1 // Copyright 2013 The Chromium Authors. All rights reserved. 2 // Use of this source code is governed by a BSD-style license that can be 3 // found in the LICENSE file. 4 5 #include "base/strings/safe_sprintf.h" 6 7 #include <limits> 8 9 #if !defined(NDEBUG) 10 // In debug builds, we use RAW_CHECK() to print useful error messages, if 11 // SafeSPrintf() is called with broken arguments. 12 // As our contract promises that SafeSPrintf() can be called from any 13 // restricted run-time context, it is not actually safe to call logging 14 // functions from it; and we only ever do so for debug builds and hope for the 15 // best. We should _never_ call any logging function other than RAW_CHECK(), 16 // and we should _never_ include any logging code that is active in production 17 // builds. Most notably, we should not include these logging functions in 18 // unofficial release builds, even though those builds would otherwise have 19 // DCHECKS() enabled. 20 // In other words; please do not remove the #ifdef around this #include. 21 // Instead, in production builds we opt for returning a degraded result, 22 // whenever an error is encountered. 23 // E.g. The broken function call 24 // SafeSPrintf("errno = %d (%x)", errno, strerror(errno)) 25 // will print something like 26 // errno = 13, (%x) 27 // instead of 28 // errno = 13 (Access denied) 29 // In most of the anticipated use cases, that's probably the preferred 30 // behavior. 31 #include "base/logging.h" 32 #define DEBUG_CHECK RAW_CHECK 33 #else 34 #define DEBUG_CHECK(x) do { if (x) { } } while (0) 35 #endif 36 37 namespace base { 38 namespace strings { 39 40 // The code in this file is extremely careful to be async-signal-safe. 41 // 42 // Most obviously, we avoid calling any code that could dynamically allocate 43 // memory. Doing so would almost certainly result in bugs and dead-locks. 44 // We also avoid calling any other STL functions that could have unintended 45 // side-effects involving memory allocation or access to other shared 46 // resources. 47 // 48 // But on top of that, we also avoid calling other library functions, as many 49 // of them have the side-effect of calling getenv() (in order to deal with 50 // localization) or accessing errno. The latter sounds benign, but there are 51 // several execution contexts where it isn't even possible to safely read let 52 // alone write errno. 53 // 54 // The stated design goal of the SafeSPrintf() function is that it can be 55 // called from any context that can safely call C or C++ code (i.e. anything 56 // that doesn't require assembly code). 57 // 58 // For a brief overview of some but not all of the issues with async-signal- 59 // safety, refer to: 60 // http://pubs.opengroup.org/onlinepubs/009695399/functions/xsh_chap02_04.html 61 62 namespace { 63 const size_t kSSizeMaxConst = ((size_t)(ssize_t)-1) >> 1; 64 65 const char kUpCaseHexDigits[] = "0123456789ABCDEF"; 66 const char kDownCaseHexDigits[] = "0123456789abcdef"; 67 } 68 69 #if defined(NDEBUG) 70 // We would like to define kSSizeMax as std::numeric_limits<ssize_t>::max(), 71 // but C++ doesn't allow us to do that for constants. Instead, we have to 72 // use careful casting and shifting. We later use a COMPILE_ASSERT to 73 // verify that this worked correctly. 74 namespace { 75 const size_t kSSizeMax = kSSizeMaxConst; 76 } 77 #else // defined(NDEBUG) 78 // For efficiency, we really need kSSizeMax to be a constant. But for unit 79 // tests, it should be adjustable. This allows us to verify edge cases without 80 // having to fill the entire available address space. As a compromise, we make 81 // kSSizeMax adjustable in debug builds, and then only compile that particular 82 // part of the unit test in debug builds. 83 namespace { 84 static size_t kSSizeMax = kSSizeMaxConst; 85 } 86 87 namespace internal { 88 void SetSafeSPrintfSSizeMaxForTest(size_t max) { 89 kSSizeMax = max; 90 } 91 92 size_t GetSafeSPrintfSSizeMaxForTest() { 93 return kSSizeMax; 94 } 95 } 96 #endif // defined(NDEBUG) 97 98 namespace { 99 class Buffer { 100 public: 101 // |buffer| is caller-allocated storage that SafeSPrintf() writes to. It 102 // has |size| bytes of writable storage. It is the caller's responsibility 103 // to ensure that the buffer is at least one byte in size, so that it fits 104 // the trailing NUL that will be added by the destructor. The buffer also 105 // must be smaller or equal to kSSizeMax in size. 106 Buffer(char* buffer, size_t size) 107 : buffer_(buffer), 108 size_(size - 1), // Account for trailing NUL byte 109 count_(0) { 110 // The following assertion does not build on Mac and Android. This is because 111 // static_assert only works with compile-time constants, but mac uses 112 // libstdc++4.2 and android uses stlport, which both don't mark 113 // numeric_limits::max() as constexp. 114 #if __cplusplus >= 201103 && !defined(OS_ANDROID) && !defined(OS_MACOSX) && !defined(OS_IOS) 115 COMPILE_ASSERT(kSSizeMaxConst == \ 116 static_cast<size_t>(std::numeric_limits<ssize_t>::max()), 117 kSSizeMax_is_the_max_value_of_an_ssize_t); 118 #endif 119 DEBUG_CHECK(size > 0); 120 DEBUG_CHECK(size <= kSSizeMax); 121 } 122 123 ~Buffer() { 124 // The code calling the constructor guaranteed that there was enough space 125 // to store a trailing NUL -- and in debug builds, we are actually 126 // verifying this with DEBUG_CHECK()s in the constructor. So, we can 127 // always unconditionally write the NUL byte in the destructor. We do not 128 // need to adjust the count_, as SafeSPrintf() copies snprintf() in not 129 // including the NUL byte in its return code. 130 *GetInsertionPoint() = '\000'; 131 } 132 133 // Returns true, iff the buffer is filled all the way to |kSSizeMax-1|. The 134 // caller can now stop adding more data, as GetCount() has reached its 135 // maximum possible value. 136 inline bool OutOfAddressableSpace() const { 137 return count_ == static_cast<size_t>(kSSizeMax - 1); 138 } 139 140 // Returns the number of bytes that would have been emitted to |buffer_| 141 // if it was sized sufficiently large. This number can be larger than 142 // |size_|, if the caller provided an insufficiently large output buffer. 143 // But it will never be bigger than |kSSizeMax-1|. 144 inline ssize_t GetCount() const { 145 DEBUG_CHECK(count_ < kSSizeMax); 146 return static_cast<ssize_t>(count_); 147 } 148 149 // Emits one |ch| character into the |buffer_| and updates the |count_| of 150 // characters that are currently supposed to be in the buffer. 151 // Returns "false", iff the buffer was already full. 152 // N.B. |count_| increases even if no characters have been written. This is 153 // needed so that GetCount() can return the number of bytes that should 154 // have been allocated for the |buffer_|. 155 inline bool Out(char ch) { 156 if (size_ >= 1 && count_ < size_) { 157 buffer_[count_] = ch; 158 return IncrementCountByOne(); 159 } 160 // |count_| still needs to be updated, even if the buffer has been 161 // filled completely. This allows SafeSPrintf() to return the number of 162 // bytes that should have been emitted. 163 IncrementCountByOne(); 164 return false; 165 } 166 167 // Inserts |padding|-|len| bytes worth of padding into the |buffer_|. 168 // |count_| will also be incremented by the number of bytes that were meant 169 // to be emitted. The |pad| character is typically either a ' ' space 170 // or a '0' zero, but other non-NUL values are legal. 171 // Returns "false", iff the the |buffer_| filled up (i.e. |count_| 172 // overflowed |size_|) at any time during padding. 173 inline bool Pad(char pad, size_t padding, size_t len) { 174 DEBUG_CHECK(pad); 175 DEBUG_CHECK(padding >= 0 && padding <= kSSizeMax); 176 DEBUG_CHECK(len >= 0); 177 for (; padding > len; --padding) { 178 if (!Out(pad)) { 179 if (--padding) { 180 IncrementCount(padding-len); 181 } 182 return false; 183 } 184 } 185 return true; 186 } 187 188 // POSIX doesn't define any async-signal-safe function for converting 189 // an integer to ASCII. Define our own version. 190 // 191 // This also gives us the ability to make the function a little more 192 // powerful and have it deal with |padding|, with truncation, and with 193 // predicting the length of the untruncated output. 194 // 195 // IToASCII() converts an integer |i| to ASCII. 196 // 197 // Unlike similar functions in the standard C library, it never appends a 198 // NUL character. This is left for the caller to do. 199 // 200 // While the function signature takes a signed int64_t, the code decides at 201 // run-time whether to treat the argument as signed (int64_t) or as unsigned 202 // (uint64_t) based on the value of |sign|. 203 // 204 // It supports |base|s 2 through 16. Only a |base| of 10 is allowed to have 205 // a |sign|. Otherwise, |i| is treated as unsigned. 206 // 207 // For bases larger than 10, |upcase| decides whether lower-case or upper- 208 // case letters should be used to designate digits greater than 10. 209 // 210 // Padding can be done with either '0' zeros or ' ' spaces. Padding has to 211 // be positive and will always be applied to the left of the output. 212 // 213 // Prepends a |prefix| to the number (e.g. "0x"). This prefix goes to 214 // the left of |padding|, if |pad| is '0'; and to the right of |padding| 215 // if |pad| is ' '. 216 // 217 // Returns "false", if the |buffer_| overflowed at any time. 218 bool IToASCII(bool sign, bool upcase, int64_t i, int base, 219 char pad, size_t padding, const char* prefix); 220 221 private: 222 // Increments |count_| by |inc| unless this would cause |count_| to 223 // overflow |kSSizeMax-1|. Returns "false", iff an overflow was detected; 224 // it then clamps |count_| to |kSSizeMax-1|. 225 inline bool IncrementCount(size_t inc) { 226 // "inc" is either 1 or a "padding" value. Padding is clamped at 227 // run-time to at most kSSizeMax-1. So, we know that "inc" is always in 228 // the range 1..kSSizeMax-1. 229 // This allows us to compute "kSSizeMax - 1 - inc" without incurring any 230 // integer overflows. 231 DEBUG_CHECK(inc <= kSSizeMax - 1); 232 if (count_ > kSSizeMax - 1 - inc) { 233 count_ = kSSizeMax - 1; 234 return false; 235 } else { 236 count_ += inc; 237 return true; 238 } 239 } 240 241 // Convenience method for the common case of incrementing |count_| by one. 242 inline bool IncrementCountByOne() { 243 return IncrementCount(1); 244 } 245 246 // Return the current insertion point into the buffer. This is typically 247 // at |buffer_| + |count_|, but could be before that if truncation 248 // happened. It always points to one byte past the last byte that was 249 // successfully placed into the |buffer_|. 250 inline char* GetInsertionPoint() const { 251 size_t idx = count_; 252 if (idx > size_) { 253 idx = size_; 254 } 255 return buffer_ + idx; 256 } 257 258 // User-provided buffer that will receive the fully formatted output string. 259 char* buffer_; 260 261 // Number of bytes that are available in the buffer excluding the trailing 262 // NUL byte that will be added by the destructor. 263 const size_t size_; 264 265 // Number of bytes that would have been emitted to the buffer, if the buffer 266 // was sufficiently big. This number always excludes the trailing NUL byte 267 // and it is guaranteed to never grow bigger than kSSizeMax-1. 268 size_t count_; 269 270 DISALLOW_COPY_AND_ASSIGN(Buffer); 271 }; 272 273 274 bool Buffer::IToASCII(bool sign, bool upcase, int64_t i, int base, 275 char pad, size_t padding, const char* prefix) { 276 // Sanity check for parameters. None of these should ever fail, but see 277 // above for the rationale why we can't call CHECK(). 278 DEBUG_CHECK(base >= 2); 279 DEBUG_CHECK(base <= 16); 280 DEBUG_CHECK(!sign || base == 10); 281 DEBUG_CHECK(pad == '0' || pad == ' '); 282 DEBUG_CHECK(padding >= 0); 283 DEBUG_CHECK(padding <= kSSizeMax); 284 DEBUG_CHECK(!(sign && prefix && *prefix)); 285 286 // Handle negative numbers, if the caller indicated that |i| should be 287 // treated as a signed number; otherwise treat |i| as unsigned (even if the 288 // MSB is set!) 289 // Details are tricky, because of limited data-types, but equivalent pseudo- 290 // code would look like: 291 // if (sign && i < 0) 292 // prefix = "-"; 293 // num = abs(i); 294 int minint = 0; 295 uint64_t num; 296 if (sign && i < 0) { 297 prefix = "-"; 298 299 // Turn our number positive. 300 if (i == std::numeric_limits<int64_t>::min()) { 301 // The most negative integer needs special treatment. 302 minint = 1; 303 num = static_cast<uint64_t>(-(i + 1)); 304 } else { 305 // "Normal" negative numbers are easy. 306 num = static_cast<uint64_t>(-i); 307 } 308 } else { 309 num = static_cast<uint64_t>(i); 310 } 311 312 // If padding with '0' zero, emit the prefix or '-' character now. Otherwise, 313 // make the prefix accessible in reverse order, so that we can later output 314 // it right between padding and the number. 315 // We cannot choose the easier approach of just reversing the number, as that 316 // fails in situations where we need to truncate numbers that have padding 317 // and/or prefixes. 318 const char* reverse_prefix = NULL; 319 if (prefix && *prefix) { 320 if (pad == '0') { 321 while (*prefix) { 322 if (padding) { 323 --padding; 324 } 325 Out(*prefix++); 326 } 327 prefix = NULL; 328 } else { 329 for (reverse_prefix = prefix; *reverse_prefix; ++reverse_prefix) { 330 } 331 } 332 } else 333 prefix = NULL; 334 const size_t prefix_length = reverse_prefix - prefix; 335 336 // Loop until we have converted the entire number. Output at least one 337 // character (i.e. '0'). 338 size_t start = count_; 339 size_t discarded = 0; 340 bool started = false; 341 do { 342 // Make sure there is still enough space left in our output buffer. 343 if (count_ >= size_) { 344 if (start < size_) { 345 // It is rare that we need to output a partial number. But if asked 346 // to do so, we will still make sure we output the correct number of 347 // leading digits. 348 // Since we are generating the digits in reverse order, we actually 349 // have to discard digits in the order that we have already emitted 350 // them. This is essentially equivalent to: 351 // memmove(buffer_ + start, buffer_ + start + 1, size_ - start - 1) 352 for (char* move = buffer_ + start, *end = buffer_ + size_ - 1; 353 move < end; 354 ++move) { 355 *move = move[1]; 356 } 357 ++discarded; 358 --count_; 359 } else if (count_ - size_ > 1) { 360 // Need to increment either |count_| or |discarded| to make progress. 361 // The latter is more efficient, as it eventually triggers fast 362 // handling of padding. But we have to ensure we don't accidentally 363 // change the overall state (i.e. switch the state-machine from 364 // discarding to non-discarding). |count_| needs to always stay 365 // bigger than |size_|. 366 --count_; 367 ++discarded; 368 } 369 } 370 371 // Output the next digit and (if necessary) compensate for the most 372 // negative integer needing special treatment. This works because, 373 // no matter the bit width of the integer, the lowest-most decimal 374 // integer always ends in 2, 4, 6, or 8. 375 if (!num && started) { 376 if (reverse_prefix > prefix) { 377 Out(*--reverse_prefix); 378 } else { 379 Out(pad); 380 } 381 } else { 382 started = true; 383 Out((upcase ? kUpCaseHexDigits : kDownCaseHexDigits)[num%base + minint]); 384 } 385 386 minint = 0; 387 num /= base; 388 389 // Add padding, if requested. 390 if (padding > 0) { 391 --padding; 392 393 // Performance optimization for when we are asked to output excessive 394 // padding, but our output buffer is limited in size. Even if we output 395 // a 64bit number in binary, we would never write more than 64 plus 396 // prefix non-padding characters. So, once this limit has been passed, 397 // any further state change can be computed arithmetically; we know that 398 // by this time, our entire final output consists of padding characters 399 // that have all already been output. 400 if (discarded > 8*sizeof(num) + prefix_length) { 401 IncrementCount(padding); 402 padding = 0; 403 } 404 } 405 } while (num || padding || (reverse_prefix > prefix)); 406 407 // Conversion to ASCII actually resulted in the digits being in reverse 408 // order. We can't easily generate them in forward order, as we can't tell 409 // the number of characters needed until we are done converting. 410 // So, now, we reverse the string (except for the possible '-' sign). 411 char* front = buffer_ + start; 412 char* back = GetInsertionPoint(); 413 while (--back > front) { 414 char ch = *back; 415 *back = *front; 416 *front++ = ch; 417 } 418 419 IncrementCount(discarded); 420 return !discarded; 421 } 422 423 } // anonymous namespace 424 425 namespace internal { 426 427 ssize_t SafeSNPrintf(char* buf, size_t sz, const char* fmt, const Arg* args, 428 const size_t max_args) { 429 // Make sure that at least one NUL byte can be written, and that the buffer 430 // never overflows kSSizeMax. Not only does that use up most or all of the 431 // address space, it also would result in a return code that cannot be 432 // represented. 433 if (static_cast<ssize_t>(sz) < 1) { 434 return -1; 435 } else if (sz > kSSizeMax) { 436 sz = kSSizeMax; 437 } 438 439 // Iterate over format string and interpret '%' arguments as they are 440 // encountered. 441 Buffer buffer(buf, sz); 442 size_t padding; 443 char pad; 444 for (unsigned int cur_arg = 0; *fmt && !buffer.OutOfAddressableSpace(); ) { 445 if (*fmt++ == '%') { 446 padding = 0; 447 pad = ' '; 448 char ch = *fmt++; 449 format_character_found: 450 switch (ch) { 451 case '0': case '1': case '2': case '3': case '4': 452 case '5': case '6': case '7': case '8': case '9': 453 // Found a width parameter. Convert to an integer value and store in 454 // "padding". If the leading digit is a zero, change the padding 455 // character from a space ' ' to a zero '0'. 456 pad = ch == '0' ? '0' : ' '; 457 for (;;) { 458 // The maximum allowed padding fills all the available address 459 // space and leaves just enough space to insert the trailing NUL. 460 const size_t max_padding = kSSizeMax - 1; 461 if (padding > max_padding/10 || 462 10*padding > max_padding - (ch - '0')) { 463 DEBUG_CHECK(padding <= max_padding/10 && 464 10*padding <= max_padding - (ch - '0')); 465 // Integer overflow detected. Skip the rest of the width until 466 // we find the format character, then do the normal error handling. 467 padding_overflow: 468 padding = max_padding; 469 while ((ch = *fmt++) >= '0' && ch <= '9') { 470 } 471 if (cur_arg < max_args) { 472 ++cur_arg; 473 } 474 goto fail_to_expand; 475 } 476 padding = 10*padding + ch - '0'; 477 if (padding > max_padding) { 478 // This doesn't happen for "sane" values of kSSizeMax. But once 479 // kSSizeMax gets smaller than about 10, our earlier range checks 480 // are incomplete. Unittests do trigger this artificial corner 481 // case. 482 DEBUG_CHECK(padding <= max_padding); 483 goto padding_overflow; 484 } 485 ch = *fmt++; 486 if (ch < '0' || ch > '9') { 487 // Reached the end of the width parameter. This is where the format 488 // character is found. 489 goto format_character_found; 490 } 491 } 492 break; 493 case 'c': { // Output an ASCII character. 494 // Check that there are arguments left to be inserted. 495 if (cur_arg >= max_args) { 496 DEBUG_CHECK(cur_arg < max_args); 497 goto fail_to_expand; 498 } 499 500 // Check that the argument has the expected type. 501 const Arg& arg = args[cur_arg++]; 502 if (arg.type != Arg::INT && arg.type != Arg::UINT) { 503 DEBUG_CHECK(arg.type == Arg::INT || arg.type == Arg::UINT); 504 goto fail_to_expand; 505 } 506 507 // Apply padding, if needed. 508 buffer.Pad(' ', padding, 1); 509 510 // Convert the argument to an ASCII character and output it. 511 char ch = static_cast<char>(arg.i); 512 if (!ch) { 513 goto end_of_output_buffer; 514 } 515 buffer.Out(ch); 516 break; } 517 case 'd': // Output a possibly signed decimal value. 518 case 'o': // Output an unsigned octal value. 519 case 'x': // Output an unsigned hexadecimal value. 520 case 'X': 521 case 'p': { // Output a pointer value. 522 // Check that there are arguments left to be inserted. 523 if (cur_arg >= max_args) { 524 DEBUG_CHECK(cur_arg < max_args); 525 goto fail_to_expand; 526 } 527 528 const Arg& arg = args[cur_arg++]; 529 int64_t i; 530 const char* prefix = NULL; 531 if (ch != 'p') { 532 // Check that the argument has the expected type. 533 if (arg.type != Arg::INT && arg.type != Arg::UINT) { 534 DEBUG_CHECK(arg.type == Arg::INT || arg.type == Arg::UINT); 535 goto fail_to_expand; 536 } 537 i = arg.i; 538 539 if (ch != 'd') { 540 // The Arg() constructor automatically performed sign expansion on 541 // signed parameters. This is great when outputting a %d decimal 542 // number, but can result in unexpected leading 0xFF bytes when 543 // outputting a %x hexadecimal number. Mask bits, if necessary. 544 // We have to do this here, instead of in the Arg() constructor, as 545 // the Arg() constructor cannot tell whether we will output a %d 546 // or a %x. Only the latter should experience masking. 547 if (arg.width < sizeof(int64_t)) { 548 i &= (1LL << (8*arg.width)) - 1; 549 } 550 } 551 } else { 552 // Pointer values require an actual pointer or a string. 553 if (arg.type == Arg::POINTER) { 554 i = reinterpret_cast<uintptr_t>(arg.ptr); 555 } else if (arg.type == Arg::STRING) { 556 i = reinterpret_cast<uintptr_t>(arg.str); 557 } else if (arg.type == Arg::INT && arg.width == sizeof(NULL) && 558 arg.i == 0) { // Allow C++'s version of NULL 559 i = 0; 560 } else { 561 DEBUG_CHECK(arg.type == Arg::POINTER || arg.type == Arg::STRING); 562 goto fail_to_expand; 563 } 564 565 // Pointers always include the "0x" prefix. 566 prefix = "0x"; 567 } 568 569 // Use IToASCII() to convert to ASCII representation. For decimal 570 // numbers, optionally print a sign. For hexadecimal numbers, 571 // distinguish between upper and lower case. %p addresses are always 572 // printed as upcase. Supports base 8, 10, and 16. Prints padding 573 // and/or prefixes, if so requested. 574 buffer.IToASCII(ch == 'd' && arg.type == Arg::INT, 575 ch != 'x', i, 576 ch == 'o' ? 8 : ch == 'd' ? 10 : 16, 577 pad, padding, prefix); 578 break; } 579 case 's': { 580 // Check that there are arguments left to be inserted. 581 if (cur_arg >= max_args) { 582 DEBUG_CHECK(cur_arg < max_args); 583 goto fail_to_expand; 584 } 585 586 // Check that the argument has the expected type. 587 const Arg& arg = args[cur_arg++]; 588 const char *s; 589 if (arg.type == Arg::STRING) { 590 s = arg.str ? arg.str : "<NULL>"; 591 } else if (arg.type == Arg::INT && arg.width == sizeof(NULL) && 592 arg.i == 0) { // Allow C++'s version of NULL 593 s = "<NULL>"; 594 } else { 595 DEBUG_CHECK(arg.type == Arg::STRING); 596 goto fail_to_expand; 597 } 598 599 // Apply padding, if needed. This requires us to first check the 600 // length of the string that we are outputting. 601 if (padding) { 602 size_t len = 0; 603 for (const char* src = s; *src++; ) { 604 ++len; 605 } 606 buffer.Pad(' ', padding, len); 607 } 608 609 // Printing a string involves nothing more than copying it into the 610 // output buffer and making sure we don't output more bytes than 611 // available space; Out() takes care of doing that. 612 for (const char* src = s; *src; ) { 613 buffer.Out(*src++); 614 } 615 break; } 616 case '%': 617 // Quoted percent '%' character. 618 goto copy_verbatim; 619 fail_to_expand: 620 // C++ gives us tools to do type checking -- something that snprintf() 621 // could never really do. So, whenever we see arguments that don't 622 // match up with the format string, we refuse to output them. But 623 // since we have to be extremely conservative about being async- 624 // signal-safe, we are limited in the type of error handling that we 625 // can do in production builds (in debug builds we can use 626 // DEBUG_CHECK() and hope for the best). So, all we do is pass the 627 // format string unchanged. That should eventually get the user's 628 // attention; and in the meantime, it hopefully doesn't lose too much 629 // data. 630 default: 631 // Unknown or unsupported format character. Just copy verbatim to 632 // output. 633 buffer.Out('%'); 634 DEBUG_CHECK(ch); 635 if (!ch) { 636 goto end_of_format_string; 637 } 638 buffer.Out(ch); 639 break; 640 } 641 } else { 642 copy_verbatim: 643 buffer.Out(fmt[-1]); 644 } 645 } 646 end_of_format_string: 647 end_of_output_buffer: 648 return buffer.GetCount(); 649 } 650 651 } // namespace internal 652 653 ssize_t SafeSNPrintf(char* buf, size_t sz, const char* fmt) { 654 // Make sure that at least one NUL byte can be written, and that the buffer 655 // never overflows kSSizeMax. Not only does that use up most or all of the 656 // address space, it also would result in a return code that cannot be 657 // represented. 658 if (static_cast<ssize_t>(sz) < 1) { 659 return -1; 660 } else if (sz > kSSizeMax) { 661 sz = kSSizeMax; 662 } 663 664 Buffer buffer(buf, sz); 665 666 // In the slow-path, we deal with errors by copying the contents of 667 // "fmt" unexpanded. This means, if there are no arguments passed, the 668 // SafeSPrintf() function always degenerates to a version of strncpy() that 669 // de-duplicates '%' characters. 670 const char* src = fmt; 671 for (; *src; ++src) { 672 buffer.Out(*src); 673 DEBUG_CHECK(src[0] != '%' || src[1] == '%'); 674 if (src[0] == '%' && src[1] == '%') { 675 ++src; 676 } 677 } 678 return buffer.GetCount(); 679 } 680 681 } // namespace strings 682 } // namespace base 683
