1
0
mirror of https://sourceware.org/git/glibc.git synced 2025-10-26 00:57:39 +03:00
Files
glibc/stdio-common/printf-parsemb.c
David S. Miller 135ffda8b8 Tighten up vfprintf width, precision, and total length overflow handling.
With help from Paul Eggert, Carlos O'Donell, and Roland McGrath.
	* stdio-common/printf-parse.h (read_int): Change return type to
	'int', return -1 on INT_MAX overflow.
	* stdio-common/vfprintf.c (vfprintf): Validate width and precision
	against overflow of INT_MAX.  Set errno to EOVERFLOW when 'done'
	overflows INT_MAX.  Check for overflow of in-format-string precision
	values properly.  Use EOVERFLOW rather than ERANGE throughout.  Use
	SIZE_MAX not INT_MAX for integer overflow test.
	* stdio-common/printf-parsemb.c: If read_int signals an overflow,
	skip the construct in the format string but do not record anything.
	* stdio-common/bug22.c: Adjust to test both width/prevision
	INT_MAX overflow as well as total length INT_MAX overflow.  Check
	explicitly for proper errno values.
2012-04-02 14:31:19 -07:00

408 lines
10 KiB
C

/* Helper functions for parsing printf format strings.
Copyright (C) 1995-2000,2002-2004,2006,2009 Free Software Foundation, Inc.
This file is part of th GNU C Library.
The GNU C Library is free software; you can redistribute it and/or
modify it under the terms of the GNU Lesser General Public
License as published by the Free Software Foundation; either
version 2.1 of the License, or (at your option) any later version.
The GNU C Library is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
Lesser General Public License for more details.
You should have received a copy of the GNU Lesser General Public
License along with the GNU C Library; if not, see
<http://www.gnu.org/licenses/>. */
#include <ctype.h>
#include <limits.h>
#include <stdlib.h>
#include <string.h>
#include <sys/param.h>
#include <wchar.h>
#include <wctype.h>
#ifndef COMPILE_WPRINTF
# define CHAR_T char
# define UCHAR_T unsigned char
# define INT_T int
# define L_(Str) Str
# define ISDIGIT(Ch) isdigit (Ch)
# define HANDLE_REGISTERED_MODIFIER __handle_registered_modifier_mb
#else
# define CHAR_T wchar_t
# define UCHAR_T unsigned int
# define INT_T wint_t
# define L_(Str) L##Str
# define ISDIGIT(Ch) iswdigit (Ch)
# define HANDLE_REGISTERED_MODIFIER __handle_registered_modifier_wc
#endif
#include "printf-parse.h"
#define NDEBUG 1
#include <assert.h>
/* FORMAT must point to a '%' at the beginning of a spec. Fills in *SPEC
with the parsed details. POSN is the number of arguments already
consumed. At most MAXTYPES - POSN types are filled in TYPES. Return
the number of args consumed by this spec; *MAX_REF_ARG is updated so it
remains the highest argument index used. */
size_t
attribute_hidden
#ifdef COMPILE_WPRINTF
__parse_one_specwc (const UCHAR_T *format, size_t posn,
struct printf_spec *spec, size_t *max_ref_arg)
#else
__parse_one_specmb (const UCHAR_T *format, size_t posn,
struct printf_spec *spec, size_t *max_ref_arg)
#endif
{
unsigned int n;
size_t nargs = 0;
/* Skip the '%'. */
++format;
/* Clear information structure. */
spec->data_arg = -1;
spec->info.alt = 0;
spec->info.space = 0;
spec->info.left = 0;
spec->info.showsign = 0;
spec->info.group = 0;
spec->info.i18n = 0;
spec->info.extra = 0;
spec->info.pad = ' ';
spec->info.wide = sizeof (UCHAR_T) > 1;
/* Test for positional argument. */
if (ISDIGIT (*format))
{
const UCHAR_T *begin = format;
n = read_int (&format);
if (n != 0 && *format == L_('$'))
/* Is positional parameter. */
{
++format; /* Skip the '$'. */
if (n != -1)
{
spec->data_arg = n - 1;
*max_ref_arg = MAX (*max_ref_arg, n);
}
}
else
/* Oops; that was actually the width and/or 0 padding flag.
Step back and read it again. */
format = begin;
}
/* Check for spec modifiers. */
do
{
switch (*format)
{
case L_(' '):
/* Output a space in place of a sign, when there is no sign. */
spec->info.space = 1;
continue;
case L_('+'):
/* Always output + or - for numbers. */
spec->info.showsign = 1;
continue;
case L_('-'):
/* Left-justify things. */
spec->info.left = 1;
continue;
case L_('#'):
/* Use the "alternate form":
Hex has 0x or 0X, FP always has a decimal point. */
spec->info.alt = 1;
continue;
case L_('0'):
/* Pad with 0s. */
spec->info.pad = '0';
continue;
case L_('\''):
/* Show grouping in numbers if the locale information
indicates any. */
spec->info.group = 1;
continue;
case L_('I'):
/* Use the internationalized form of the output. Currently
means to use the `outdigits' of the current locale. */
spec->info.i18n = 1;
continue;
default:
break;
}
break;
}
while (*++format);
if (spec->info.left)
spec->info.pad = ' ';
/* Get the field width. */
spec->width_arg = -1;
spec->info.width = 0;
if (*format == L_('*'))
{
/* The field width is given in an argument.
A negative field width indicates left justification. */
const UCHAR_T *begin = ++format;
if (ISDIGIT (*format))
{
/* The width argument might be found in a positional parameter. */
n = read_int (&format);
if (n != 0 && *format == L_('$'))
{
if (n != -1)
{
spec->width_arg = n - 1;
*max_ref_arg = MAX (*max_ref_arg, n);
}
++format; /* Skip '$'. */
}
}
if (spec->width_arg < 0)
{
/* Not in a positional parameter. Consume one argument. */
spec->width_arg = posn++;
++nargs;
format = begin; /* Step back and reread. */
}
}
else if (ISDIGIT (*format))
{
int n = read_int (&format);
/* Constant width specification. */
if (n != -1)
spec->info.width = n;
}
/* Get the precision. */
spec->prec_arg = -1;
/* -1 means none given; 0 means explicit 0. */
spec->info.prec = -1;
if (*format == L_('.'))
{
++format;
if (*format == L_('*'))
{
/* The precision is given in an argument. */
const UCHAR_T *begin = ++format;
if (ISDIGIT (*format))
{
n = read_int (&format);
if (n != 0 && *format == L_('$'))
{
if (n != -1)
{
spec->prec_arg = n - 1;
*max_ref_arg = MAX (*max_ref_arg, n);
}
++format;
}
}
if (spec->prec_arg < 0)
{
/* Not in a positional parameter. */
spec->prec_arg = posn++;
++nargs;
format = begin;
}
}
else if (ISDIGIT (*format))
{
int n = read_int (&format);
if (n != -1)
spec->info.prec = n;
}
else
/* "%.?" is treated like "%.0?". */
spec->info.prec = 0;
}
/* Check for type modifiers. */
spec->info.is_long_double = 0;
spec->info.is_short = 0;
spec->info.is_long = 0;
spec->info.is_char = 0;
spec->info.user = 0;
if (__builtin_expect (__printf_modifier_table == NULL, 1)
|| __printf_modifier_table[*format] == NULL
|| HANDLE_REGISTERED_MODIFIER (&format, &spec->info) != 0)
switch (*format++)
{
case L_('h'):
/* ints are short ints or chars. */
if (*format != L_('h'))
spec->info.is_short = 1;
else
{
++format;
spec->info.is_char = 1;
}
break;
case L_('l'):
/* ints are long ints. */
spec->info.is_long = 1;
if (*format != L_('l'))
break;
++format;
/* FALLTHROUGH */
case L_('L'):
/* doubles are long doubles, and ints are long long ints. */
case L_('q'):
/* 4.4 uses this for long long. */
spec->info.is_long_double = 1;
break;
case L_('z'):
case L_('Z'):
/* ints are size_ts. */
assert (sizeof (size_t) <= sizeof (unsigned long long int));
#if LONG_MAX != LONG_LONG_MAX
spec->info.is_long_double = (sizeof (size_t)
> sizeof (unsigned long int));
#endif
spec->info.is_long = sizeof (size_t) > sizeof (unsigned int);
break;
case L_('t'):
assert (sizeof (ptrdiff_t) <= sizeof (long long int));
#if LONG_MAX != LONG_LONG_MAX
spec->info.is_long_double = (sizeof (ptrdiff_t) > sizeof (long int));
#endif
spec->info.is_long = sizeof (ptrdiff_t) > sizeof (int);
break;
case L_('j'):
assert (sizeof (uintmax_t) <= sizeof (unsigned long long int));
#if LONG_MAX != LONG_LONG_MAX
spec->info.is_long_double = (sizeof (uintmax_t)
> sizeof (unsigned long int));
#endif
spec->info.is_long = sizeof (uintmax_t) > sizeof (unsigned int);
break;
default:
/* Not a recognized modifier. Backup. */
--format;
break;
}
/* Get the format specification. */
spec->info.spec = (wchar_t) *format++;
spec->size = -1;
if (__builtin_expect (__printf_function_table == NULL, 1)
|| spec->info.spec > UCHAR_MAX
|| __printf_arginfo_table[spec->info.spec] == NULL
/* We don't try to get the types for all arguments if the format
uses more than one. The normal case is covered though. If
the call returns -1 we continue with the normal specifiers. */
|| (int) (spec->ndata_args = (*__printf_arginfo_table[spec->info.spec])
(&spec->info, 1, &spec->data_arg_type,
&spec->size)) < 0)
{
/* Find the data argument types of a built-in spec. */
spec->ndata_args = 1;
switch (spec->info.spec)
{
case L'i':
case L'd':
case L'u':
case L'o':
case L'X':
case L'x':
#if LONG_MAX != LONG_LONG_MAX
if (spec->info.is_long_double)
spec->data_arg_type = PA_INT|PA_FLAG_LONG_LONG;
else
#endif
if (spec->info.is_long)
spec->data_arg_type = PA_INT|PA_FLAG_LONG;
else if (spec->info.is_short)
spec->data_arg_type = PA_INT|PA_FLAG_SHORT;
else if (spec->info.is_char)
spec->data_arg_type = PA_CHAR;
else
spec->data_arg_type = PA_INT;
break;
case L'e':
case L'E':
case L'f':
case L'F':
case L'g':
case L'G':
case L'a':
case L'A':
if (spec->info.is_long_double)
spec->data_arg_type = PA_DOUBLE|PA_FLAG_LONG_DOUBLE;
else
spec->data_arg_type = PA_DOUBLE;
break;
case L'c':
spec->data_arg_type = PA_CHAR;
break;
case L'C':
spec->data_arg_type = PA_WCHAR;
break;
case L's':
spec->data_arg_type = PA_STRING;
break;
case L'S':
spec->data_arg_type = PA_WSTRING;
break;
case L'p':
spec->data_arg_type = PA_POINTER;
break;
case L'n':
spec->data_arg_type = PA_INT|PA_FLAG_PTR;
break;
case L'm':
default:
/* An unknown spec will consume no args. */
spec->ndata_args = 0;
break;
}
}
if (spec->data_arg == -1 && spec->ndata_args > 0)
{
/* There are args consumed, but no positional spec. Use the
next sequential arg position. */
spec->data_arg = posn;
nargs += spec->ndata_args;
}
if (spec->info.spec == L'\0')
/* Format ended before this spec was complete. */
spec->end_of_fmt = spec->next_fmt = format - 1;
else
{
/* Find the next format spec. */
spec->end_of_fmt = format;
#ifdef COMPILE_WPRINTF
spec->next_fmt = __find_specwc (format);
#else
spec->next_fmt = __find_specmb (format);
#endif
}
return nargs;
}