
316 // make the prefix accessible in reverse order, so that we can later output
317 // it right between padding and the number.
318 // We cannot choose the easier approach of just reversing the number, as that
319 // fails in situations where we need to truncate numbers that have padding
320 // and/or prefixes.
321 const char* reverse_prefix = NULL;
322 if (prefix && *prefix) {
323 if (pad == '0') {
324 while (*prefix) {
325 if (padding) {
326 --padding;
327 }
328 Out(*prefix++);
329 }
330 prefix = NULL;
331 } else {
332 for (reverse_prefix = prefix; *reverse_prefix; ++reverse_prefix) {
333 }
334 }
335 } else
336 prefix = NULL;
337 const size_t prefix_length = reverse_prefix - prefix;
338
339 // Loop until we have converted the entire number. Output at least one
340 // character (i.e. '0').
341 size_t start = count_;
342 size_t discarded = 0;
343 bool started = false;
344 do {
345 // Make sure there is still enough space left in our output buffer.
346 if (count_ >= size_) {
347 if (start < size_) {
348 // It is rare that we need to output a partial number. But if asked
349 // to do so, we will still make sure we output the correct number of
350 // leading digits.
351 // Since we are generating the digits in reverse order, we actually
352 // have to discard digits in the order that we have already emitted
353 // them. This is essentially equivalent to:
354 // memmove(buffer_ + start, buffer_ + start + 1, size_ - start - 1)
355 for (char* move = buffer_ + start, *end = buffer_ + size_ - 1;
356 move < end;
357 ++move) {
358 *move = move[1];
359 }
360 ++discarded;
361 --count_;
362 } else if (count_ - size_ > 1) {
363 // Need to increment either |count_| or |discarded| to make progress.
364 // The latter is more efficient, as it eventually triggers fast
365 // handling of padding. But we have to ensure we don't accidentally
366 // change the overall state (i.e. switch the state-machine from
367 // discarding to non-discarding). |count_| needs to always stay
368 // bigger than |size_|.
369 --count_;
370 ++discarded;
371 }
372 }
373
374 // Output the next digit and (if necessary) compensate for the most
375 // negative integer needing special treatment. This works because,
376 // no matter the bit width of the integer, the lowest-most decimal
377 // integer always ends in 2, 4, 6, or 8.
378 if (!num && started) {
379 if (reverse_prefix > prefix) {
380 Out(*--reverse_prefix);
381 } else {
382 Out(pad);
383 }
384 } else {
385 started = true;
386 Out((upcase ? kUpCaseHexDigits : kDownCaseHexDigits)[num%base + minint]);
387 }
388
389 minint = 0;
390 num /= base;
391
392 // Add padding, if requested.
393 if (padding > 0) {
394 --padding;
395
396 // Performance optimization for when we are asked to output excessive
397 // padding, but our output buffer is limited in size. Even if we output
398 // a 64bit number in binary, we would never write more than 64 plus
399 // prefix non-padding characters. So, once this limit has been passed,
400 // any further state change can be computed arithmetically; we know that
401 // by this time, our entire final output consists of padding characters
402 // that have all already been output.
403 if (discarded > 8*sizeof(num) + prefix_length) {
404 IncrementCount(padding);
405 padding = 0;
406 }
407 }
408 } while (num || padding || (reverse_prefix > prefix));
409
410 // Conversion to ASCII actually resulted in the digits being in reverse
411 // order. We can't easily generate them in forward order, as we can't tell
412 // the number of characters needed until we are done converting.
413 // So, now, we reverse the string (except for the possible '-' sign).
414 char* front = buffer_ + start;
415 char* back = GetInsertionPoint();
416 while (--back > front) {
417 char ch = *back;
418 *back = *front;
419 *front++ = ch;
420 }
421
422 IncrementCount(discarded);
423 return !discarded;
424 }
425
426 } // anonymous namespace
427
428 namespace internal {
429
SafeSNPrintf(char * buf,size_t sz,const char * fmt,const Arg * args,const size_t max_args)430 ssize_t SafeSNPrintf(char* buf, size_t sz, const char* fmt, const Arg* args,
431 const size_t max_args) {
432 // Make sure that at least one NUL byte can be written, and that the buffer
433 // never overflows kSSizeMax. Not only does that use up most or all of the
434 // address space, it also would result in a return code that cannot be
435 // represented.
436 if (static_cast<ssize_t>(sz) < 1) {
437 return -1;
438 } else if (sz > kSSizeMax) {
439 sz = kSSizeMax;
440 }
441
442 // Iterate over format string and interpret '%' arguments as they are
443 // encountered.
444 Buffer buffer(buf, sz);
445 size_t padding;
446 char pad;
447 for (unsigned int cur_arg = 0; *fmt && !buffer.OutOfAddressableSpace(); ) {
448 if (*fmt++ == '%') {
449 padding = 0;
450 pad = ' ';
451 char ch = *fmt++;
452 format_character_found:
453 switch (ch) {
454 case '0': case '1': case '2': case '3': case '4':
455 case '5': case '6': case '7': case '8': case '9':
456 // Found a width parameter. Convert to an integer value and store in
457 // "padding". If the leading digit is a zero, change the padding
458 // character from a space ' ' to a zero '0'.
459 pad = ch == '0' ? '0' : ' ';
460 for (;;) {
461 // The maximum allowed padding fills all the available address
462 // space and leaves just enough space to insert the trailing NUL.
463 const size_t max_padding = kSSizeMax - 1;
464 if (padding > max_padding/10 ||
465 10*padding > max_padding - (ch - '0')) {
466 DEBUG_CHECK(padding <= max_padding/10 &&
467 10*padding <= max_padding - (ch - '0'));
468 // Integer overflow detected. Skip the rest of the width until
469 // we find the format character, then do the normal error handling.
470 padding_overflow:
471 padding = max_padding;
472 while ((ch = *fmt++) >= '0' && ch <= '9') {
473 }
474 if (cur_arg < max_args) {
475 ++cur_arg;
476 }
477 goto fail_to_expand;
478 }
479 padding = 10*padding + ch - '0';
480 if (padding > max_padding) {
481 // This doesn't happen for "sane" values of kSSizeMax. But once
482 // kSSizeMax gets smaller than about 10, our earlier range checks
483 // are incomplete. Unittests do trigger this artificial corner
484 // case.
485 DEBUG_CHECK(padding <= max_padding);
486 goto padding_overflow;
487 }
488 ch = *fmt++;
489 if (ch < '0' || ch > '9') {
490 // Reached the end of the width parameter. This is where the format
491 // character is found.
492 goto format_character_found;
493 }
494 }
495 break;
496 case 'c': { // Output an ASCII character.
497 // Check that there are arguments left to be inserted.
498 if (cur_arg >= max_args) {
499 DEBUG_CHECK(cur_arg < max_args);
500 goto fail_to_expand;
501 }
502
503 // Check that the argument has the expected type.
504 const Arg& arg = args[cur_arg++];
505 if (arg.type != Arg::INT && arg.type != Arg::UINT) {
506 DEBUG_CHECK(arg.type == Arg::INT || arg.type == Arg::UINT);
507 goto fail_to_expand;
508 }
509
510 // Apply padding, if needed.
511 buffer.Pad(' ', padding, 1);
512
513 // Convert the argument to an ASCII character and output it.
514 char as_char = static_cast<char>(arg.integer.i);
515 if (!as_char) {
516 goto end_of_output_buffer;
517 }
518 buffer.Out(as_char);
519 break; }
520 case 'd': // Output a possibly signed decimal value.
521 case 'o': // Output an unsigned octal value.
522 case 'x': // Output an unsigned hexadecimal value.
523 case 'X':
524 case 'p': { // Output a pointer value.
525 // Check that there are arguments left to be inserted.
526 if (cur_arg >= max_args) {
527 DEBUG_CHECK(cur_arg < max_args);
528 goto fail_to_expand;
529 }
530
531 const Arg& arg = args[cur_arg++];
532 int64_t i;
533 const char* prefix = NULL;
534 if (ch != 'p') {
535 // Check that the argument has the expected type.
536 if (arg.type != Arg::INT && arg.type != Arg::UINT) {
537 DEBUG_CHECK(arg.type == Arg::INT || arg.type == Arg::UINT);
538 goto fail_to_expand;
539 }
540 i = arg.integer.i;
541
542 if (ch != 'd') {
543 // The Arg() constructor automatically performed sign expansion on
544 // signed parameters. This is great when outputting a %d decimal
545 // number, but can result in unexpected leading 0xFF bytes when
546 // outputting a %x hexadecimal number. Mask bits, if necessary.
547 // We have to do this here, instead of in the Arg() constructor, as
548 // the Arg() constructor cannot tell whether we will output a %d
549 // or a %x. Only the latter should experience masking.
550 if (arg.integer.width < sizeof(int64_t)) {
551 i &= (1LL << (8*arg.integer.width)) - 1;
552 }
553 }
554 } else {
555 // Pointer values require an actual pointer or a string.
556 if (arg.type == Arg::POINTER) {
557 i = reinterpret_cast<uintptr_t>(arg.ptr);
558 } else if (arg.type == Arg::STRING) {
559 i = reinterpret_cast<uintptr_t>(arg.str);
560 } else if (arg.type == Arg::INT &&
561 arg.integer.width == sizeof(NULL) &&
562 arg.integer.i == 0) { // Allow C++'s version of NULL
563 i = 0;
564 } else {
565 DEBUG_CHECK(arg.type == Arg::POINTER || arg.type == Arg::STRING);
566 goto fail_to_expand;
567 }
568
569 // Pointers always include the "0x" prefix.
570 prefix = "0x";
571 }
572
573 // Use IToASCII() to convert to ASCII representation. For decimal
574 // numbers, optionally print a sign. For hexadecimal numbers,
575 // distinguish between upper and lower case. %p addresses are always
576 // printed as upcase. Supports base 8, 10, and 16. Prints padding
577 // and/or prefixes, if so requested.
578 buffer.IToASCII(ch == 'd' && arg.type == Arg::INT,
579 ch != 'x', i,
580 ch == 'o' ? 8 : ch == 'd' ? 10 : 16,
581 pad, padding, prefix);
582 break; }
583 case 's': {
584 // Check that there are arguments left to be inserted.
585 if (cur_arg >= max_args) {
586 DEBUG_CHECK(cur_arg < max_args);
587 goto fail_to_expand;
588 }
589
590 // Check that the argument has the expected type.
591 const Arg& arg = args[cur_arg++];
592 const char *s;
593 if (arg.type == Arg::STRING) {
594 s = arg.str ? arg.str : "<NULL>";
595 } else if (arg.type == Arg::INT && arg.integer.width == sizeof(NULL) &&
596 arg.integer.i == 0) { // Allow C++'s version of NULL
597 s = "<NULL>";
598 } else {
599 DEBUG_CHECK(arg.type == Arg::STRING);
600 goto fail_to_expand;
601 }
602
603 // Apply padding, if needed. This requires us to first check the
604 // length of the string that we are outputting.
605 if (padding) {
606 size_t len = 0;
607 for (const char* src = s; *src++; ) {
608 ++len;
609 }
610 buffer.Pad(' ', padding, len);
611 }
612
613 // Printing a string involves nothing more than copying it into the
614 // output buffer and making sure we don't output more bytes than
615 // available space; Out() takes care of doing that.
616 for (const char* src = s; *src; ) {
617 buffer.Out(*src++);
618 }
619 break; }
620 case '%':
621 // Quoted percent '%' character.
622 goto copy_verbatim;
623 fail_to_expand:
624 // C++ gives us tools to do type checking -- something that snprintf()
625 // could never really do. So, whenever we see arguments that don't
626 // match up with the format string, we refuse to output them. But
627 // since we have to be extremely conservative about being async-
628 // signal-safe, we are limited in the type of error handling that we
629 // can do in production builds (in debug builds we can use
630 // DEBUG_CHECK() and hope for the best). So, all we do is pass the
631 // format string unchanged. That should eventually get the user's
632 // attention; and in the meantime, it hopefully doesn't lose too much
633 // data.
634 default:
635 // Unknown or unsupported format character. Just copy verbatim to
636 // output.
637 buffer.Out('%');
638 DEBUG_CHECK(ch);
639 if (!ch) {
640 goto end_of_format_string;
641 }
642 buffer.Out(ch);
643 break;
644 }
645 } else {
646 copy_verbatim:
647 buffer.Out(fmt[-1]);
648 }
649 }
650 end_of_format_string:
651 end_of_output_buffer:
652 return buffer.GetCount();
653 }
654
655 } // namespace internal
656
SafeSNPrintf(char * buf,size_t sz,const char * fmt)657 ssize_t SafeSNPrintf(char* buf, size_t sz, const char* fmt) {
658 // Make sure that at least one NUL byte can be written, and that the buffer
659 // never overflows kSSizeMax. Not only does that use up most or all of the
660 // address space, it also would result in a return code that cannot be
661 // represented.
662 if (static_cast<ssize_t>(sz) < 1) {
663 return -1;
664 } else if (sz > kSSizeMax) {
665 sz = kSSizeMax;
666 }
667
668 Buffer buffer(buf, sz);
669
670 // In the slow-path, we deal with errors by copying the contents of
671 // "fmt" unexpanded. This means, if there are no arguments passed, the
672 // SafeSPrintf() function always degenerates to a version of strncpy() that
673 // de-duplicates '%' characters.
674 const char* src = fmt;
675 for (; *src; ++src) {
676 buffer.Out(*src);
677 DEBUG_CHECK(src[0] != '%' || src[1] == '%');
678 if (src[0] == '%' && src[1] == '%') {
679 ++src;
680 }
681 }
682 return buffer.GetCount();
683 }
684
685 } // namespace strings
686 } // namespace base
687