1 // Copyright 2013 The Chromium Authors. All rights reserved. 2 // Use of this source code is governed by a BSD-style license that can be 3 // found in the LICENSE file. 4 5 #include "base/strings/safe_sprintf.h" 6 7 #include <stddef.h> 8 #include <stdint.h> 9 #include <stdio.h> 10 #include <string.h> 11 12 #include <limits> 13 #include <memory> 14 15 #include "base/logging.h" 16 #include "base/macros.h" 17 #include "build/build_config.h" 18 #include "testing/gtest/include/gtest/gtest.h" 19 20 // Death tests on Android are currently very flaky. No need to add more flaky 21 // tests, as they just make it hard to spot real problems. 22 // TODO(markus): See if the restrictions on Android can eventually be lifted. 23 #if defined(GTEST_HAS_DEATH_TEST) && !defined(OS_ANDROID) 24 #define ALLOW_DEATH_TEST 25 #endif 26 27 namespace base { 28 namespace strings { 29 30 TEST(SafeSPrintfTest, Empty) { 31 char buf[2] = { 'X', 'X' }; 32 33 // Negative buffer size should always result in an error. 34 EXPECT_EQ(-1, SafeSNPrintf(buf, static_cast<size_t>(-1), "")); 35 EXPECT_EQ('X', buf[0]); 36 EXPECT_EQ('X', buf[1]); 37 38 // Zero buffer size should always result in an error. 39 EXPECT_EQ(-1, SafeSNPrintf(buf, 0, "")); 40 EXPECT_EQ('X', buf[0]); 41 EXPECT_EQ('X', buf[1]); 42 43 // A one-byte buffer should always print a single NUL byte. 44 EXPECT_EQ(0, SafeSNPrintf(buf, 1, "")); 45 EXPECT_EQ(0, buf[0]); 46 EXPECT_EQ('X', buf[1]); 47 buf[0] = 'X'; 48 49 // A larger buffer should leave the trailing bytes unchanged. 50 EXPECT_EQ(0, SafeSNPrintf(buf, 2, "")); 51 EXPECT_EQ(0, buf[0]); 52 EXPECT_EQ('X', buf[1]); 53 buf[0] = 'X'; 54 55 // The same test using SafeSPrintf() instead of SafeSNPrintf(). 56 EXPECT_EQ(0, SafeSPrintf(buf, "")); 57 EXPECT_EQ(0, buf[0]); 58 EXPECT_EQ('X', buf[1]); 59 buf[0] = 'X'; 60 } 61 62 TEST(SafeSPrintfTest, NoArguments) { 63 // Output a text message that doesn't require any substitutions. This 64 // is roughly equivalent to calling strncpy() (but unlike strncpy(), it does 65 // always add a trailing NUL; it always deduplicates '%' characters). 66 static const char text[] = "hello world"; 67 char ref[20], buf[20]; 68 memset(ref, 'X', sizeof(ref)); 69 memcpy(buf, ref, sizeof(buf)); 70 71 // A negative buffer size should always result in an error. 72 EXPECT_EQ(-1, SafeSNPrintf(buf, static_cast<size_t>(-1), text)); 73 EXPECT_TRUE(!memcmp(buf, ref, sizeof(buf))); 74 75 // Zero buffer size should always result in an error. 76 EXPECT_EQ(-1, SafeSNPrintf(buf, 0, text)); 77 EXPECT_TRUE(!memcmp(buf, ref, sizeof(buf))); 78 79 // A one-byte buffer should always print a single NUL byte. 80 EXPECT_EQ(static_cast<ssize_t>(sizeof(text))-1, SafeSNPrintf(buf, 1, text)); 81 EXPECT_EQ(0, buf[0]); 82 EXPECT_TRUE(!memcmp(buf+1, ref+1, sizeof(buf)-1)); 83 memcpy(buf, ref, sizeof(buf)); 84 85 // A larger (but limited) buffer should always leave the trailing bytes 86 // unchanged. 87 EXPECT_EQ(static_cast<ssize_t>(sizeof(text))-1, SafeSNPrintf(buf, 2, text)); 88 EXPECT_EQ(text[0], buf[0]); 89 EXPECT_EQ(0, buf[1]); 90 EXPECT_TRUE(!memcmp(buf+2, ref+2, sizeof(buf)-2)); 91 memcpy(buf, ref, sizeof(buf)); 92 93 // A unrestricted buffer length should always leave the trailing bytes 94 // unchanged. 95 EXPECT_EQ(static_cast<ssize_t>(sizeof(text))-1, 96 SafeSNPrintf(buf, sizeof(buf), text)); 97 EXPECT_EQ(std::string(text), std::string(buf)); 98 EXPECT_TRUE(!memcmp(buf + sizeof(text), ref + sizeof(text), 99 sizeof(buf) - sizeof(text))); 100 memcpy(buf, ref, sizeof(buf)); 101 102 // The same test using SafeSPrintf() instead of SafeSNPrintf(). 103 EXPECT_EQ(static_cast<ssize_t>(sizeof(text))-1, SafeSPrintf(buf, text)); 104 EXPECT_EQ(std::string(text), std::string(buf)); 105 EXPECT_TRUE(!memcmp(buf + sizeof(text), ref + sizeof(text), 106 sizeof(buf) - sizeof(text))); 107 memcpy(buf, ref, sizeof(buf)); 108 109 // Check for deduplication of '%' percent characters. 110 EXPECT_EQ(1, SafeSPrintf(buf, "%%")); 111 EXPECT_EQ(2, SafeSPrintf(buf, "%%%%")); 112 EXPECT_EQ(2, SafeSPrintf(buf, "%%X")); 113 EXPECT_EQ(3, SafeSPrintf(buf, "%%%%X")); 114 #if defined(NDEBUG) 115 EXPECT_EQ(1, SafeSPrintf(buf, "%")); 116 EXPECT_EQ(2, SafeSPrintf(buf, "%%%")); 117 EXPECT_EQ(2, SafeSPrintf(buf, "%X")); 118 EXPECT_EQ(3, SafeSPrintf(buf, "%%%X")); 119 #elif defined(ALLOW_DEATH_TEST) 120 EXPECT_DEATH(SafeSPrintf(buf, "%"), "src.1. == '%'"); 121 EXPECT_DEATH(SafeSPrintf(buf, "%%%"), "src.1. == '%'"); 122 EXPECT_DEATH(SafeSPrintf(buf, "%X"), "src.1. == '%'"); 123 EXPECT_DEATH(SafeSPrintf(buf, "%%%X"), "src.1. == '%'"); 124 #endif 125 } 126 127 TEST(SafeSPrintfTest, OneArgument) { 128 // Test basic single-argument single-character substitution. 129 const char text[] = "hello world"; 130 const char fmt[] = "hello%cworld"; 131 char ref[20], buf[20]; 132 memset(ref, 'X', sizeof(buf)); 133 memcpy(buf, ref, sizeof(buf)); 134 135 // A negative buffer size should always result in an error. 136 EXPECT_EQ(-1, SafeSNPrintf(buf, static_cast<size_t>(-1), fmt, ' ')); 137 EXPECT_TRUE(!memcmp(buf, ref, sizeof(buf))); 138 139 // Zero buffer size should always result in an error. 140 EXPECT_EQ(-1, SafeSNPrintf(buf, 0, fmt, ' ')); 141 EXPECT_TRUE(!memcmp(buf, ref, sizeof(buf))); 142 143 // A one-byte buffer should always print a single NUL byte. 144 EXPECT_EQ(static_cast<ssize_t>(sizeof(text))-1, 145 SafeSNPrintf(buf, 1, fmt, ' ')); 146 EXPECT_EQ(0, buf[0]); 147 EXPECT_TRUE(!memcmp(buf+1, ref+1, sizeof(buf)-1)); 148 memcpy(buf, ref, sizeof(buf)); 149 150 // A larger (but limited) buffer should always leave the trailing bytes 151 // unchanged. 152 EXPECT_EQ(static_cast<ssize_t>(sizeof(text))-1, 153 SafeSNPrintf(buf, 2, fmt, ' ')); 154 EXPECT_EQ(text[0], buf[0]); 155 EXPECT_EQ(0, buf[1]); 156 EXPECT_TRUE(!memcmp(buf+2, ref+2, sizeof(buf)-2)); 157 memcpy(buf, ref, sizeof(buf)); 158 159 // A unrestricted buffer length should always leave the trailing bytes 160 // unchanged. 161 EXPECT_EQ(static_cast<ssize_t>(sizeof(text))-1, 162 SafeSNPrintf(buf, sizeof(buf), fmt, ' ')); 163 EXPECT_EQ(std::string(text), std::string(buf)); 164 EXPECT_TRUE(!memcmp(buf + sizeof(text), ref + sizeof(text), 165 sizeof(buf) - sizeof(text))); 166 memcpy(buf, ref, sizeof(buf)); 167 168 // The same test using SafeSPrintf() instead of SafeSNPrintf(). 169 EXPECT_EQ(static_cast<ssize_t>(sizeof(text))-1, SafeSPrintf(buf, fmt, ' ')); 170 EXPECT_EQ(std::string(text), std::string(buf)); 171 EXPECT_TRUE(!memcmp(buf + sizeof(text), ref + sizeof(text), 172 sizeof(buf) - sizeof(text))); 173 memcpy(buf, ref, sizeof(buf)); 174 175 // Check for deduplication of '%' percent characters. 176 EXPECT_EQ(1, SafeSPrintf(buf, "%%", 0)); 177 EXPECT_EQ(2, SafeSPrintf(buf, "%%%%", 0)); 178 EXPECT_EQ(2, SafeSPrintf(buf, "%Y", 0)); 179 EXPECT_EQ(2, SafeSPrintf(buf, "%%Y", 0)); 180 EXPECT_EQ(3, SafeSPrintf(buf, "%%%Y", 0)); 181 EXPECT_EQ(3, SafeSPrintf(buf, "%%%%Y", 0)); 182 #if defined(NDEBUG) 183 EXPECT_EQ(1, SafeSPrintf(buf, "%", 0)); 184 EXPECT_EQ(2, SafeSPrintf(buf, "%%%", 0)); 185 #elif defined(ALLOW_DEATH_TEST) 186 EXPECT_DEATH(SafeSPrintf(buf, "%", 0), "ch"); 187 EXPECT_DEATH(SafeSPrintf(buf, "%%%", 0), "ch"); 188 #endif 189 } 190 191 TEST(SafeSPrintfTest, MissingArg) { 192 #if defined(NDEBUG) 193 char buf[20]; 194 EXPECT_EQ(3, SafeSPrintf(buf, "%c%c", 'A')); 195 EXPECT_EQ("A%c", std::string(buf)); 196 #elif defined(ALLOW_DEATH_TEST) 197 char buf[20]; 198 EXPECT_DEATH(SafeSPrintf(buf, "%c%c", 'A'), "cur_arg < max_args"); 199 #endif 200 } 201 202 TEST(SafeSPrintfTest, ASANFriendlyBufferTest) { 203 // Print into a buffer that is sized exactly to size. ASAN can verify that 204 // nobody attempts to write past the end of the buffer. 205 // There is a more complicated test in PrintLongString() that covers a lot 206 // more edge case, but it is also harder to debug in case of a failure. 207 const char kTestString[] = "This is a test"; 208 std::unique_ptr<char[]> buf(new char[sizeof(kTestString)]); 209 EXPECT_EQ(static_cast<ssize_t>(sizeof(kTestString) - 1), 210 SafeSNPrintf(buf.get(), sizeof(kTestString), kTestString)); 211 EXPECT_EQ(std::string(kTestString), std::string(buf.get())); 212 EXPECT_EQ(static_cast<ssize_t>(sizeof(kTestString) - 1), 213 SafeSNPrintf(buf.get(), sizeof(kTestString), "%s", kTestString)); 214 EXPECT_EQ(std::string(kTestString), std::string(buf.get())); 215 } 216 217 TEST(SafeSPrintfTest, NArgs) { 218 // Pre-C++11 compilers have a different code path, that can only print 219 // up to ten distinct arguments. 220 // We test both SafeSPrintf() and SafeSNPrintf(). This makes sure we don't 221 // have typos in the copy-n-pasted code that is needed to deal with various 222 // numbers of arguments. 223 char buf[12]; 224 EXPECT_EQ(1, SafeSPrintf(buf, "%c", 1)); 225 EXPECT_EQ("\1", std::string(buf)); 226 EXPECT_EQ(2, SafeSPrintf(buf, "%c%c", 1, 2)); 227 EXPECT_EQ("\1\2", std::string(buf)); 228 EXPECT_EQ(3, SafeSPrintf(buf, "%c%c%c", 1, 2, 3)); 229 EXPECT_EQ("\1\2\3", std::string(buf)); 230 EXPECT_EQ(4, SafeSPrintf(buf, "%c%c%c%c", 1, 2, 3, 4)); 231 EXPECT_EQ("\1\2\3\4", std::string(buf)); 232 EXPECT_EQ(5, SafeSPrintf(buf, "%c%c%c%c%c", 1, 2, 3, 4, 5)); 233 EXPECT_EQ("\1\2\3\4\5", std::string(buf)); 234 EXPECT_EQ(6, SafeSPrintf(buf, "%c%c%c%c%c%c", 1, 2, 3, 4, 5, 6)); 235 EXPECT_EQ("\1\2\3\4\5\6", std::string(buf)); 236 EXPECT_EQ(7, SafeSPrintf(buf, "%c%c%c%c%c%c%c", 1, 2, 3, 4, 5, 6, 7)); 237 EXPECT_EQ("\1\2\3\4\5\6\7", std::string(buf)); 238 EXPECT_EQ(8, SafeSPrintf(buf, "%c%c%c%c%c%c%c%c", 1, 2, 3, 4, 5, 6, 7, 8)); 239 EXPECT_EQ("\1\2\3\4\5\6\7\10", std::string(buf)); 240 EXPECT_EQ(9, SafeSPrintf(buf, "%c%c%c%c%c%c%c%c%c", 241 1, 2, 3, 4, 5, 6, 7, 8, 9)); 242 EXPECT_EQ("\1\2\3\4\5\6\7\10\11", std::string(buf)); 243 EXPECT_EQ(10, SafeSPrintf(buf, "%c%c%c%c%c%c%c%c%c%c", 244 1, 2, 3, 4, 5, 6, 7, 8, 9, 10)); 245 246 // Repeat all the tests with SafeSNPrintf() instead of SafeSPrintf(). 247 EXPECT_EQ("\1\2\3\4\5\6\7\10\11\12", std::string(buf)); 248 EXPECT_EQ(1, SafeSNPrintf(buf, 11, "%c", 1)); 249 EXPECT_EQ("\1", std::string(buf)); 250 EXPECT_EQ(2, SafeSNPrintf(buf, 11, "%c%c", 1, 2)); 251 EXPECT_EQ("\1\2", std::string(buf)); 252 EXPECT_EQ(3, SafeSNPrintf(buf, 11, "%c%c%c", 1, 2, 3)); 253 EXPECT_EQ("\1\2\3", std::string(buf)); 254 EXPECT_EQ(4, SafeSNPrintf(buf, 11, "%c%c%c%c", 1, 2, 3, 4)); 255 EXPECT_EQ("\1\2\3\4", std::string(buf)); 256 EXPECT_EQ(5, SafeSNPrintf(buf, 11, "%c%c%c%c%c", 1, 2, 3, 4, 5)); 257 EXPECT_EQ("\1\2\3\4\5", std::string(buf)); 258 EXPECT_EQ(6, SafeSNPrintf(buf, 11, "%c%c%c%c%c%c", 1, 2, 3, 4, 5, 6)); 259 EXPECT_EQ("\1\2\3\4\5\6", std::string(buf)); 260 EXPECT_EQ(7, SafeSNPrintf(buf, 11, "%c%c%c%c%c%c%c", 1, 2, 3, 4, 5, 6, 7)); 261 EXPECT_EQ("\1\2\3\4\5\6\7", std::string(buf)); 262 EXPECT_EQ(8, SafeSNPrintf(buf, 11, "%c%c%c%c%c%c%c%c", 263 1, 2, 3, 4, 5, 6, 7, 8)); 264 EXPECT_EQ("\1\2\3\4\5\6\7\10", std::string(buf)); 265 EXPECT_EQ(9, SafeSNPrintf(buf, 11, "%c%c%c%c%c%c%c%c%c", 266 1, 2, 3, 4, 5, 6, 7, 8, 9)); 267 EXPECT_EQ("\1\2\3\4\5\6\7\10\11", std::string(buf)); 268 EXPECT_EQ(10, SafeSNPrintf(buf, 11, "%c%c%c%c%c%c%c%c%c%c", 269 1, 2, 3, 4, 5, 6, 7, 8, 9, 10)); 270 EXPECT_EQ("\1\2\3\4\5\6\7\10\11\12", std::string(buf)); 271 272 EXPECT_EQ(11, SafeSPrintf(buf, "%c%c%c%c%c%c%c%c%c%c%c", 273 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11)); 274 EXPECT_EQ("\1\2\3\4\5\6\7\10\11\12\13", std::string(buf)); 275 EXPECT_EQ(11, SafeSNPrintf(buf, 12, "%c%c%c%c%c%c%c%c%c%c%c", 276 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11)); 277 EXPECT_EQ("\1\2\3\4\5\6\7\10\11\12\13", std::string(buf)); 278 } 279 280 TEST(SafeSPrintfTest, DataTypes) { 281 char buf[40]; 282 283 // Bytes 284 EXPECT_EQ(1, SafeSPrintf(buf, "%d", (uint8_t)1)); 285 EXPECT_EQ("1", std::string(buf)); 286 EXPECT_EQ(3, SafeSPrintf(buf, "%d", (uint8_t)-1)); 287 EXPECT_EQ("255", std::string(buf)); 288 EXPECT_EQ(1, SafeSPrintf(buf, "%d", (int8_t)1)); 289 EXPECT_EQ("1", std::string(buf)); 290 EXPECT_EQ(2, SafeSPrintf(buf, "%d", (int8_t)-1)); 291 EXPECT_EQ("-1", std::string(buf)); 292 EXPECT_EQ(4, SafeSPrintf(buf, "%d", (int8_t)-128)); 293 EXPECT_EQ("-128", std::string(buf)); 294 295 // Half-words 296 EXPECT_EQ(1, SafeSPrintf(buf, "%d", (uint16_t)1)); 297 EXPECT_EQ("1", std::string(buf)); 298 EXPECT_EQ(5, SafeSPrintf(buf, "%d", (uint16_t)-1)); 299 EXPECT_EQ("65535", std::string(buf)); 300 EXPECT_EQ(1, SafeSPrintf(buf, "%d", (int16_t)1)); 301 EXPECT_EQ("1", std::string(buf)); 302 EXPECT_EQ(2, SafeSPrintf(buf, "%d", (int16_t)-1)); 303 EXPECT_EQ("-1", std::string(buf)); 304 EXPECT_EQ(6, SafeSPrintf(buf, "%d", (int16_t)-32768)); 305 EXPECT_EQ("-32768", std::string(buf)); 306 307 // Words 308 EXPECT_EQ(1, SafeSPrintf(buf, "%d", (uint32_t)1)); 309 EXPECT_EQ("1", std::string(buf)); 310 EXPECT_EQ(10, SafeSPrintf(buf, "%d", (uint32_t)-1)); 311 EXPECT_EQ("4294967295", std::string(buf)); 312 EXPECT_EQ(1, SafeSPrintf(buf, "%d", (int32_t)1)); 313 EXPECT_EQ("1", std::string(buf)); 314 EXPECT_EQ(2, SafeSPrintf(buf, "%d", (int32_t)-1)); 315 EXPECT_EQ("-1", std::string(buf)); 316 // Work-around for an limitation of C90 317 EXPECT_EQ(11, SafeSPrintf(buf, "%d", (int32_t)-2147483647-1)); 318 EXPECT_EQ("-2147483648", std::string(buf)); 319 320 // Quads 321 EXPECT_EQ(1, SafeSPrintf(buf, "%d", (uint64_t)1)); 322 EXPECT_EQ("1", std::string(buf)); 323 EXPECT_EQ(20, SafeSPrintf(buf, "%d", (uint64_t)-1)); 324 EXPECT_EQ("18446744073709551615", std::string(buf)); 325 EXPECT_EQ(1, SafeSPrintf(buf, "%d", (int64_t)1)); 326 EXPECT_EQ("1", std::string(buf)); 327 EXPECT_EQ(2, SafeSPrintf(buf, "%d", (int64_t)-1)); 328 EXPECT_EQ("-1", std::string(buf)); 329 // Work-around for an limitation of C90 330 EXPECT_EQ(20, SafeSPrintf(buf, "%d", (int64_t)-9223372036854775807LL-1)); 331 EXPECT_EQ("-9223372036854775808", std::string(buf)); 332 333 // Strings (both const and mutable). 334 EXPECT_EQ(4, SafeSPrintf(buf, "test")); 335 EXPECT_EQ("test", std::string(buf)); 336 EXPECT_EQ(4, SafeSPrintf(buf, buf)); 337 EXPECT_EQ("test", std::string(buf)); 338 339 // Pointer 340 char addr[20]; 341 sprintf(addr, "0x%llX", (unsigned long long)(uintptr_t)buf); 342 SafeSPrintf(buf, "%p", buf); 343 EXPECT_EQ(std::string(addr), std::string(buf)); 344 SafeSPrintf(buf, "%p", (const char *)buf); 345 EXPECT_EQ(std::string(addr), std::string(buf)); 346 sprintf(addr, "0x%llX", (unsigned long long)(uintptr_t)sprintf); 347 SafeSPrintf(buf, "%p", sprintf); 348 EXPECT_EQ(std::string(addr), std::string(buf)); 349 350 // Padding for pointers is a little more complicated because of the "0x" 351 // prefix. Padding with '0' zeros is relatively straight-forward, but 352 // padding with ' ' spaces requires more effort. 353 sprintf(addr, "0x%017llX", (unsigned long long)(uintptr_t)buf); 354 SafeSPrintf(buf, "%019p", buf); 355 EXPECT_EQ(std::string(addr), std::string(buf)); 356 sprintf(addr, "0x%llX", (unsigned long long)(uintptr_t)buf); 357 memset(addr, ' ', 358 (char*)memmove(addr + sizeof(addr) - strlen(addr) - 1, 359 addr, strlen(addr)+1) - addr); 360 SafeSPrintf(buf, "%19p", buf); 361 EXPECT_EQ(std::string(addr), std::string(buf)); 362 } 363 364 namespace { 365 void PrintLongString(char* buf, size_t sz) { 366 // Output a reasonably complex expression into a limited-size buffer. 367 // At least one byte is available for writing the NUL character. 368 CHECK_GT(sz, static_cast<size_t>(0)); 369 370 // Allocate slightly more space, so that we can verify that SafeSPrintf() 371 // never writes past the end of the buffer. 372 std::unique_ptr<char[]> tmp(new char[sz + 2]); 373 memset(tmp.get(), 'X', sz+2); 374 375 // Use SafeSPrintf() to output a complex list of arguments: 376 // - test padding and truncating %c single characters. 377 // - test truncating %s simple strings. 378 // - test mismatching arguments and truncating (for %d != %s). 379 // - test zero-padding and truncating %x hexadecimal numbers. 380 // - test outputting and truncating %d MININT. 381 // - test outputting and truncating %p arbitrary pointer values. 382 // - test outputting, padding and truncating NULL-pointer %s strings. 383 char* out = tmp.get(); 384 size_t out_sz = sz; 385 size_t len; 386 for (std::unique_ptr<char[]> perfect_buf;;) { 387 size_t needed = SafeSNPrintf(out, out_sz, 388 #if defined(NDEBUG) 389 "A%2cong %s: %d %010X %d %p%7s", 'l', "string", "", 390 #else 391 "A%2cong %s: %%d %010X %d %p%7s", 'l', "string", 392 #endif 393 0xDEADBEEF, std::numeric_limits<intptr_t>::min(), 394 PrintLongString, static_cast<char*>(NULL)) + 1; 395 396 // Various sanity checks: 397 // The numbered of characters needed to print the full string should always 398 // be bigger or equal to the bytes that have actually been output. 399 len = strlen(tmp.get()); 400 CHECK_GE(needed, len+1); 401 402 // The number of characters output should always fit into the buffer that 403 // was passed into SafeSPrintf(). 404 CHECK_LT(len, out_sz); 405 406 // The output is always terminated with a NUL byte (actually, this test is 407 // always going to pass, as strlen() already verified this) 408 EXPECT_FALSE(tmp[len]); 409 410 // ASAN can check that we are not overwriting buffers, iff we make sure the 411 // buffer is exactly the size that we are expecting to be written. After 412 // running SafeSNPrintf() the first time, it is possible to compute the 413 // correct buffer size for this test. So, allocate a second buffer and run 414 // the exact same SafeSNPrintf() command again. 415 if (!perfect_buf.get()) { 416 out_sz = std::min(needed, sz); 417 out = new char[out_sz]; 418 perfect_buf.reset(out); 419 } else { 420 break; 421 } 422 } 423 424 // All trailing bytes are unchanged. 425 for (size_t i = len+1; i < sz+2; ++i) 426 EXPECT_EQ('X', tmp[i]); 427 428 // The text that was generated by SafeSPrintf() should always match the 429 // equivalent text generated by sprintf(). Please note that the format 430 // string for sprintf() is not complicated, as it does not have the 431 // benefit of getting type information from the C++ compiler. 432 // 433 // N.B.: It would be so much cleaner to use snprintf(). But unfortunately, 434 // Visual Studio doesn't support this function, and the work-arounds 435 // are all really awkward. 436 char ref[256]; 437 CHECK_LE(sz, sizeof(ref)); 438 sprintf(ref, "A long string: %%d 00DEADBEEF %lld 0x%llX <NULL>", 439 static_cast<long long>(std::numeric_limits<intptr_t>::min()), 440 static_cast<unsigned long long>( 441 reinterpret_cast<uintptr_t>(PrintLongString))); 442 ref[sz-1] = '\000'; 443 444 #if defined(NDEBUG) 445 const size_t kSSizeMax = std::numeric_limits<ssize_t>::max(); 446 #else 447 const size_t kSSizeMax = internal::GetSafeSPrintfSSizeMaxForTest(); 448 #endif 449 450 // Compare the output from SafeSPrintf() to the one from sprintf(). 451 EXPECT_EQ(std::string(ref).substr(0, kSSizeMax-1), std::string(tmp.get())); 452 453 // We allocated a slightly larger buffer, so that we could perform some 454 // extra sanity checks. Now that the tests have all passed, we copy the 455 // data to the output buffer that the caller provided. 456 memcpy(buf, tmp.get(), len+1); 457 } 458 459 #if !defined(NDEBUG) 460 class ScopedSafeSPrintfSSizeMaxSetter { 461 public: 462 ScopedSafeSPrintfSSizeMaxSetter(size_t sz) { 463 old_ssize_max_ = internal::GetSafeSPrintfSSizeMaxForTest(); 464 internal::SetSafeSPrintfSSizeMaxForTest(sz); 465 } 466 467 ~ScopedSafeSPrintfSSizeMaxSetter() { 468 internal::SetSafeSPrintfSSizeMaxForTest(old_ssize_max_); 469 } 470 471 private: 472 size_t old_ssize_max_; 473 474 DISALLOW_COPY_AND_ASSIGN(ScopedSafeSPrintfSSizeMaxSetter); 475 }; 476 #endif 477 478 } // anonymous namespace 479 480 TEST(SafeSPrintfTest, Truncation) { 481 // We use PrintLongString() to print a complex long string and then 482 // truncate to all possible lengths. This ends up exercising a lot of 483 // different code paths in SafeSPrintf() and IToASCII(), as truncation can 484 // happen in a lot of different states. 485 char ref[256]; 486 PrintLongString(ref, sizeof(ref)); 487 for (size_t i = strlen(ref)+1; i; --i) { 488 char buf[sizeof(ref)]; 489 PrintLongString(buf, i); 490 EXPECT_EQ(std::string(ref, i - 1), std::string(buf)); 491 } 492 493 // When compiling in debug mode, we have the ability to fake a small 494 // upper limit for the maximum value that can be stored in an ssize_t. 495 // SafeSPrintf() uses this upper limit to determine how many bytes it will 496 // write to the buffer, even if the caller claimed a bigger buffer size. 497 // Repeat the truncation test and verify that this other code path in 498 // SafeSPrintf() works correctly, too. 499 #if !defined(NDEBUG) 500 for (size_t i = strlen(ref)+1; i > 1; --i) { 501 ScopedSafeSPrintfSSizeMaxSetter ssize_max_setter(i); 502 char buf[sizeof(ref)]; 503 PrintLongString(buf, sizeof(buf)); 504 EXPECT_EQ(std::string(ref, i - 1), std::string(buf)); 505 } 506 507 // kSSizeMax is also used to constrain the maximum amount of padding, before 508 // SafeSPrintf() detects an error in the format string. 509 ScopedSafeSPrintfSSizeMaxSetter ssize_max_setter(100); 510 char buf[256]; 511 EXPECT_EQ(99, SafeSPrintf(buf, "%99c", ' ')); 512 EXPECT_EQ(std::string(99, ' '), std::string(buf)); 513 *buf = '\000'; 514 #if defined(ALLOW_DEATH_TEST) 515 EXPECT_DEATH(SafeSPrintf(buf, "%100c", ' '), "padding <= max_padding"); 516 #endif 517 EXPECT_EQ(0, *buf); 518 #endif 519 } 520 521 TEST(SafeSPrintfTest, Padding) { 522 char buf[40], fmt[40]; 523 524 // Chars %c 525 EXPECT_EQ(1, SafeSPrintf(buf, "%c", 'A')); 526 EXPECT_EQ("A", std::string(buf)); 527 EXPECT_EQ(2, SafeSPrintf(buf, "%2c", 'A')); 528 EXPECT_EQ(" A", std::string(buf)); 529 EXPECT_EQ(2, SafeSPrintf(buf, "%02c", 'A')); 530 EXPECT_EQ(" A", std::string(buf)); 531 EXPECT_EQ(4, SafeSPrintf(buf, "%-2c", 'A')); 532 EXPECT_EQ("%-2c", std::string(buf)); 533 SafeSPrintf(fmt, "%%%dc", std::numeric_limits<ssize_t>::max() - 1); 534 EXPECT_EQ(std::numeric_limits<ssize_t>::max()-1, SafeSPrintf(buf, fmt, 'A')); 535 SafeSPrintf(fmt, "%%%dc", 536 static_cast<size_t>(std::numeric_limits<ssize_t>::max())); 537 #if defined(NDEBUG) 538 EXPECT_EQ(2, SafeSPrintf(buf, fmt, 'A')); 539 EXPECT_EQ("%c", std::string(buf)); 540 #elif defined(ALLOW_DEATH_TEST) 541 EXPECT_DEATH(SafeSPrintf(buf, fmt, 'A'), "padding <= max_padding"); 542 #endif 543 544 // Octal %o 545 EXPECT_EQ(1, SafeSPrintf(buf, "%o", 1)); 546 EXPECT_EQ("1", std::string(buf)); 547 EXPECT_EQ(2, SafeSPrintf(buf, "%2o", 1)); 548 EXPECT_EQ(" 1", std::string(buf)); 549 EXPECT_EQ(2, SafeSPrintf(buf, "%02o", 1)); 550 EXPECT_EQ("01", std::string(buf)); 551 EXPECT_EQ(12, SafeSPrintf(buf, "%12o", -1)); 552 EXPECT_EQ(" 37777777777", std::string(buf)); 553 EXPECT_EQ(12, SafeSPrintf(buf, "%012o", -1)); 554 EXPECT_EQ("037777777777", std::string(buf)); 555 EXPECT_EQ(23, SafeSPrintf(buf, "%23o", -1LL)); 556 EXPECT_EQ(" 1777777777777777777777", std::string(buf)); 557 EXPECT_EQ(23, SafeSPrintf(buf, "%023o", -1LL)); 558 EXPECT_EQ("01777777777777777777777", std::string(buf)); 559 EXPECT_EQ(3, SafeSPrintf(buf, "%2o", 0111)); 560 EXPECT_EQ("111", std::string(buf)); 561 EXPECT_EQ(4, SafeSPrintf(buf, "%-2o", 1)); 562 EXPECT_EQ("%-2o", std::string(buf)); 563 SafeSPrintf(fmt, "%%%do", std::numeric_limits<ssize_t>::max()-1); 564 EXPECT_EQ(std::numeric_limits<ssize_t>::max()-1, 565 SafeSNPrintf(buf, 4, fmt, 1)); 566 EXPECT_EQ(" ", std::string(buf)); 567 SafeSPrintf(fmt, "%%0%do", std::numeric_limits<ssize_t>::max()-1); 568 EXPECT_EQ(std::numeric_limits<ssize_t>::max()-1, 569 SafeSNPrintf(buf, 4, fmt, 1)); 570 EXPECT_EQ("000", std::string(buf)); 571 SafeSPrintf(fmt, "%%%do", 572 static_cast<size_t>(std::numeric_limits<ssize_t>::max())); 573 #if defined(NDEBUG) 574 EXPECT_EQ(2, SafeSPrintf(buf, fmt, 1)); 575 EXPECT_EQ("%o", std::string(buf)); 576 #elif defined(ALLOW_DEATH_TEST) 577 EXPECT_DEATH(SafeSPrintf(buf, fmt, 1), "padding <= max_padding"); 578 #endif 579 580 // Decimals %d 581 EXPECT_EQ(1, SafeSPrintf(buf, "%d", 1)); 582 EXPECT_EQ("1", std::string(buf)); 583 EXPECT_EQ(2, SafeSPrintf(buf, "%2d", 1)); 584 EXPECT_EQ(" 1", std::string(buf)); 585 EXPECT_EQ(2, SafeSPrintf(buf, "%02d", 1)); 586 EXPECT_EQ("01", std::string(buf)); 587 EXPECT_EQ(3, SafeSPrintf(buf, "%3d", -1)); 588 EXPECT_EQ(" -1", std::string(buf)); 589 EXPECT_EQ(3, SafeSPrintf(buf, "%03d", -1)); 590 EXPECT_EQ("-01", std::string(buf)); 591 EXPECT_EQ(3, SafeSPrintf(buf, "%2d", 111)); 592 EXPECT_EQ("111", std::string(buf)); 593 EXPECT_EQ(4, SafeSPrintf(buf, "%2d", -111)); 594 EXPECT_EQ("-111", std::string(buf)); 595 EXPECT_EQ(4, SafeSPrintf(buf, "%-2d", 1)); 596 EXPECT_EQ("%-2d", std::string(buf)); 597 SafeSPrintf(fmt, "%%%dd", std::numeric_limits<ssize_t>::max()-1); 598 EXPECT_EQ(std::numeric_limits<ssize_t>::max()-1, 599 SafeSNPrintf(buf, 4, fmt, 1)); 600 EXPECT_EQ(" ", std::string(buf)); 601 SafeSPrintf(fmt, "%%0%dd", std::numeric_limits<ssize_t>::max()-1); 602 EXPECT_EQ(std::numeric_limits<ssize_t>::max()-1, 603 SafeSNPrintf(buf, 4, fmt, 1)); 604 EXPECT_EQ("000", std::string(buf)); 605 SafeSPrintf(fmt, "%%%dd", 606 static_cast<size_t>(std::numeric_limits<ssize_t>::max())); 607 #if defined(NDEBUG) 608 EXPECT_EQ(2, SafeSPrintf(buf, fmt, 1)); 609 EXPECT_EQ("%d", std::string(buf)); 610 #elif defined(ALLOW_DEATH_TEST) 611 EXPECT_DEATH(SafeSPrintf(buf, fmt, 1), "padding <= max_padding"); 612 #endif 613 614 // Hex %X 615 EXPECT_EQ(1, SafeSPrintf(buf, "%X", 1)); 616 EXPECT_EQ("1", std::string(buf)); 617 EXPECT_EQ(2, SafeSPrintf(buf, "%2X", 1)); 618 EXPECT_EQ(" 1", std::string(buf)); 619 EXPECT_EQ(2, SafeSPrintf(buf, "%02X", 1)); 620 EXPECT_EQ("01", std::string(buf)); 621 EXPECT_EQ(9, SafeSPrintf(buf, "%9X", -1)); 622 EXPECT_EQ(" FFFFFFFF", std::string(buf)); 623 EXPECT_EQ(9, SafeSPrintf(buf, "%09X", -1)); 624 EXPECT_EQ("0FFFFFFFF", std::string(buf)); 625 EXPECT_EQ(17, SafeSPrintf(buf, "%17X", -1LL)); 626 EXPECT_EQ(" FFFFFFFFFFFFFFFF", std::string(buf)); 627 EXPECT_EQ(17, SafeSPrintf(buf, "%017X", -1LL)); 628 EXPECT_EQ("0FFFFFFFFFFFFFFFF", std::string(buf)); 629 EXPECT_EQ(3, SafeSPrintf(buf, "%2X", 0x111)); 630 EXPECT_EQ("111", std::string(buf)); 631 EXPECT_EQ(4, SafeSPrintf(buf, "%-2X", 1)); 632 EXPECT_EQ("%-2X", std::string(buf)); 633 SafeSPrintf(fmt, "%%%dX", std::numeric_limits<ssize_t>::max()-1); 634 EXPECT_EQ(std::numeric_limits<ssize_t>::max()-1, 635 SafeSNPrintf(buf, 4, fmt, 1)); 636 EXPECT_EQ(" ", std::string(buf)); 637 SafeSPrintf(fmt, "%%0%dX", std::numeric_limits<ssize_t>::max()-1); 638 EXPECT_EQ(std::numeric_limits<ssize_t>::max()-1, 639 SafeSNPrintf(buf, 4, fmt, 1)); 640 EXPECT_EQ("000", std::string(buf)); 641 SafeSPrintf(fmt, "%%%dX", 642 static_cast<size_t>(std::numeric_limits<ssize_t>::max())); 643 #if defined(NDEBUG) 644 EXPECT_EQ(2, SafeSPrintf(buf, fmt, 1)); 645 EXPECT_EQ("%X", std::string(buf)); 646 #elif defined(ALLOW_DEATH_TEST) 647 EXPECT_DEATH(SafeSPrintf(buf, fmt, 1), "padding <= max_padding"); 648 #endif 649 650 // Pointer %p 651 EXPECT_EQ(3, SafeSPrintf(buf, "%p", (void*)1)); 652 EXPECT_EQ("0x1", std::string(buf)); 653 EXPECT_EQ(4, SafeSPrintf(buf, "%4p", (void*)1)); 654 EXPECT_EQ(" 0x1", std::string(buf)); 655 EXPECT_EQ(4, SafeSPrintf(buf, "%04p", (void*)1)); 656 EXPECT_EQ("0x01", std::string(buf)); 657 EXPECT_EQ(5, SafeSPrintf(buf, "%4p", (void*)0x111)); 658 EXPECT_EQ("0x111", std::string(buf)); 659 EXPECT_EQ(4, SafeSPrintf(buf, "%-2p", (void*)1)); 660 EXPECT_EQ("%-2p", std::string(buf)); 661 SafeSPrintf(fmt, "%%%dp", std::numeric_limits<ssize_t>::max()-1); 662 EXPECT_EQ(std::numeric_limits<ssize_t>::max()-1, 663 SafeSNPrintf(buf, 4, fmt, (void*)1)); 664 EXPECT_EQ(" ", std::string(buf)); 665 SafeSPrintf(fmt, "%%0%dp", std::numeric_limits<ssize_t>::max()-1); 666 EXPECT_EQ(std::numeric_limits<ssize_t>::max()-1, 667 SafeSNPrintf(buf, 4, fmt, (void*)1)); 668 EXPECT_EQ("0x0", std::string(buf)); 669 SafeSPrintf(fmt, "%%%dp", 670 static_cast<size_t>(std::numeric_limits<ssize_t>::max())); 671 #if defined(NDEBUG) 672 EXPECT_EQ(2, SafeSPrintf(buf, fmt, 1)); 673 EXPECT_EQ("%p", std::string(buf)); 674 #elif defined(ALLOW_DEATH_TEST) 675 EXPECT_DEATH(SafeSPrintf(buf, fmt, 1), "padding <= max_padding"); 676 #endif 677 678 // String 679 EXPECT_EQ(1, SafeSPrintf(buf, "%s", "A")); 680 EXPECT_EQ("A", std::string(buf)); 681 EXPECT_EQ(2, SafeSPrintf(buf, "%2s", "A")); 682 EXPECT_EQ(" A", std::string(buf)); 683 EXPECT_EQ(2, SafeSPrintf(buf, "%02s", "A")); 684 EXPECT_EQ(" A", std::string(buf)); 685 EXPECT_EQ(3, SafeSPrintf(buf, "%2s", "AAA")); 686 EXPECT_EQ("AAA", std::string(buf)); 687 EXPECT_EQ(4, SafeSPrintf(buf, "%-2s", "A")); 688 EXPECT_EQ("%-2s", std::string(buf)); 689 SafeSPrintf(fmt, "%%%ds", std::numeric_limits<ssize_t>::max()-1); 690 EXPECT_EQ(std::numeric_limits<ssize_t>::max()-1, 691 SafeSNPrintf(buf, 4, fmt, "A")); 692 EXPECT_EQ(" ", std::string(buf)); 693 SafeSPrintf(fmt, "%%0%ds", std::numeric_limits<ssize_t>::max()-1); 694 EXPECT_EQ(std::numeric_limits<ssize_t>::max()-1, 695 SafeSNPrintf(buf, 4, fmt, "A")); 696 EXPECT_EQ(" ", std::string(buf)); 697 SafeSPrintf(fmt, "%%%ds", 698 static_cast<size_t>(std::numeric_limits<ssize_t>::max())); 699 #if defined(NDEBUG) 700 EXPECT_EQ(2, SafeSPrintf(buf, fmt, "A")); 701 EXPECT_EQ("%s", std::string(buf)); 702 #elif defined(ALLOW_DEATH_TEST) 703 EXPECT_DEATH(SafeSPrintf(buf, fmt, "A"), "padding <= max_padding"); 704 #endif 705 } 706 707 TEST(SafeSPrintfTest, EmbeddedNul) { 708 char buf[] = { 'X', 'X', 'X', 'X' }; 709 EXPECT_EQ(2, SafeSPrintf(buf, "%3c", 0)); 710 EXPECT_EQ(' ', buf[0]); 711 EXPECT_EQ(' ', buf[1]); 712 EXPECT_EQ(0, buf[2]); 713 EXPECT_EQ('X', buf[3]); 714 715 // Check handling of a NUL format character. N.B. this takes two different 716 // code paths depending on whether we are actually passing arguments. If 717 // we don't have any arguments, we are running in the fast-path code, that 718 // looks (almost) like a strncpy(). 719 #if defined(NDEBUG) 720 EXPECT_EQ(2, SafeSPrintf(buf, "%%%")); 721 EXPECT_EQ("%%", std::string(buf)); 722 EXPECT_EQ(2, SafeSPrintf(buf, "%%%", 0)); 723 EXPECT_EQ("%%", std::string(buf)); 724 #elif defined(ALLOW_DEATH_TEST) 725 EXPECT_DEATH(SafeSPrintf(buf, "%%%"), "src.1. == '%'"); 726 EXPECT_DEATH(SafeSPrintf(buf, "%%%", 0), "ch"); 727 #endif 728 } 729 730 TEST(SafeSPrintfTest, EmitNULL) { 731 char buf[40]; 732 #if defined(__GNUC__) 733 #pragma GCC diagnostic push 734 #pragma GCC diagnostic ignored "-Wconversion-null" 735 #endif 736 EXPECT_EQ(1, SafeSPrintf(buf, "%d", NULL)); 737 EXPECT_EQ("0", std::string(buf)); 738 EXPECT_EQ(3, SafeSPrintf(buf, "%p", NULL)); 739 EXPECT_EQ("0x0", std::string(buf)); 740 EXPECT_EQ(6, SafeSPrintf(buf, "%s", NULL)); 741 EXPECT_EQ("<NULL>", std::string(buf)); 742 #if defined(__GCC__) 743 #pragma GCC diagnostic pop 744 #endif 745 } 746 747 TEST(SafeSPrintfTest, PointerSize) { 748 // The internal data representation is a 64bit value, independent of the 749 // native word size. We want to perform sign-extension for signed integers, 750 // but we want to avoid doing so for pointer types. This could be a 751 // problem on systems, where pointers are only 32bit. This tests verifies 752 // that there is no such problem. 753 char *str = reinterpret_cast<char *>(0x80000000u); 754 void *ptr = str; 755 char buf[40]; 756 EXPECT_EQ(10, SafeSPrintf(buf, "%p", str)); 757 EXPECT_EQ("0x80000000", std::string(buf)); 758 EXPECT_EQ(10, SafeSPrintf(buf, "%p", ptr)); 759 EXPECT_EQ("0x80000000", std::string(buf)); 760 } 761 762 } // namespace strings 763 } // namespace base 764
