Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(132)

Side by Side Diff: base/strings/safe_sprintf.cc

Issue 23777003: Second attempt at introducing SafeSPrintf(). (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src
Patch Set: Added missing braces (style-change only) Created 7 years, 3 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch | Annotate | Revision Log
« no previous file with comments | « base/strings/safe_sprintf.h ('k') | base/strings/safe_sprintf_unittest.cc » ('j') | no next file with comments »
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
(Empty)
1 // Copyright (c) 2013 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 #include "base/strings/safe_sprintf.h"
6
7 #include <limits>
8
9 #if !defined(NDEBUG)
10 // In debug builds, we use RAW_CHECK() to print useful error messages, if
11 // SafeSPrintf() is called with broken arguments.
12 // As our contract promises that SafeSPrintf() can be called from any
13 // restricted run-time context, it is not actually safe to call logging
14 // functions from it; and we only ever do so for debug builds and hope for the
15 // best. We should _never_ call any logging function other than RAW_CHECK(),
16 // and we should _never_ include any logging code that is active in production
17 // builds. Most notably, we should not include these logging functions in
18 // unofficial release builds, even though those builds would otherwise have
19 // DCHECKS() enabled.
20 // In other words; please do not remove the #ifdef around this #include.
21 // Instead, in production builds we opt for returning a degraded result,
22 // whenever an error is encountered.
23 // E.g. The broken function call
24 // SafeSPrintf("errno = %d (%x)", errno, strerror(errno))
25 // will print something like
26 // errno = 13, (%x)
27 // instead of
28 // errno = 13 (Access denied)
29 // In most of the anticipated use cases, that's probably the preferred
30 // behavior.
31 #include "base/logging.h"
32 #define DEBUG_CHECK RAW_CHECK
33 #else
34 #define DEBUG_CHECK(x) do { if (x) { } } while (0)
35 #endif
36
37 namespace base {
38 namespace strings {
39
40 // The code in this file is extremely careful to be async-signal-safe.
41 //
42 // Most obviously, we avoid calling any code that could dynamically allocate
43 // memory. Doing so would almost certainly result in bugs and dead-locks.
44 // We also avoid calling any other STL functions that could have unintended
45 // side-effects involving memory allocation or access to other shared
46 // resources.
47 //
48 // But on top of that, we also avoid calling other library functions, as many
49 // of them have the side-effect of calling getenv() (in order to deal with
50 // localization) or accessing errno. The latter sounds benign, but there are
51 // several execution contexts where it isn't even possible to safely read let
52 // alone write errno.
53 //
54 // The stated design goal of the SafeSPrintf() function is that it can be
55 // called from any context that can safely call C or C++ code (i.e. anything
56 // that doesn't require assembly code).
57 //
58 // For a brief overview of some but not all of the issues with async-signal-
59 // safety, refer to:
60 // http://pubs.opengroup.org/onlinepubs/009695399/functions/xsh_chap02_04.html
61
62 namespace {
63 const size_t kSSizeMaxConst = ((size_t)(ssize_t)-1) >> 1;
64
65 const char kUpCaseHexDigits[] = "0123456789ABCDEF";
66 const char kDownCaseHexDigits[] = "0123456789abcdef";
67 }
68
69 #if defined(NDEBUG)
70 // We would like to define kSSizeMax as std::numeric_limits<ssize_t>::max(),
71 // but C++ doesn't allow us to do that for constants. Instead, we have to
72 // use careful casting and shifting. We later use a COMPILE_ASSERT to
73 // verify that this worked correctly.
74 namespace {
75 const size_t kSSizeMax = kSSizeMaxConst;
76 }
77 #else // defined(NDEBUG)
78 // For efficiency, we really need kSSizeMax to be a constant. But for unit
79 // tests, it should be adjustable. This allows us to verify edge cases without
80 // having to fill the entire available address space. As a compromise, we make
81 // kSSizeMax adjustable in debug builds, and then only compile that particular
82 // part of the unit test in debug builds.
83 namespace {
84 static size_t kSSizeMax = kSSizeMaxConst;
85 }
86
87 namespace internal {
88 void SetSafeSPrintfSSizeMaxForTest(size_t max) {
89 kSSizeMax = max;
90 }
91
92 size_t GetSafeSPrintfSSizeMaxForTest() {
93 return kSSizeMax;
94 }
95 }
96 #endif // defined(NDEBUG)
97
98 namespace {
99 class Buffer {
100 public:
101 // |buffer| is caller-allocated storage that SafeSPrintf() writes to. It
102 // has |size| bytes of writable storage. It is the caller's responsibility
103 // to ensure that the buffer is at least one byte in size, so that it fits
104 // the trailing NUL that will be added by the destructor. The buffer also
105 // must be smaller or equal to kSSizeMax in size.
106 Buffer(char* buffer, size_t size)
107 : buffer_(buffer),
108 size_(size - 1), // Account for trailing NUL byte
109 count_(0) {
110 // This test should work on all C++11 compilers, but apparently something is
111 // not working on all versions of clang just yet (e.g. on Mac, IOS, and
112 // Android). We are conservative and exclude all of clang for the time being.
113 // TODO(markus): Check if this restriction can be lifted.
114 #if __cplusplus >= 201103 && !defined(__clang__)
115 COMPILE_ASSERT(kSSizeMaxConst == std::numeric_limits<ssize_t>::max(),
116 kSSizeMax_is_the_max_value_of_an_ssize_t);
117 #endif
118 DEBUG_CHECK(size > 0);
119 DEBUG_CHECK(size <= kSSizeMax);
120 }
121
122 ~Buffer() {
123 // The code calling the constructor guaranteed that there was enough space
124 // to store a trailing NUL -- and in debug builds, we are actually
125 // verifying this with DEBUG_CHECK()s in the constructor. So, we can
126 // always unconditionally write the NUL byte in the destructor. We do not
127 // need to adjust the count_, as SafeSPrintf() copies snprintf() in not
128 // including the NUL byte in its return code.
129 *GetInsertionPoint() = '\000';
130 }
131
132 // Returns true, iff the buffer is filled all the way to |kSSizeMax-1|. The
133 // caller can now stop adding more data, as GetCount() has reached its
134 // maximum possible value.
135 inline bool OutOfAddressableSpace() const {
136 return count_ == static_cast<size_t>(kSSizeMax - 1);
137 }
138
139 // Returns the number of bytes that would have been emitted to |buffer_|
140 // if it was sized sufficiently large. This number can be larger than
141 // |size_|, if the caller provided an insufficiently large output buffer.
142 // But it will never be bigger than |kSSizeMax-1|.
143 inline ssize_t GetCount() const {
144 DEBUG_CHECK(count_ < kSSizeMax);
145 return static_cast<ssize_t>(count_);
146 }
147
148 // Emits one |ch| character into the |buffer_| and updates the |count_| of
149 // characters that are currently supposed to be in the buffer.
150 // Returns "false", iff the buffer was already full.
151 // N.B. |count_| increases even if no characters have been written. This is
152 // needed so that GetCount() can return the number of bytes that should
153 // have been allocated for the |buffer_|.
154 inline bool Out(char ch) {
155 if (size_ >= 1 && count_ < size_) {
156 buffer_[count_] = ch;
157 return IncrementCountByOne();
158 }
159 // |count_| still needs to be updated, even if the buffer has been
160 // filled completely. This allows SafeSPrintf() to return the number of
161 // bytes that should have been emitted.
162 IncrementCountByOne();
163 return false;
164 }
165
166 // Inserts |padding|-|len| bytes worth of padding into the |buffer_|.
167 // |count_| will also be incremented by the number of bytes that were meant
168 // to be emitted. The |pad| character is typically either a ' ' space
169 // or a '0' zero, but other non-NUL values are legal.
170 // Returns "false", iff the the |buffer_| filled up (i.e. |count_|
171 // overflowed |size_|) at any time during padding.
172 inline bool Pad(char pad, size_t padding, size_t len) {
173 DEBUG_CHECK(pad);
174 DEBUG_CHECK(padding >= 0 && padding <= kSSizeMax);
175 DEBUG_CHECK(len >= 0);
176 for (; padding > len; --padding) {
177 if (!Out(pad)) {
178 if (--padding) {
179 IncrementCount(padding-len);
180 }
181 return false;
182 }
183 }
184 return true;
185 }
186
187 // POSIX doesn't define any async-signal-safe function for converting
188 // an integer to ASCII. Define our own version.
189 //
190 // This also gives us the ability to make the function a little more
191 // powerful and have it deal with |padding|, with truncation, and with
192 // predicting the length of the untruncated output.
193 //
194 // IToASCII() converts an integer |i| to ASCII.
195 //
196 // Unlike similar functions in the standard C library, it never appends a
197 // NUL character. This is left for the caller to do.
198 //
199 // While the function signature takes a signed int64_t, the code decides at
200 // run-time whether to treat the argument as signed (int64_t) or as unsigned
201 // (uint64_t) based on the value of |sign|.
202 //
203 // It supports |base|s 2 through 16. Only a |base| of 10 is allowed to have
204 // a |sign|. Otherwise, |i| is treated as unsigned.
205 //
206 // For bases larger than 10, |upcase| decides whether lower-case or upper-
207 // case letters should be used to designate digits greater than 10.
208 //
209 // Padding can be done with either '0' zeros or ' ' spaces. Padding has to
210 // be positive and will always be applied to the left of the output.
211 //
212 // Prepends a |prefix| to the number (e.g. "0x"). This prefix goes to
213 // the left of |padding|, if |pad| is '0'; and to the right of |padding|
214 // if |pad| is ' '.
215 //
216 // Returns "false", if the |buffer_| overflowed at any time.
217 bool IToASCII(bool sign, bool upcase, int64_t i, int base,
218 char pad, size_t padding, const char* prefix);
219
220 private:
221 // Increments |count_| by |inc| unless this would cause |count_| to
222 // overflow |kSSizeMax-1|. Returns "false", iff an overflow was detected;
223 // it then clamps |count_| to |kSSizeMax-1|.
224 inline bool IncrementCount(size_t inc) {
225 // "inc" is either 1 or a "padding" value. Padding is clamped at
226 // run-time to at most kSSizeMax-1. So, we know that "inc" is always in
227 // the range 1..kSSizeMax-1.
228 // This allows us to compute "kSSizeMax - 1 - inc" without incurring any
229 // integer overflows.
230 DEBUG_CHECK(inc <= kSSizeMax - 1);
231 if (count_ > kSSizeMax - 1 - inc) {
232 count_ = kSSizeMax - 1;
233 return false;
234 } else {
235 count_ += inc;
236 return true;
237 }
238 }
239
240 // Convenience method for the common case of incrementing |count_| by one.
241 inline bool IncrementCountByOne() {
242 return IncrementCount(1);
243 }
244
245 // Return the current insertion point into the buffer. This is typically
246 // at |buffer_| + |count_|, but could be before that if truncation
247 // happened. It always points to one byte past the last byte that was
248 // successfully placed into the |buffer_|.
249 inline char* GetInsertionPoint() const {
250 size_t idx = count_;
251 if (idx > size_) {
252 idx = size_;
253 }
254 return buffer_ + idx;
255 }
256
257 // User-provided buffer that will receive the fully formatted output string.
258 char* buffer_;
259
260 // Number of bytes that are available in the buffer excluding the trailing
261 // NUL byte that will be added by the destructor.
262 const size_t size_;
263
264 // Number of bytes that would have been emitted to the buffer, if the buffer
265 // was sufficiently big. This number always excludes the trailing NUL byte
266 // and it is guaranteed to never grow bigger than kSSizeMax-1.
267 size_t count_;
268
269 DISALLOW_COPY_AND_ASSIGN(Buffer);
270 };
271
272
273 bool Buffer::IToASCII(bool sign, bool upcase, int64_t i, int base,
274 char pad, size_t padding, const char* prefix) {
275 // Sanity check for parameters. None of these should ever fail, but see
276 // above for the rationale why we can't call CHECK().
277 DEBUG_CHECK(base >= 2);
278 DEBUG_CHECK(base <= 16);
279 DEBUG_CHECK(!sign || base == 10);
280 DEBUG_CHECK(pad == '0' || pad == ' ');
281 DEBUG_CHECK(padding >= 0);
282 DEBUG_CHECK(padding <= kSSizeMax);
283 DEBUG_CHECK(!(sign && prefix && *prefix));
284
285 // Handle negative numbers, if the caller indicated that |i| should be
286 // treated as a signed number; otherwise treat |i| as unsigned (even if the
287 // MSB is set!)
288 // Details are tricky, because of limited data-types, but equivalent pseudo-
289 // code would look like:
290 // if (sign && i < 0)
291 // prefix = "-";
292 // num = abs(i);
293 int minint = 0;
294 uint64_t num;
295 if (sign && i < 0) {
296 prefix = "-";
297
298 // Turn our number positive.
299 if (i == std::numeric_limits<int64_t>::min()) {
300 // The most negative integer needs special treatment.
301 minint = 1;
302 num = static_cast<uint64_t>(-(i + 1));
303 } else {
304 // "Normal" negative numbers are easy.
305 num = static_cast<uint64_t>(-i);
306 }
307 } else {
308 num = static_cast<uint64_t>(i);
309 }
310
311 // If padding with '0' zero, emit the prefix or '-' character now. Otherwise,
312 // make the prefix accessible in reverse order, so that we can later output
313 // it right between padding and the number.
314 // We cannot choose the easier approach of just reversing the number, as that
315 // fails in situations where we need to truncate numbers that have padding
316 // and/or prefixes.
317 const char* reverse_prefix = NULL;
318 if (prefix && *prefix) {
319 if (pad == '0') {
320 while (*prefix) {
321 if (padding) {
322 --padding;
323 }
324 Out(*prefix++);
325 }
326 prefix = NULL;
327 } else {
328 for (reverse_prefix = prefix; *reverse_prefix; ++reverse_prefix) {
329 }
330 }
331 } else
332 prefix = NULL;
333 const size_t prefix_length = reverse_prefix - prefix;
334
335 // Loop until we have converted the entire number. Output at least one
336 // character (i.e. '0').
337 size_t start = count_;
338 size_t discarded = 0;
339 bool started = false;
340 do {
341 // Make sure there is still enough space left in our output buffer.
342 if (count_ >= size_) {
343 if (start < size_) {
344 // It is rare that we need to output a partial number. But if asked
345 // to do so, we will still make sure we output the correct number of
346 // leading digits.
347 // Since we are generating the digits in reverse order, we actually
348 // have to discard digits in the order that we have already emitted
349 // them. This is essentially equivalent to:
350 // memmove(buffer_ + start, buffer_ + start + 1, size_ - start - 1)
351 for (char* move = buffer_ + start, *end = buffer_ + size_ - 1;
352 move < end;
353 ++move) {
354 *move = move[1];
355 }
356 ++discarded;
357 --count_;
358 } else if (count_ - size_ > 1) {
359 // Need to increment either |count_| or |discarded| to make progress.
360 // The latter is more efficient, as it eventually triggers fast
361 // handling of padding. But we have to ensure we don't accidentally
362 // change the overall state (i.e. switch the state-machine from
363 // discarding to non-discarding). |count_| needs to always stay
364 // bigger than |size_|.
365 --count_;
366 ++discarded;
367 }
368 }
369
370 // Output the next digit and (if necessary) compensate for the most
371 // negative integer needing special treatment. This works because,
372 // no matter the bit width of the integer, the lowest-most decimal
373 // integer always ends in 2, 4, 6, or 8.
374 if (!num && started) {
375 if (reverse_prefix > prefix) {
376 Out(*--reverse_prefix);
377 } else {
378 Out(pad);
379 }
380 } else {
381 started = true;
382 Out((upcase ? kUpCaseHexDigits : kDownCaseHexDigits)[num%base + minint]);
383 }
384
385 minint = 0;
386 num /= base;
387
388 // Add padding, if requested.
389 if (padding > 0) {
390 --padding;
391
392 // Performance optimization for when we are asked to output excessive
393 // padding, but our output buffer is limited in size. Even if we output
394 // a 64bit number in binary, we would never write more than 64 plus
395 // prefix non-padding characters. So, once this limit has been passed,
396 // any further state change can be computed arithmetically; we know that
397 // by this time, our entire final output consists of padding characters
398 // that have all already been output.
399 if (discarded > 8*sizeof(num) + prefix_length) {
400 IncrementCount(padding);
401 padding = 0;
402 }
403 }
404 } while (num || padding || (reverse_prefix > prefix));
405
406 // Conversion to ASCII actually resulted in the digits being in reverse
407 // order. We can't easily generate them in forward order, as we can't tell
408 // the number of characters needed until we are done converting.
409 // So, now, we reverse the string (except for the possible '-' sign).
410 char* front = buffer_ + start;
411 char* back = GetInsertionPoint();
412 while (--back > front) {
413 char ch = *back;
414 *back = *front;
415 *front++ = ch;
416 }
417
418 IncrementCount(discarded);
419 return !discarded;
420 }
421
422 } // anonymous namespace
423
424 namespace internal {
425
426 ssize_t SafeSNPrintf(char* buf, size_t sz, const char* fmt, const Arg* args,
427 const size_t max_args) {
428 // Make sure that at least one NUL byte can be written, and that the buffer
429 // never overflows kSSizeMax. Not only does that use up most or all of the
430 // address space, it also would result in a return code that cannot be
431 // represented.
432 if (static_cast<ssize_t>(sz) < 1) {
433 return -1;
434 } else if (sz > kSSizeMax) {
435 sz = kSSizeMax;
436 }
437
438 // Iterate over format string and interpret '%' arguments as they are
439 // encountered.
440 Buffer buffer(buf, sz);
441 size_t padding;
442 char pad;
443 for (unsigned int cur_arg = 0; *fmt && !buffer.OutOfAddressableSpace(); ) {
444 if (*fmt++ == '%') {
445 padding = 0;
446 pad = ' ';
447 char ch = *fmt++;
448 format_character_found:
449 switch (ch) {
450 case '0': case '1': case '2': case '3': case '4':
451 case '5': case '6': case '7': case '8': case '9':
452 // Found a width parameter. Convert to an integer value and store in
453 // "padding". If the leading digit is a zero, change the padding
454 // character from a space ' ' to a zero '0'.
455 pad = ch == '0' ? '0' : ' ';
456 for (;;) {
457 // The maximum allowed padding fills all the available address
458 // space and leaves just enough space to insert the trailing NUL.
459 const size_t max_padding = kSSizeMax - 1;
460 if (padding > max_padding/10 ||
461 10*padding > max_padding - (ch - '0')) {
462 DEBUG_CHECK(padding <= max_padding/10 &&
463 10*padding <= max_padding - (ch - '0'));
464 // Integer overflow detected. Skip the rest of the width until
465 // we find the format character, then do the normal error handling.
466 padding_overflow:
467 padding = max_padding;
468 while ((ch = *fmt++) >= '0' && ch <= '9') {
469 }
470 if (cur_arg < max_args) {
471 ++cur_arg;
472 }
473 goto fail_to_expand;
474 }
475 padding = 10*padding + ch - '0';
476 if (padding > max_padding) {
477 // This doesn't happen for "sane" values of kSSizeMax. But once
478 // kSSizeMax gets smaller than about 10, our earlier range checks
479 // are incomplete. Unittests do trigger this artificial corner
480 // case.
481 DEBUG_CHECK(padding <= max_padding);
482 goto padding_overflow;
483 }
484 ch = *fmt++;
485 if (ch < '0' || ch > '9') {
486 // Reached the end of the width parameter. This is where the format
487 // character is found.
488 goto format_character_found;
489 }
490 }
491 break;
492 case 'c': { // Output an ASCII character.
493 // Check that there are arguments left to be inserted.
494 if (cur_arg >= max_args) {
495 DEBUG_CHECK(cur_arg < max_args);
496 goto fail_to_expand;
497 }
498
499 // Check that the argument has the expected type.
500 const Arg& arg = args[cur_arg++];
501 if (arg.type != Arg::INT && arg.type != Arg::UINT) {
502 DEBUG_CHECK(arg.type == Arg::INT || arg.type == Arg::UINT);
503 goto fail_to_expand;
504 }
505
506 // Apply padding, if needed.
507 buffer.Pad(' ', padding, 1);
508
509 // Convert the argument to an ASCII character and output it.
510 char ch = static_cast<char>(arg.i);
511 if (!ch) {
512 goto end_of_output_buffer;
513 }
514 buffer.Out(ch);
515 break; }
516 case 'd': // Output a possibly signed decimal value.
517 case 'o': // Output an unsigned octal value.
518 case 'x': // Output an unsigned hexadecimal value.
519 case 'X':
520 case 'p': { // Output a pointer value.
521 // Check that there are arguments left to be inserted.
522 if (cur_arg >= max_args) {
523 DEBUG_CHECK(cur_arg < max_args);
524 goto fail_to_expand;
525 }
526
527 const Arg& arg = args[cur_arg++];
528 int64_t i;
529 const char* prefix = NULL;
530 if (ch != 'p') {
531 // Check that the argument has the expected type.
532 if (arg.type != Arg::INT && arg.type != Arg::UINT) {
533 DEBUG_CHECK(arg.type == Arg::INT || arg.type == Arg::UINT);
534 goto fail_to_expand;
535 }
536 i = arg.i;
537
538 if (ch != 'd') {
539 // The Arg() constructor automatically performed sign expansion on
540 // signed parameters. This is great when outputting a %d decimal
541 // number, but can result in unexpected leading 0xFF bytes when
542 // outputting a %x hexadecimal number. Mask bits, if necessary.
543 // We have to do this here, instead of in the Arg() constructor, as
544 // the Arg() constructor cannot tell whether we will output a %d
545 // or a %x. Only the latter should experience masking.
546 if (arg.width < sizeof(int64_t)) {
547 i &= (1LL << (8*arg.width)) - 1;
548 }
549 }
550 } else {
551 // Pointer values require an actual pointer or a string.
552 if (arg.type == Arg::POINTER) {
553 i = reinterpret_cast<uintptr_t>(arg.ptr);
554 } else if (arg.type == Arg::STRING) {
555 i = reinterpret_cast<uintptr_t>(arg.str);
556 } else if (arg.type == Arg::INT && arg.width == sizeof(NULL) &&
557 arg.i == 0) { // Allow C++'s version of NULL
558 i = 0;
559 } else {
560 DEBUG_CHECK(arg.type == Arg::POINTER || arg.type == Arg::STRING);
561 goto fail_to_expand;
562 }
563
564 // Pointers always include the "0x" prefix.
565 prefix = "0x";
566 }
567
568 // Use IToASCII() to convert to ASCII representation. For decimal
569 // numbers, optionally print a sign. For hexadecimal numbers,
570 // distinguish between upper and lower case. %p addresses are always
571 // printed as upcase. Supports base 8, 10, and 16. Prints padding
572 // and/or prefixes, if so requested.
573 buffer.IToASCII(ch == 'd' && arg.type == Arg::INT,
574 ch != 'x', i,
575 ch == 'o' ? 8 : ch == 'd' ? 10 : 16,
576 pad, padding, prefix);
577 break; }
578 case 's': {
579 // Check that there are arguments left to be inserted.
580 if (cur_arg >= max_args) {
581 DEBUG_CHECK(cur_arg < max_args);
582 goto fail_to_expand;
583 }
584
585 // Check that the argument has the expected type.
586 const Arg& arg = args[cur_arg++];
587 const char *s;
588 if (arg.type == Arg::STRING) {
589 s = arg.str ? arg.str : "<NULL>";
590 } else if (arg.type == Arg::INT && arg.width == sizeof(NULL) &&
591 arg.i == 0) { // Allow C++'s version of NULL
592 s = "<NULL>";
593 } else {
594 DEBUG_CHECK(arg.type == Arg::STRING);
595 goto fail_to_expand;
596 }
597
598 // Apply padding, if needed. This requires us to first check the
599 // length of the string that we are outputting.
600 if (padding) {
601 size_t len = 0;
602 for (const char* src = s; *src++; ) {
603 ++len;
604 }
605 buffer.Pad(' ', padding, len);
606 }
607
608 // Printing a string involves nothing more than copying it into the
609 // output buffer and making sure we don't output more bytes than
610 // available space; Out() takes care of doing that.
611 for (const char* src = s; *src; ) {
612 buffer.Out(*src++);
613 }
614 break; }
615 case '%':
616 // Quoted percent '%' character.
617 goto copy_verbatim;
618 fail_to_expand:
619 // C++ gives us tools to do type checking -- something that snprintf()
620 // could never really do. So, whenever we see arguments that don't
621 // match up with the format string, we refuse to output them. But
622 // since we have to be extremely conservative about being async-
623 // signal-safe, we are limited in the type of error handling that we
624 // can do in production builds (in debug builds we can use
625 // DEBUG_CHECK() and hope for the best). So, all we do is pass the
626 // format string unchanged. That should eventually get the user's
627 // attention; and in the meantime, it hopefully doesn't lose too much
628 // data.
629 default:
630 // Unknown or unsupported format character. Just copy verbatim to
631 // output.
632 buffer.Out('%');
633 DEBUG_CHECK(ch);
634 if (!ch) {
635 goto end_of_format_string;
636 }
637 buffer.Out(ch);
638 break;
639 }
640 } else {
641 copy_verbatim:
642 buffer.Out(fmt[-1]);
643 }
644 }
645 end_of_format_string:
646 end_of_output_buffer:
647 return buffer.GetCount();
648 }
649
650 } // namespace internal
651
652 ssize_t SafeSNPrintf(char* buf, size_t sz, const char* fmt) {
653 // Make sure that at least one NUL byte can be written, and that the buffer
654 // never overflows kSSizeMax. Not only does that use up most or all of the
655 // address space, it also would result in a return code that cannot be
656 // represented.
657 if (static_cast<ssize_t>(sz) < 1) {
658 return -1;
659 } else if (sz > kSSizeMax) {
660 sz = kSSizeMax;
661 }
662
663 Buffer buffer(buf, sz);
664
665 // In the slow-path, we deal with errors by copying the contents of
666 // "fmt" unexpanded. This means, if there are no arguments passed, the
667 // SafeSPrintf() function always degenerates to a version of strncpy() that
668 // de-duplicates '%' characters.
669 const char* src = fmt;
670 for (; *src; ++src) {
671 buffer.Out(*src);
672 DEBUG_CHECK(src[0] != '%' || src[1] == '%');
673 if (src[0] == '%' && src[1] == '%') {
674 ++src;
675 }
676 }
677 return buffer.GetCount();
678 }
679
680 } // namespace strings
681 } // namespace base
OLDNEW
« no previous file with comments | « base/strings/safe_sprintf.h ('k') | base/strings/safe_sprintf_unittest.cc » ('j') | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698