1 // Copyright 2013 The Chromium Authors. All rights reserved. 2 // Use of this source code is governed by a BSD-style license that can be 3 // found in the LICENSE file. 4 5 #include "base/strings/safe_sprintf.h" 6 7 #include <stdio.h> 8 #include <string.h> 9 10 #include <limits> 11 12 #include "base/logging.h" 13 #include "base/memory/scoped_ptr.h" 14 #include "testing/gtest/include/gtest/gtest.h" 15 16 // Death tests on Android are currently very flaky. No need to add more flaky 17 // tests, as they just make it hard to spot real problems. 18 // TODO(markus): See if the restrictions on Android can eventually be lifted. 19 #if defined(GTEST_HAS_DEATH_TEST) && !defined(OS_ANDROID) 20 #define ALLOW_DEATH_TEST 21 #endif 22 23 namespace base { 24 namespace strings { 25 26 TEST(SafeSPrintfTest, Empty) { 27 char buf[2] = { 'X', 'X' }; 28 29 // Negative buffer size should always result in an error. 30 EXPECT_EQ(-1, SafeSNPrintf(buf, static_cast<size_t>(-1), "")); 31 EXPECT_EQ('X', buf[0]); 32 EXPECT_EQ('X', buf[1]); 33 34 // Zero buffer size should always result in an error. 35 EXPECT_EQ(-1, SafeSNPrintf(buf, 0, "")); 36 EXPECT_EQ('X', buf[0]); 37 EXPECT_EQ('X', buf[1]); 38 39 // A one-byte buffer should always print a single NUL byte. 40 EXPECT_EQ(0, SafeSNPrintf(buf, 1, "")); 41 EXPECT_EQ(0, buf[0]); 42 EXPECT_EQ('X', buf[1]); 43 buf[0] = 'X'; 44 45 // A larger buffer should leave the trailing bytes unchanged. 46 EXPECT_EQ(0, SafeSNPrintf(buf, 2, "")); 47 EXPECT_EQ(0, buf[0]); 48 EXPECT_EQ('X', buf[1]); 49 buf[0] = 'X'; 50 51 // The same test using SafeSPrintf() instead of SafeSNPrintf(). 52 EXPECT_EQ(0, SafeSPrintf(buf, "")); 53 EXPECT_EQ(0, buf[0]); 54 EXPECT_EQ('X', buf[1]); 55 buf[0] = 'X'; 56 } 57 58 TEST(SafeSPrintfTest, NoArguments) { 59 // Output a text message that doesn't require any substitutions. This 60 // is roughly equivalent to calling strncpy() (but unlike strncpy(), it does 61 // always add a trailing NUL; it always deduplicates '%' characters). 62 static const char text[] = "hello world"; 63 char ref[20], buf[20]; 64 memset(ref, 'X', sizeof(char) * arraysize(buf)); 65 memcpy(buf, ref, sizeof(buf)); 66 67 // A negative buffer size should always result in an error. 68 EXPECT_EQ(-1, SafeSNPrintf(buf, static_cast<size_t>(-1), text)); 69 EXPECT_TRUE(!memcmp(buf, ref, sizeof(buf))); 70 71 // Zero buffer size should always result in an error. 72 EXPECT_EQ(-1, SafeSNPrintf(buf, 0, text)); 73 EXPECT_TRUE(!memcmp(buf, ref, sizeof(buf))); 74 75 // A one-byte buffer should always print a single NUL byte. 76 EXPECT_EQ(static_cast<ssize_t>(sizeof(text))-1, SafeSNPrintf(buf, 1, text)); 77 EXPECT_EQ(0, buf[0]); 78 EXPECT_TRUE(!memcmp(buf+1, ref+1, sizeof(buf)-1)); 79 memcpy(buf, ref, sizeof(buf)); 80 81 // A larger (but limited) buffer should always leave the trailing bytes 82 // unchanged. 83 EXPECT_EQ(static_cast<ssize_t>(sizeof(text))-1, SafeSNPrintf(buf, 2, text)); 84 EXPECT_EQ(text[0], buf[0]); 85 EXPECT_EQ(0, buf[1]); 86 EXPECT_TRUE(!memcmp(buf+2, ref+2, sizeof(buf)-2)); 87 memcpy(buf, ref, sizeof(buf)); 88 89 // A unrestricted buffer length should always leave the trailing bytes 90 // unchanged. 91 EXPECT_EQ(static_cast<ssize_t>(sizeof(text))-1, 92 SafeSNPrintf(buf, sizeof(buf), text)); 93 EXPECT_EQ(std::string(text), std::string(buf)); 94 EXPECT_TRUE(!memcmp(buf + sizeof(text), ref + sizeof(text), 95 sizeof(buf) - sizeof(text))); 96 memcpy(buf, ref, sizeof(buf)); 97 98 // The same test using SafeSPrintf() instead of SafeSNPrintf(). 99 EXPECT_EQ(static_cast<ssize_t>(sizeof(text))-1, SafeSPrintf(buf, text)); 100 EXPECT_EQ(std::string(text), std::string(buf)); 101 EXPECT_TRUE(!memcmp(buf + sizeof(text), ref + sizeof(text), 102 sizeof(buf) - sizeof(text))); 103 memcpy(buf, ref, sizeof(buf)); 104 105 // Check for deduplication of '%' percent characters. 106 EXPECT_EQ(1, SafeSPrintf(buf, "%%")); 107 EXPECT_EQ(2, SafeSPrintf(buf, "%%%%")); 108 EXPECT_EQ(2, SafeSPrintf(buf, "%%X")); 109 EXPECT_EQ(3, SafeSPrintf(buf, "%%%%X")); 110 #if defined(NDEBUG) 111 EXPECT_EQ(1, SafeSPrintf(buf, "%")); 112 EXPECT_EQ(2, SafeSPrintf(buf, "%%%")); 113 EXPECT_EQ(2, SafeSPrintf(buf, "%X")); 114 EXPECT_EQ(3, SafeSPrintf(buf, "%%%X")); 115 #elif defined(ALLOW_DEATH_TEST) 116 EXPECT_DEATH(SafeSPrintf(buf, "%"), "src.1. == '%'"); 117 EXPECT_DEATH(SafeSPrintf(buf, "%%%"), "src.1. == '%'"); 118 EXPECT_DEATH(SafeSPrintf(buf, "%X"), "src.1. == '%'"); 119 EXPECT_DEATH(SafeSPrintf(buf, "%%%X"), "src.1. == '%'"); 120 #endif 121 } 122 123 TEST(SafeSPrintfTest, OneArgument) { 124 // Test basic single-argument single-character substitution. 125 const char text[] = "hello world"; 126 const char fmt[] = "hello%cworld"; 127 char ref[20], buf[20]; 128 memset(ref, 'X', sizeof(buf)); 129 memcpy(buf, ref, sizeof(buf)); 130 131 // A negative buffer size should always result in an error. 132 EXPECT_EQ(-1, SafeSNPrintf(buf, static_cast<size_t>(-1), fmt, ' ')); 133 EXPECT_TRUE(!memcmp(buf, ref, sizeof(buf))); 134 135 // Zero buffer size should always result in an error. 136 EXPECT_EQ(-1, SafeSNPrintf(buf, 0, fmt, ' ')); 137 EXPECT_TRUE(!memcmp(buf, ref, sizeof(buf))); 138 139 // A one-byte buffer should always print a single NUL byte. 140 EXPECT_EQ(static_cast<ssize_t>(sizeof(text))-1, 141 SafeSNPrintf(buf, 1, fmt, ' ')); 142 EXPECT_EQ(0, buf[0]); 143 EXPECT_TRUE(!memcmp(buf+1, ref+1, sizeof(buf)-1)); 144 memcpy(buf, ref, sizeof(buf)); 145 146 // A larger (but limited) buffer should always leave the trailing bytes 147 // unchanged. 148 EXPECT_EQ(static_cast<ssize_t>(sizeof(text))-1, 149 SafeSNPrintf(buf, 2, fmt, ' ')); 150 EXPECT_EQ(text[0], buf[0]); 151 EXPECT_EQ(0, buf[1]); 152 EXPECT_TRUE(!memcmp(buf+2, ref+2, sizeof(buf)-2)); 153 memcpy(buf, ref, sizeof(buf)); 154 155 // A unrestricted buffer length should always leave the trailing bytes 156 // unchanged. 157 EXPECT_EQ(static_cast<ssize_t>(sizeof(text))-1, 158 SafeSNPrintf(buf, sizeof(buf), fmt, ' ')); 159 EXPECT_EQ(std::string(text), std::string(buf)); 160 EXPECT_TRUE(!memcmp(buf + sizeof(text), ref + sizeof(text), 161 sizeof(buf) - sizeof(text))); 162 memcpy(buf, ref, sizeof(buf)); 163 164 // The same test using SafeSPrintf() instead of SafeSNPrintf(). 165 EXPECT_EQ(static_cast<ssize_t>(sizeof(text))-1, SafeSPrintf(buf, fmt, ' ')); 166 EXPECT_EQ(std::string(text), std::string(buf)); 167 EXPECT_TRUE(!memcmp(buf + sizeof(text), ref + sizeof(text), 168 sizeof(buf) - sizeof(text))); 169 memcpy(buf, ref, sizeof(buf)); 170 171 // Check for deduplication of '%' percent characters. 172 EXPECT_EQ(1, SafeSPrintf(buf, "%%", 0)); 173 EXPECT_EQ(2, SafeSPrintf(buf, "%%%%", 0)); 174 EXPECT_EQ(2, SafeSPrintf(buf, "%Y", 0)); 175 EXPECT_EQ(2, SafeSPrintf(buf, "%%Y", 0)); 176 EXPECT_EQ(3, SafeSPrintf(buf, "%%%Y", 0)); 177 EXPECT_EQ(3, SafeSPrintf(buf, "%%%%Y", 0)); 178 #if defined(NDEBUG) 179 EXPECT_EQ(1, SafeSPrintf(buf, "%", 0)); 180 EXPECT_EQ(2, SafeSPrintf(buf, "%%%", 0)); 181 #elif defined(ALLOW_DEATH_TEST) 182 EXPECT_DEATH(SafeSPrintf(buf, "%", 0), "ch"); 183 EXPECT_DEATH(SafeSPrintf(buf, "%%%", 0), "ch"); 184 #endif 185 } 186 187 TEST(SafeSPrintfTest, MissingArg) { 188 #if defined(NDEBUG) 189 char buf[20]; 190 EXPECT_EQ(3, SafeSPrintf(buf, "%c%c", 'A')); 191 EXPECT_EQ("A%c", std::string(buf)); 192 #elif defined(ALLOW_DEATH_TEST) 193 char buf[20]; 194 EXPECT_DEATH(SafeSPrintf(buf, "%c%c", 'A'), "cur_arg < max_args"); 195 #endif 196 } 197 198 TEST(SafeSPrintfTest, ASANFriendlyBufferTest) { 199 // Print into a buffer that is sized exactly to size. ASAN can verify that 200 // nobody attempts to write past the end of the buffer. 201 // There is a more complicated test in PrintLongString() that covers a lot 202 // more edge case, but it is also harder to debug in case of a failure. 203 const char kTestString[] = "This is a test"; 204 scoped_ptr<char[]> buf(new char[sizeof(kTestString)]); 205 EXPECT_EQ(static_cast<ssize_t>(sizeof(kTestString) - 1), 206 SafeSNPrintf(buf.get(), sizeof(kTestString), kTestString)); 207 EXPECT_EQ(std::string(kTestString), std::string(buf.get())); 208 EXPECT_EQ(static_cast<ssize_t>(sizeof(kTestString) - 1), 209 SafeSNPrintf(buf.get(), sizeof(kTestString), "%s", kTestString)); 210 EXPECT_EQ(std::string(kTestString), std::string(buf.get())); 211 } 212 213 TEST(SafeSPrintfTest, NArgs) { 214 // Pre-C++11 compilers have a different code path, that can only print 215 // up to ten distinct arguments. 216 // We test both SafeSPrintf() and SafeSNPrintf(). This makes sure we don't 217 // have typos in the copy-n-pasted code that is needed to deal with various 218 // numbers of arguments. 219 char buf[12]; 220 EXPECT_EQ(1, SafeSPrintf(buf, "%c", 1)); 221 EXPECT_EQ("\1", std::string(buf)); 222 EXPECT_EQ(2, SafeSPrintf(buf, "%c%c", 1, 2)); 223 EXPECT_EQ("\1\2", std::string(buf)); 224 EXPECT_EQ(3, SafeSPrintf(buf, "%c%c%c", 1, 2, 3)); 225 EXPECT_EQ("\1\2\3", std::string(buf)); 226 EXPECT_EQ(4, SafeSPrintf(buf, "%c%c%c%c", 1, 2, 3, 4)); 227 EXPECT_EQ("\1\2\3\4", std::string(buf)); 228 EXPECT_EQ(5, SafeSPrintf(buf, "%c%c%c%c%c", 1, 2, 3, 4, 5)); 229 EXPECT_EQ("\1\2\3\4\5", std::string(buf)); 230 EXPECT_EQ(6, SafeSPrintf(buf, "%c%c%c%c%c%c", 1, 2, 3, 4, 5, 6)); 231 EXPECT_EQ("\1\2\3\4\5\6", std::string(buf)); 232 EXPECT_EQ(7, SafeSPrintf(buf, "%c%c%c%c%c%c%c", 1, 2, 3, 4, 5, 6, 7)); 233 EXPECT_EQ("\1\2\3\4\5\6\7", std::string(buf)); 234 EXPECT_EQ(8, SafeSPrintf(buf, "%c%c%c%c%c%c%c%c", 1, 2, 3, 4, 5, 6, 7, 8)); 235 EXPECT_EQ("\1\2\3\4\5\6\7\10", std::string(buf)); 236 EXPECT_EQ(9, SafeSPrintf(buf, "%c%c%c%c%c%c%c%c%c", 237 1, 2, 3, 4, 5, 6, 7, 8, 9)); 238 EXPECT_EQ("\1\2\3\4\5\6\7\10\11", std::string(buf)); 239 EXPECT_EQ(10, SafeSPrintf(buf, "%c%c%c%c%c%c%c%c%c%c", 240 1, 2, 3, 4, 5, 6, 7, 8, 9, 10)); 241 242 // Repeat all the tests with SafeSNPrintf() instead of SafeSPrintf(). 243 EXPECT_EQ("\1\2\3\4\5\6\7\10\11\12", std::string(buf)); 244 EXPECT_EQ(1, SafeSNPrintf(buf, 11, "%c", 1)); 245 EXPECT_EQ("\1", std::string(buf)); 246 EXPECT_EQ(2, SafeSNPrintf(buf, 11, "%c%c", 1, 2)); 247 EXPECT_EQ("\1\2", std::string(buf)); 248 EXPECT_EQ(3, SafeSNPrintf(buf, 11, "%c%c%c", 1, 2, 3)); 249 EXPECT_EQ("\1\2\3", std::string(buf)); 250 EXPECT_EQ(4, SafeSNPrintf(buf, 11, "%c%c%c%c", 1, 2, 3, 4)); 251 EXPECT_EQ("\1\2\3\4", std::string(buf)); 252 EXPECT_EQ(5, SafeSNPrintf(buf, 11, "%c%c%c%c%c", 1, 2, 3, 4, 5)); 253 EXPECT_EQ("\1\2\3\4\5", std::string(buf)); 254 EXPECT_EQ(6, SafeSNPrintf(buf, 11, "%c%c%c%c%c%c", 1, 2, 3, 4, 5, 6)); 255 EXPECT_EQ("\1\2\3\4\5\6", std::string(buf)); 256 EXPECT_EQ(7, SafeSNPrintf(buf, 11, "%c%c%c%c%c%c%c", 1, 2, 3, 4, 5, 6, 7)); 257 EXPECT_EQ("\1\2\3\4\5\6\7", std::string(buf)); 258 EXPECT_EQ(8, SafeSNPrintf(buf, 11, "%c%c%c%c%c%c%c%c", 259 1, 2, 3, 4, 5, 6, 7, 8)); 260 EXPECT_EQ("\1\2\3\4\5\6\7\10", std::string(buf)); 261 EXPECT_EQ(9, SafeSNPrintf(buf, 11, "%c%c%c%c%c%c%c%c%c", 262 1, 2, 3, 4, 5, 6, 7, 8, 9)); 263 EXPECT_EQ("\1\2\3\4\5\6\7\10\11", std::string(buf)); 264 EXPECT_EQ(10, SafeSNPrintf(buf, 11, "%c%c%c%c%c%c%c%c%c%c", 265 1, 2, 3, 4, 5, 6, 7, 8, 9, 10)); 266 EXPECT_EQ("\1\2\3\4\5\6\7\10\11\12", std::string(buf)); 267 } 268 269 TEST(SafeSPrintfTest, DataTypes) { 270 char buf[40]; 271 272 // Bytes 273 EXPECT_EQ(1, SafeSPrintf(buf, "%d", (uint8_t)1)); 274 EXPECT_EQ("1", std::string(buf)); 275 EXPECT_EQ(3, SafeSPrintf(buf, "%d", (uint8_t)-1)); 276 EXPECT_EQ("255", std::string(buf)); 277 EXPECT_EQ(1, SafeSPrintf(buf, "%d", (int8_t)1)); 278 EXPECT_EQ("1", std::string(buf)); 279 EXPECT_EQ(2, SafeSPrintf(buf, "%d", (int8_t)-1)); 280 EXPECT_EQ("-1", std::string(buf)); 281 EXPECT_EQ(4, SafeSPrintf(buf, "%d", (int8_t)-128)); 282 EXPECT_EQ("-128", std::string(buf)); 283 284 // Half-words 285 EXPECT_EQ(1, SafeSPrintf(buf, "%d", (uint16_t)1)); 286 EXPECT_EQ("1", std::string(buf)); 287 EXPECT_EQ(5, SafeSPrintf(buf, "%d", (uint16_t)-1)); 288 EXPECT_EQ("65535", std::string(buf)); 289 EXPECT_EQ(1, SafeSPrintf(buf, "%d", (int16_t)1)); 290 EXPECT_EQ("1", std::string(buf)); 291 EXPECT_EQ(2, SafeSPrintf(buf, "%d", (int16_t)-1)); 292 EXPECT_EQ("-1", std::string(buf)); 293 EXPECT_EQ(6, SafeSPrintf(buf, "%d", (int16_t)-32768)); 294 EXPECT_EQ("-32768", std::string(buf)); 295 296 // Words 297 EXPECT_EQ(1, SafeSPrintf(buf, "%d", (uint32_t)1)); 298 EXPECT_EQ("1", std::string(buf)); 299 EXPECT_EQ(10, SafeSPrintf(buf, "%d", (uint32_t)-1)); 300 EXPECT_EQ("4294967295", std::string(buf)); 301 EXPECT_EQ(1, SafeSPrintf(buf, "%d", (int32_t)1)); 302 EXPECT_EQ("1", std::string(buf)); 303 EXPECT_EQ(2, SafeSPrintf(buf, "%d", (int32_t)-1)); 304 EXPECT_EQ("-1", std::string(buf)); 305 // Work-around for an limitation of C90 306 EXPECT_EQ(11, SafeSPrintf(buf, "%d", (int32_t)-2147483647-1)); 307 EXPECT_EQ("-2147483648", std::string(buf)); 308 309 // Quads 310 EXPECT_EQ(1, SafeSPrintf(buf, "%d", (uint64_t)1)); 311 EXPECT_EQ("1", std::string(buf)); 312 EXPECT_EQ(20, SafeSPrintf(buf, "%d", (uint64_t)-1)); 313 EXPECT_EQ("18446744073709551615", std::string(buf)); 314 EXPECT_EQ(1, SafeSPrintf(buf, "%d", (int64_t)1)); 315 EXPECT_EQ("1", std::string(buf)); 316 EXPECT_EQ(2, SafeSPrintf(buf, "%d", (int64_t)-1)); 317 EXPECT_EQ("-1", std::string(buf)); 318 // Work-around for an limitation of C90 319 EXPECT_EQ(20, SafeSPrintf(buf, "%d", (int64_t)-9223372036854775807LL-1)); 320 EXPECT_EQ("-9223372036854775808", std::string(buf)); 321 322 // Strings (both const and mutable). 323 EXPECT_EQ(4, SafeSPrintf(buf, "test")); 324 EXPECT_EQ("test", std::string(buf)); 325 EXPECT_EQ(4, SafeSPrintf(buf, buf)); 326 EXPECT_EQ("test", std::string(buf)); 327 328 // Pointer 329 char addr[20]; 330 sprintf(addr, "0x%llX", (unsigned long long)(uintptr_t)buf); 331 SafeSPrintf(buf, "%p", buf); 332 EXPECT_EQ(std::string(addr), std::string(buf)); 333 SafeSPrintf(buf, "%p", (const char *)buf); 334 EXPECT_EQ(std::string(addr), std::string(buf)); 335 sprintf(addr, "0x%llX", (unsigned long long)(uintptr_t)sprintf); 336 SafeSPrintf(buf, "%p", sprintf); 337 EXPECT_EQ(std::string(addr), std::string(buf)); 338 339 // Padding for pointers is a little more complicated because of the "0x" 340 // prefix. Padding with '0' zeros is relatively straight-forward, but 341 // padding with ' ' spaces requires more effort. 342 sprintf(addr, "0x%017llX", (unsigned long long)(uintptr_t)buf); 343 SafeSPrintf(buf, "%019p", buf); 344 EXPECT_EQ(std::string(addr), std::string(buf)); 345 sprintf(addr, "0x%llX", (unsigned long long)(uintptr_t)buf); 346 memset(addr, ' ', 347 (char*)memmove(addr + sizeof(addr) - strlen(addr) - 1, 348 addr, strlen(addr)+1) - addr); 349 SafeSPrintf(buf, "%19p", buf); 350 EXPECT_EQ(std::string(addr), std::string(buf)); 351 } 352 353 namespace { 354 void PrintLongString(char* buf, size_t sz) { 355 // Output a reasonably complex expression into a limited-size buffer. 356 // At least one byte is available for writing the NUL character. 357 CHECK_GT(sz, static_cast<size_t>(0)); 358 359 // Allocate slightly more space, so that we can verify that SafeSPrintf() 360 // never writes past the end of the buffer. 361 scoped_ptr<char[]> tmp(new char[sz+2]); 362 memset(tmp.get(), 'X', sz+2); 363 364 // Use SafeSPrintf() to output a complex list of arguments: 365 // - test padding and truncating %c single characters. 366 // - test truncating %s simple strings. 367 // - test mismatching arguments and truncating (for %d != %s). 368 // - test zero-padding and truncating %x hexadecimal numbers. 369 // - test outputting and truncating %d MININT. 370 // - test outputting and truncating %p arbitrary pointer values. 371 // - test outputting, padding and truncating NULL-pointer %s strings. 372 char* out = tmp.get(); 373 size_t out_sz = sz; 374 size_t len; 375 for (scoped_ptr<char[]> perfect_buf;;) { 376 size_t needed = SafeSNPrintf(out, out_sz, 377 #if defined(NDEBUG) 378 "A%2cong %s: %d %010X %d %p%7s", 'l', "string", "", 379 #else 380 "A%2cong %s: %%d %010X %d %p%7s", 'l', "string", 381 #endif 382 0xDEADBEEF, std::numeric_limits<intptr_t>::min(), 383 PrintLongString, static_cast<char*>(NULL)) + 1; 384 385 // Various sanity checks: 386 // The numbered of characters needed to print the full string should always 387 // be bigger or equal to the bytes that have actually been output. 388 len = strlen(tmp.get()); 389 CHECK_GE(needed, len+1); 390 391 // The number of characters output should always fit into the buffer that 392 // was passed into SafeSPrintf(). 393 CHECK_LT(len, out_sz); 394 395 // The output is always terminated with a NUL byte (actually, this test is 396 // always going to pass, as strlen() already verified this) 397 EXPECT_FALSE(tmp[len]); 398 399 // ASAN can check that we are not overwriting buffers, iff we make sure the 400 // buffer is exactly the size that we are expecting to be written. After 401 // running SafeSNPrintf() the first time, it is possible to compute the 402 // correct buffer size for this test. So, allocate a second buffer and run 403 // the exact same SafeSNPrintf() command again. 404 if (!perfect_buf.get()) { 405 out_sz = std::min(needed, sz); 406 out = new char[out_sz]; 407 perfect_buf.reset(out); 408 } else { 409 break; 410 } 411 } 412 413 // All trailing bytes are unchanged. 414 for (size_t i = len+1; i < sz+2; ++i) 415 EXPECT_EQ('X', tmp[i]); 416 417 // The text that was generated by SafeSPrintf() should always match the 418 // equivalent text generated by sprintf(). Please note that the format 419 // string for sprintf() is not complicated, as it does not have the 420 // benefit of getting type information from the C++ compiler. 421 // 422 // N.B.: It would be so much cleaner to use snprintf(). But unfortunately, 423 // Visual Studio doesn't support this function, and the work-arounds 424 // are all really awkward. 425 char ref[256]; 426 CHECK_LE(sz, sizeof(ref)); 427 sprintf(ref, "A long string: %%d 00DEADBEEF %lld 0x%llX <NULL>", 428 static_cast<long long>(std::numeric_limits<intptr_t>::min()), 429 static_cast<unsigned long long>( 430 reinterpret_cast<uintptr_t>(PrintLongString))); 431 ref[sz-1] = '\000'; 432 433 #if defined(NDEBUG) 434 const size_t kSSizeMax = std::numeric_limits<ssize_t>::max(); 435 #else 436 const size_t kSSizeMax = internal::GetSafeSPrintfSSizeMaxForTest(); 437 #endif 438 439 // Compare the output from SafeSPrintf() to the one from sprintf(). 440 EXPECT_EQ(std::string(ref).substr(0, kSSizeMax-1), std::string(tmp.get())); 441 442 // We allocated a slightly larger buffer, so that we could perform some 443 // extra sanity checks. Now that the tests have all passed, we copy the 444 // data to the output buffer that the caller provided. 445 memcpy(buf, tmp.get(), len+1); 446 } 447 448 #if !defined(NDEBUG) 449 class ScopedSafeSPrintfSSizeMaxSetter { 450 public: 451 ScopedSafeSPrintfSSizeMaxSetter(size_t sz) { 452 old_ssize_max_ = internal::GetSafeSPrintfSSizeMaxForTest(); 453 internal::SetSafeSPrintfSSizeMaxForTest(sz); 454 } 455 456 ~ScopedSafeSPrintfSSizeMaxSetter() { 457 internal::SetSafeSPrintfSSizeMaxForTest(old_ssize_max_); 458 } 459 460 private: 461 size_t old_ssize_max_; 462 463 DISALLOW_COPY_AND_ASSIGN(ScopedSafeSPrintfSSizeMaxSetter); 464 }; 465 #endif 466 467 } // anonymous namespace 468 469 TEST(SafeSPrintfTest, Truncation) { 470 // We use PrintLongString() to print a complex long string and then 471 // truncate to all possible lengths. This ends up exercising a lot of 472 // different code paths in SafeSPrintf() and IToASCII(), as truncation can 473 // happen in a lot of different states. 474 char ref[256]; 475 PrintLongString(ref, sizeof(ref)); 476 for (size_t i = strlen(ref)+1; i; --i) { 477 char buf[sizeof(ref)]; 478 PrintLongString(buf, i); 479 EXPECT_EQ(std::string(ref, i - 1), std::string(buf)); 480 } 481 482 // When compiling in debug mode, we have the ability to fake a small 483 // upper limit for the maximum value that can be stored in an ssize_t. 484 // SafeSPrintf() uses this upper limit to determine how many bytes it will 485 // write to the buffer, even if the caller claimed a bigger buffer size. 486 // Repeat the truncation test and verify that this other code path in 487 // SafeSPrintf() works correctly, too. 488 #if !defined(NDEBUG) 489 for (size_t i = strlen(ref)+1; i > 1; --i) { 490 ScopedSafeSPrintfSSizeMaxSetter ssize_max_setter(i); 491 char buf[sizeof(ref)]; 492 PrintLongString(buf, sizeof(buf)); 493 EXPECT_EQ(std::string(ref, i - 1), std::string(buf)); 494 } 495 496 // kSSizeMax is also used to constrain the maximum amount of padding, before 497 // SafeSPrintf() detects an error in the format string. 498 ScopedSafeSPrintfSSizeMaxSetter ssize_max_setter(100); 499 char buf[256]; 500 EXPECT_EQ(99, SafeSPrintf(buf, "%99c", ' ')); 501 EXPECT_EQ(std::string(99, ' '), std::string(buf)); 502 *buf = '\000'; 503 #if defined(ALLOW_DEATH_TEST) 504 EXPECT_DEATH(SafeSPrintf(buf, "%100c", ' '), "padding <= max_padding"); 505 #endif 506 EXPECT_EQ(0, *buf); 507 #endif 508 } 509 510 TEST(SafeSPrintfTest, Padding) { 511 char buf[40], fmt[40]; 512 513 // Chars %c 514 EXPECT_EQ(1, SafeSPrintf(buf, "%c", 'A')); 515 EXPECT_EQ("A", std::string(buf)); 516 EXPECT_EQ(2, SafeSPrintf(buf, "%2c", 'A')); 517 EXPECT_EQ(" A", std::string(buf)); 518 EXPECT_EQ(2, SafeSPrintf(buf, "%02c", 'A')); 519 EXPECT_EQ(" A", std::string(buf)); 520 EXPECT_EQ(4, SafeSPrintf(buf, "%-2c", 'A')); 521 EXPECT_EQ("%-2c", std::string(buf)); 522 SafeSPrintf(fmt, "%%%dc", std::numeric_limits<ssize_t>::max() - 1); 523 EXPECT_EQ(std::numeric_limits<ssize_t>::max()-1, SafeSPrintf(buf, fmt, 'A')); 524 SafeSPrintf(fmt, "%%%dc", 525 static_cast<size_t>(std::numeric_limits<ssize_t>::max())); 526 #if defined(NDEBUG) 527 EXPECT_EQ(2, SafeSPrintf(buf, fmt, 'A')); 528 EXPECT_EQ("%c", std::string(buf)); 529 #elif defined(ALLOW_DEATH_TEST) 530 EXPECT_DEATH(SafeSPrintf(buf, fmt, 'A'), "padding <= max_padding"); 531 #endif 532 533 // Octal %o 534 EXPECT_EQ(1, SafeSPrintf(buf, "%o", 1)); 535 EXPECT_EQ("1", std::string(buf)); 536 EXPECT_EQ(2, SafeSPrintf(buf, "%2o", 1)); 537 EXPECT_EQ(" 1", std::string(buf)); 538 EXPECT_EQ(2, SafeSPrintf(buf, "%02o", 1)); 539 EXPECT_EQ("01", std::string(buf)); 540 EXPECT_EQ(12, SafeSPrintf(buf, "%12o", -1)); 541 EXPECT_EQ(" 37777777777", std::string(buf)); 542 EXPECT_EQ(12, SafeSPrintf(buf, "%012o", -1)); 543 EXPECT_EQ("037777777777", std::string(buf)); 544 EXPECT_EQ(23, SafeSPrintf(buf, "%23o", -1LL)); 545 EXPECT_EQ(" 1777777777777777777777", std::string(buf)); 546 EXPECT_EQ(23, SafeSPrintf(buf, "%023o", -1LL)); 547 EXPECT_EQ("01777777777777777777777", std::string(buf)); 548 EXPECT_EQ(3, SafeSPrintf(buf, "%2o", 0111)); 549 EXPECT_EQ("111", std::string(buf)); 550 EXPECT_EQ(4, SafeSPrintf(buf, "%-2o", 1)); 551 EXPECT_EQ("%-2o", std::string(buf)); 552 SafeSPrintf(fmt, "%%%do", std::numeric_limits<ssize_t>::max()-1); 553 EXPECT_EQ(std::numeric_limits<ssize_t>::max()-1, 554 SafeSNPrintf(buf, 4, fmt, 1)); 555 EXPECT_EQ(" ", std::string(buf)); 556 SafeSPrintf(fmt, "%%0%do", std::numeric_limits<ssize_t>::max()-1); 557 EXPECT_EQ(std::numeric_limits<ssize_t>::max()-1, 558 SafeSNPrintf(buf, 4, fmt, 1)); 559 EXPECT_EQ("000", std::string(buf)); 560 SafeSPrintf(fmt, "%%%do", 561 static_cast<size_t>(std::numeric_limits<ssize_t>::max())); 562 #if defined(NDEBUG) 563 EXPECT_EQ(2, SafeSPrintf(buf, fmt, 1)); 564 EXPECT_EQ("%o", std::string(buf)); 565 #elif defined(ALLOW_DEATH_TEST) 566 EXPECT_DEATH(SafeSPrintf(buf, fmt, 1), "padding <= max_padding"); 567 #endif 568 569 // Decimals %d 570 EXPECT_EQ(1, SafeSPrintf(buf, "%d", 1)); 571 EXPECT_EQ("1", std::string(buf)); 572 EXPECT_EQ(2, SafeSPrintf(buf, "%2d", 1)); 573 EXPECT_EQ(" 1", std::string(buf)); 574 EXPECT_EQ(2, SafeSPrintf(buf, "%02d", 1)); 575 EXPECT_EQ("01", std::string(buf)); 576 EXPECT_EQ(3, SafeSPrintf(buf, "%3d", -1)); 577 EXPECT_EQ(" -1", std::string(buf)); 578 EXPECT_EQ(3, SafeSPrintf(buf, "%03d", -1)); 579 EXPECT_EQ("-01", std::string(buf)); 580 EXPECT_EQ(3, SafeSPrintf(buf, "%2d", 111)); 581 EXPECT_EQ("111", std::string(buf)); 582 EXPECT_EQ(4, SafeSPrintf(buf, "%2d", -111)); 583 EXPECT_EQ("-111", std::string(buf)); 584 EXPECT_EQ(4, SafeSPrintf(buf, "%-2d", 1)); 585 EXPECT_EQ("%-2d", std::string(buf)); 586 SafeSPrintf(fmt, "%%%dd", std::numeric_limits<ssize_t>::max()-1); 587 EXPECT_EQ(std::numeric_limits<ssize_t>::max()-1, 588 SafeSNPrintf(buf, 4, fmt, 1)); 589 EXPECT_EQ(" ", std::string(buf)); 590 SafeSPrintf(fmt, "%%0%dd", std::numeric_limits<ssize_t>::max()-1); 591 EXPECT_EQ(std::numeric_limits<ssize_t>::max()-1, 592 SafeSNPrintf(buf, 4, fmt, 1)); 593 EXPECT_EQ("000", std::string(buf)); 594 SafeSPrintf(fmt, "%%%dd", 595 static_cast<size_t>(std::numeric_limits<ssize_t>::max())); 596 #if defined(NDEBUG) 597 EXPECT_EQ(2, SafeSPrintf(buf, fmt, 1)); 598 EXPECT_EQ("%d", std::string(buf)); 599 #elif defined(ALLOW_DEATH_TEST) 600 EXPECT_DEATH(SafeSPrintf(buf, fmt, 1), "padding <= max_padding"); 601 #endif 602 603 // Hex %X 604 EXPECT_EQ(1, SafeSPrintf(buf, "%X", 1)); 605 EXPECT_EQ("1", std::string(buf)); 606 EXPECT_EQ(2, SafeSPrintf(buf, "%2X", 1)); 607 EXPECT_EQ(" 1", std::string(buf)); 608 EXPECT_EQ(2, SafeSPrintf(buf, "%02X", 1)); 609 EXPECT_EQ("01", std::string(buf)); 610 EXPECT_EQ(9, SafeSPrintf(buf, "%9X", -1)); 611 EXPECT_EQ(" FFFFFFFF", std::string(buf)); 612 EXPECT_EQ(9, SafeSPrintf(buf, "%09X", -1)); 613 EXPECT_EQ("0FFFFFFFF", std::string(buf)); 614 EXPECT_EQ(17, SafeSPrintf(buf, "%17X", -1LL)); 615 EXPECT_EQ(" FFFFFFFFFFFFFFFF", std::string(buf)); 616 EXPECT_EQ(17, SafeSPrintf(buf, "%017X", -1LL)); 617 EXPECT_EQ("0FFFFFFFFFFFFFFFF", std::string(buf)); 618 EXPECT_EQ(3, SafeSPrintf(buf, "%2X", 0x111)); 619 EXPECT_EQ("111", std::string(buf)); 620 EXPECT_EQ(4, SafeSPrintf(buf, "%-2X", 1)); 621 EXPECT_EQ("%-2X", std::string(buf)); 622 SafeSPrintf(fmt, "%%%dX", std::numeric_limits<ssize_t>::max()-1); 623 EXPECT_EQ(std::numeric_limits<ssize_t>::max()-1, 624 SafeSNPrintf(buf, 4, fmt, 1)); 625 EXPECT_EQ(" ", std::string(buf)); 626 SafeSPrintf(fmt, "%%0%dX", std::numeric_limits<ssize_t>::max()-1); 627 EXPECT_EQ(std::numeric_limits<ssize_t>::max()-1, 628 SafeSNPrintf(buf, 4, fmt, 1)); 629 EXPECT_EQ("000", std::string(buf)); 630 SafeSPrintf(fmt, "%%%dX", 631 static_cast<size_t>(std::numeric_limits<ssize_t>::max())); 632 #if defined(NDEBUG) 633 EXPECT_EQ(2, SafeSPrintf(buf, fmt, 1)); 634 EXPECT_EQ("%X", std::string(buf)); 635 #elif defined(ALLOW_DEATH_TEST) 636 EXPECT_DEATH(SafeSPrintf(buf, fmt, 1), "padding <= max_padding"); 637 #endif 638 639 // Pointer %p 640 EXPECT_EQ(3, SafeSPrintf(buf, "%p", (void*)1)); 641 EXPECT_EQ("0x1", std::string(buf)); 642 EXPECT_EQ(4, SafeSPrintf(buf, "%4p", (void*)1)); 643 EXPECT_EQ(" 0x1", std::string(buf)); 644 EXPECT_EQ(4, SafeSPrintf(buf, "%04p", (void*)1)); 645 EXPECT_EQ("0x01", std::string(buf)); 646 EXPECT_EQ(5, SafeSPrintf(buf, "%4p", (void*)0x111)); 647 EXPECT_EQ("0x111", std::string(buf)); 648 EXPECT_EQ(4, SafeSPrintf(buf, "%-2p", (void*)1)); 649 EXPECT_EQ("%-2p", std::string(buf)); 650 SafeSPrintf(fmt, "%%%dp", std::numeric_limits<ssize_t>::max()-1); 651 EXPECT_EQ(std::numeric_limits<ssize_t>::max()-1, 652 SafeSNPrintf(buf, 4, fmt, (void*)1)); 653 EXPECT_EQ(" ", std::string(buf)); 654 SafeSPrintf(fmt, "%%0%dp", std::numeric_limits<ssize_t>::max()-1); 655 EXPECT_EQ(std::numeric_limits<ssize_t>::max()-1, 656 SafeSNPrintf(buf, 4, fmt, (void*)1)); 657 EXPECT_EQ("0x0", std::string(buf)); 658 SafeSPrintf(fmt, "%%%dp", 659 static_cast<size_t>(std::numeric_limits<ssize_t>::max())); 660 #if defined(NDEBUG) 661 EXPECT_EQ(2, SafeSPrintf(buf, fmt, 1)); 662 EXPECT_EQ("%p", std::string(buf)); 663 #elif defined(ALLOW_DEATH_TEST) 664 EXPECT_DEATH(SafeSPrintf(buf, fmt, 1), "padding <= max_padding"); 665 #endif 666 667 // String 668 EXPECT_EQ(1, SafeSPrintf(buf, "%s", "A")); 669 EXPECT_EQ("A", std::string(buf)); 670 EXPECT_EQ(2, SafeSPrintf(buf, "%2s", "A")); 671 EXPECT_EQ(" A", std::string(buf)); 672 EXPECT_EQ(2, SafeSPrintf(buf, "%02s", "A")); 673 EXPECT_EQ(" A", std::string(buf)); 674 EXPECT_EQ(3, SafeSPrintf(buf, "%2s", "AAA")); 675 EXPECT_EQ("AAA", std::string(buf)); 676 EXPECT_EQ(4, SafeSPrintf(buf, "%-2s", "A")); 677 EXPECT_EQ("%-2s", std::string(buf)); 678 SafeSPrintf(fmt, "%%%ds", std::numeric_limits<ssize_t>::max()-1); 679 EXPECT_EQ(std::numeric_limits<ssize_t>::max()-1, 680 SafeSNPrintf(buf, 4, fmt, "A")); 681 EXPECT_EQ(" ", std::string(buf)); 682 SafeSPrintf(fmt, "%%0%ds", std::numeric_limits<ssize_t>::max()-1); 683 EXPECT_EQ(std::numeric_limits<ssize_t>::max()-1, 684 SafeSNPrintf(buf, 4, fmt, "A")); 685 EXPECT_EQ(" ", std::string(buf)); 686 SafeSPrintf(fmt, "%%%ds", 687 static_cast<size_t>(std::numeric_limits<ssize_t>::max())); 688 #if defined(NDEBUG) 689 EXPECT_EQ(2, SafeSPrintf(buf, fmt, "A")); 690 EXPECT_EQ("%s", std::string(buf)); 691 #elif defined(ALLOW_DEATH_TEST) 692 EXPECT_DEATH(SafeSPrintf(buf, fmt, "A"), "padding <= max_padding"); 693 #endif 694 } 695 696 TEST(SafeSPrintfTest, EmbeddedNul) { 697 char buf[] = { 'X', 'X', 'X', 'X' }; 698 EXPECT_EQ(2, SafeSPrintf(buf, "%3c", 0)); 699 EXPECT_EQ(' ', buf[0]); 700 EXPECT_EQ(' ', buf[1]); 701 EXPECT_EQ(0, buf[2]); 702 EXPECT_EQ('X', buf[3]); 703 704 // Check handling of a NUL format character. N.B. this takes two different 705 // code paths depending on whether we are actually passing arguments. If 706 // we don't have any arguments, we are running in the fast-path code, that 707 // looks (almost) like a strncpy(). 708 #if defined(NDEBUG) 709 EXPECT_EQ(2, SafeSPrintf(buf, "%%%")); 710 EXPECT_EQ("%%", std::string(buf)); 711 EXPECT_EQ(2, SafeSPrintf(buf, "%%%", 0)); 712 EXPECT_EQ("%%", std::string(buf)); 713 #elif defined(ALLOW_DEATH_TEST) 714 EXPECT_DEATH(SafeSPrintf(buf, "%%%"), "src.1. == '%'"); 715 EXPECT_DEATH(SafeSPrintf(buf, "%%%", 0), "ch"); 716 #endif 717 } 718 719 TEST(SafeSPrintfTest, EmitNULL) { 720 char buf[40]; 721 #if defined(__GNUC__) 722 #pragma GCC diagnostic push 723 #pragma GCC diagnostic ignored "-Wconversion-null" 724 #endif 725 EXPECT_EQ(1, SafeSPrintf(buf, "%d", NULL)); 726 EXPECT_EQ("0", std::string(buf)); 727 EXPECT_EQ(3, SafeSPrintf(buf, "%p", NULL)); 728 EXPECT_EQ("0x0", std::string(buf)); 729 EXPECT_EQ(6, SafeSPrintf(buf, "%s", NULL)); 730 EXPECT_EQ("<NULL>", std::string(buf)); 731 #if defined(__GCC__) 732 #pragma GCC diagnostic pop 733 #endif 734 } 735 736 TEST(SafeSPrintfTest, PointerSize) { 737 // The internal data representation is a 64bit value, independent of the 738 // native word size. We want to perform sign-extension for signed integers, 739 // but we want to avoid doing so for pointer types. This could be a 740 // problem on systems, where pointers are only 32bit. This tests verifies 741 // that there is no such problem. 742 char *str = reinterpret_cast<char *>(0x80000000u); 743 void *ptr = str; 744 char buf[40]; 745 EXPECT_EQ(10, SafeSPrintf(buf, "%p", str)); 746 EXPECT_EQ("0x80000000", std::string(buf)); 747 EXPECT_EQ(10, SafeSPrintf(buf, "%p", ptr)); 748 EXPECT_EQ("0x80000000", std::string(buf)); 749 } 750 751 } // namespace strings 752 } // namespace base 753
