diff options
author | Jörg Frings-Fürst <debian@jff.email> | 2022-01-08 11:53:52 +0100 |
---|---|---|
committer | Jörg Frings-Fürst <debian@jff.email> | 2022-01-08 11:53:52 +0100 |
commit | fa838e76139763f902c7d27cb9e1d393ed6a15e4 (patch) | |
tree | 7d0ae09775ea950056193eaa2ca93844299d46f1 /lib/vasnprintf.c | |
parent | c78359d9542c86b972aac373efcf7bc7a8a560e5 (diff) | |
parent | 2959e59fab3bab834368adefd90bd4b1b094366b (diff) |
Merge branch 'feature/upstream' into develop
Diffstat (limited to 'lib/vasnprintf.c')
-rw-r--r-- | lib/vasnprintf.c | 504 |
1 files changed, 374 insertions, 130 deletions
diff --git a/lib/vasnprintf.c b/lib/vasnprintf.c index 42c48729..48574524 100644 --- a/lib/vasnprintf.c +++ b/lib/vasnprintf.c @@ -1,27 +1,18 @@ /* vsprintf with automatic memory allocation. - Copyright (C) 1999, 2002-2018 Free Software Foundation, Inc. + Copyright (C) 1999, 2002-2022 Free Software Foundation, Inc. - This program is free software: you can redistribute it and/or - modify it under the terms of either: + This file is free software: you can redistribute it and/or modify + it under the terms of the GNU Lesser General Public License as + published by the Free Software Foundation; either version 2.1 of the + License, or (at your option) any later version. - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - This program is distributed in the hope that it will be useful, + This file is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. + GNU Lesser General Public License for more details. - You should have received a copy of the GNU General Public License along - with this program; if not, see <https://www.gnu.org/licenses/>. */ + You should have received a copy of the GNU Lesser General Public License + along with this program. If not, see <https://www.gnu.org/licenses/>. */ /* This file can be parametrized with the following macros: VASNPRINTF The name of the function being defined. @@ -50,7 +41,14 @@ DCHAR_CONV_FROM_ENCODING A function to convert from char[] to DCHAR[]. DCHAR_IS_UINT8_T Set to 1 if DCHAR_T is uint8_t. DCHAR_IS_UINT16_T Set to 1 if DCHAR_T is uint16_t. - DCHAR_IS_UINT32_T Set to 1 if DCHAR_T is uint32_t. */ + DCHAR_IS_UINT32_T Set to 1 if DCHAR_T is uint32_t. + ENABLE_UNISTDIO Set to 1 to enable the unistdio extensions. + ENABLE_WCHAR_FALLBACK Set to 1 to avoid EILSEQ during conversion of wide + characters (wchar_t) and wide character strings + (wchar_t[]) to multibyte sequences. The fallback is the + hexadecimal escape syntax (\unnnn or \Unnnnnnnn) or, + if wchar_t is not Unicode encoded, \wnnnn or \Wnnnnnnnn. + */ /* Tell glibc's <stdio.h> to provide a prototype for snprintf(). This must come before <config.h> because <config.h> may include @@ -62,10 +60,16 @@ #ifndef VASNPRINTF # include <config.h> #endif -#ifndef IN_LIBINTL -# include <alloca.h> + +/* As of GCC 11.2.1, gcc -Wanalyzer-too-complex reports that main's + use of CHECK macros expands to code that is too complicated for gcc + -fanalyzer. Suppress the resulting bogus warnings. */ +#if 10 <= __GNUC__ +# pragma GCC diagnostic ignored "-Wanalyzer-null-argument" #endif +#include <alloca.h> + /* Specification. */ #ifndef VASNPRINTF # if WIDE_CHAR_VERSION @@ -96,6 +100,7 @@ /* Checked size_t computations. */ #include "xsize.h" +#include "attribute.h" #include "verify.h" #if (NEED_PRINTF_DOUBLE || NEED_PRINTF_LONG_DOUBLE) && !defined IN_LIBINTL @@ -127,14 +132,6 @@ # include "fpucw.h" #endif -#ifndef FALLTHROUGH -# if __GNUC__ < 7 -# define FALLTHROUGH ((void) 0) -# else -# define FALLTHROUGH __attribute__ ((__fallthrough__)) -# endif -#endif - /* Default parameters. */ #ifndef VASNPRINTF # if WIDE_CHAR_VERSION @@ -286,6 +283,74 @@ local_wcsnlen (const wchar_t *s, size_t maxlen) # endif #endif +#if (((!USE_SNPRINTF || !HAVE_SNPRINTF_RETVAL_C99 || USE_MSVC__SNPRINTF || (NEED_PRINTF_DIRECTIVE_LS && !defined IN_LIBINTL) || ENABLE_WCHAR_FALLBACK) && HAVE_WCHAR_T) || (ENABLE_WCHAR_FALLBACK && HAVE_WINT_T)) && !WIDE_CHAR_VERSION +# if ENABLE_WCHAR_FALLBACK +static size_t +wctomb_fallback (char *s, wchar_t wc) +{ + static char hex[16] = "0123456789ABCDEF"; + + s[0] = '\\'; + if (sizeof (wchar_t) > 2 && wc > 0xffff) + { +# if __STDC_ISO_10646__ || (__GLIBC__ >= 2) || (defined _WIN32 || defined __CYGWIN__) + s[1] = 'U'; +# else + s[1] = 'W'; +# endif + s[2] = hex[(wc & 0xf0000000U) >> 28]; + s[3] = hex[(wc & 0xf000000U) >> 24]; + s[4] = hex[(wc & 0xf00000U) >> 20]; + s[5] = hex[(wc & 0xf0000U) >> 16]; + s[6] = hex[(wc & 0xf000U) >> 12]; + s[7] = hex[(wc & 0xf00U) >> 8]; + s[8] = hex[(wc & 0xf0U) >> 4]; + s[9] = hex[wc & 0xfU]; + return 10; + } + else + { +# if __STDC_ISO_10646__ || (__GLIBC__ >= 2) || (defined _WIN32 || defined __CYGWIN__) + s[1] = 'u'; +# else + s[1] = 'w'; +# endif + s[2] = hex[(wc & 0xf000U) >> 12]; + s[3] = hex[(wc & 0xf00U) >> 8]; + s[4] = hex[(wc & 0xf0U) >> 4]; + s[5] = hex[wc & 0xfU]; + return 6; + } +} +# if HAVE_WCRTOMB && !defined GNULIB_defined_mbstate_t +static size_t +local_wcrtomb (char *s, wchar_t wc, mbstate_t *ps) +{ + size_t count = wcrtomb (s, wc, ps); + if (count == (size_t)(-1)) + count = wctomb_fallback (s, wc); + return count; +} +# else +static int +local_wctomb (char *s, wchar_t wc) +{ + int count = wctomb (s, wc); + if (count < 0) + count = wctomb_fallback (s, wc); + return count; +} +# define local_wcrtomb(S, WC, PS) local_wctomb ((S), (WC)) +# endif +# else +# if HAVE_WCRTOMB && !defined GNULIB_defined_mbstate_t +# define local_wcrtomb(S, WC, PS) wcrtomb ((S), (WC), (PS)) +# else +# define local_wcrtomb(S, WC, PS) wctomb ((S), (WC)) +# endif +# endif +#endif + #if (NEED_PRINTF_DIRECTIVE_A || NEED_PRINTF_LONG_DOUBLE || NEED_PRINTF_INFINITE_LONG_DOUBLE || NEED_PRINTF_DOUBLE || NEED_PRINTF_INFINITE_DOUBLE) && !defined IN_LIBINTL /* Determine the decimal-point character according to the current locale. */ # ifndef decimal_point_char_defined @@ -574,7 +639,8 @@ divide (mpn_t a, mpn_t b, mpn_t *q) mp_limb_t msd = b_ptr[b_len - 1]; /* = b[n-1], > 0 */ /* Determine s = GMP_LIMB_BITS - integer_length (msd). Code copied from gnulib's integer_length.c. */ -# if __GNUC__ > 3 || (__GNUC__ == 3 && __GNUC_MINOR__ >= 4) +# if __GNUC__ > 3 || (__GNUC__ == 3 && __GNUC_MINOR__ >= 4) \ + || (__clang_major__ >= 4) s = __builtin_clz (msd); # else # if defined DBL_EXPBIT0_WORD && defined DBL_EXPBIT0_BIT @@ -869,7 +935,9 @@ convert_to_decimal (mpn_t a, size_t extra_zeroes) size_t a_len = a.nlimbs; /* 0.03345 is slightly larger than log(2)/(9*log(10)). */ size_t c_len = 9 * ((size_t)(a_len * (GMP_LIMB_BITS * 0.03345f)) + 1); - char *c_ptr = (char *) malloc (xsum (c_len, extra_zeroes)); + /* We need extra_zeroes bytes for zeroes, followed by c_len bytes for the + digits of a, followed by 1 byte for the terminating NUL. */ + char *c_ptr = (char *) malloc (xsum (xsum (extra_zeroes, c_len), 1)); if (c_ptr != NULL) { char *d_ptr = c_ptr; @@ -1560,16 +1628,13 @@ MAX_ROOM_NEEDED (const arguments *ap, size_t arg_index, FCHAR_T conversion, switch (conversion) { case 'd': case 'i': case 'u': -# if HAVE_LONG_LONG_INT if (type == TYPE_LONGLONGINT || type == TYPE_ULONGLONGINT) tmp_length = (unsigned int) (sizeof (unsigned long long) * CHAR_BIT * 0.30103 /* binary -> decimal */ ) + 1; /* turn floor into ceil */ - else -# endif - if (type == TYPE_LONGINT || type == TYPE_ULONGINT) + else if (type == TYPE_LONGINT || type == TYPE_ULONGINT) tmp_length = (unsigned int) (sizeof (unsigned long) * CHAR_BIT * 0.30103 /* binary -> decimal */ @@ -1590,16 +1655,13 @@ MAX_ROOM_NEEDED (const arguments *ap, size_t arg_index, FCHAR_T conversion, break; case 'o': -# if HAVE_LONG_LONG_INT if (type == TYPE_LONGLONGINT || type == TYPE_ULONGLONGINT) tmp_length = (unsigned int) (sizeof (unsigned long long) * CHAR_BIT * 0.333334 /* binary -> octal */ ) + 1; /* turn floor into ceil */ - else -# endif - if (type == TYPE_LONGINT || type == TYPE_ULONGINT) + else if (type == TYPE_LONGINT || type == TYPE_ULONGINT) tmp_length = (unsigned int) (sizeof (unsigned long) * CHAR_BIT * 0.333334 /* binary -> octal */ @@ -1618,16 +1680,13 @@ MAX_ROOM_NEEDED (const arguments *ap, size_t arg_index, FCHAR_T conversion, break; case 'x': case 'X': -# if HAVE_LONG_LONG_INT if (type == TYPE_LONGLONGINT || type == TYPE_ULONGLONGINT) tmp_length = (unsigned int) (sizeof (unsigned long long) * CHAR_BIT * 0.25 /* binary -> hexadecimal */ ) + 1; /* turn floor into ceil */ - else -# endif - if (type == TYPE_LONGINT || type == TYPE_ULONGINT) + else if (type == TYPE_LONGINT || type == TYPE_ULONGINT) tmp_length = (unsigned int) (sizeof (unsigned long) * CHAR_BIT * 0.25 /* binary -> hexadecimal */ @@ -1693,7 +1752,13 @@ MAX_ROOM_NEEDED (const arguments *ap, size_t arg_index, FCHAR_T conversion, case 'c': # if HAVE_WINT_T && !WIDE_CHAR_VERSION if (type == TYPE_WIDE_CHAR) - tmp_length = MB_CUR_MAX; + { + tmp_length = MB_CUR_MAX; +# if ENABLE_WCHAR_FALLBACK + if (tmp_length < (sizeof (wchar_t) > 2 ? 10 : 6)) + tmp_length = (sizeof (wchar_t) > 2 ? 10 : 6); +# endif + } else # endif tmp_length = 1; @@ -1800,6 +1865,7 @@ VASNPRINTF (DCHAR_T *resultbuf, size_t *lengthp, /* errno is already set. */ return NULL; + /* Frees the memory allocated by this function. Preserves errno. */ #define CLEANUP() \ if (d.dir != d.direct_alloc_dir) \ free (d.dir); \ @@ -1864,7 +1930,7 @@ VASNPRINTF (DCHAR_T *resultbuf, size_t *lengthp, /* Ensures that allocated >= needed. Aborts through a jump to out_of_memory if needed is SIZE_MAX or otherwise too big. */ -#define ENSURE_ALLOCATION(needed) \ +#define ENSURE_ALLOCATION_ELSE(needed, oom_statement) \ if ((needed) > allocated) \ { \ size_t memory_size; \ @@ -1875,17 +1941,19 @@ VASNPRINTF (DCHAR_T *resultbuf, size_t *lengthp, allocated = (needed); \ memory_size = xtimes (allocated, sizeof (DCHAR_T)); \ if (size_overflow_p (memory_size)) \ - goto out_of_memory; \ + oom_statement \ if (result == resultbuf || result == NULL) \ memory = (DCHAR_T *) malloc (memory_size); \ else \ memory = (DCHAR_T *) realloc (result, memory_size); \ if (memory == NULL) \ - goto out_of_memory; \ + oom_statement \ if (result == resultbuf && length > 0) \ DCHAR_CPY (memory, result, length); \ result = memory; \ } +#define ENSURE_ALLOCATION(needed) \ + ENSURE_ALLOCATION_ELSE((needed), goto out_of_memory; ) for (cp = format, i = 0, dp = &d.dir[0]; ; cp = dp->dir_end, i++, dp++) { @@ -1946,11 +2014,9 @@ VASNPRINTF (DCHAR_T *resultbuf, size_t *lengthp, case TYPE_COUNT_LONGINT_POINTER: *a.arg[dp->arg_index].a.a_count_longint_pointer = length; break; -#if HAVE_LONG_LONG_INT case TYPE_COUNT_LONGLONGINT_POINTER: *a.arg[dp->arg_index].a.a_count_longlongint_pointer = length; break; -#endif default: abort (); } @@ -2126,18 +2192,17 @@ VASNPRINTF (DCHAR_T *resultbuf, size_t *lengthp, # endif if (converted == NULL) { - int saved_errno = errno; if (!(result == resultbuf || result == NULL)) free (result); if (buf_malloced != NULL) free (buf_malloced); CLEANUP (); - errno = saved_errno; return NULL; } if (converted != result + length) { - ENSURE_ALLOCATION (xsum (length, converted_len)); + ENSURE_ALLOCATION_ELSE (xsum (length, converted_len), + { free (converted); goto out_of_memory; }); DCHAR_CPY (result + length, converted, converted_len); free (converted); } @@ -2252,18 +2317,17 @@ VASNPRINTF (DCHAR_T *resultbuf, size_t *lengthp, # endif if (converted == NULL) { - int saved_errno = errno; if (!(result == resultbuf || result == NULL)) free (result); if (buf_malloced != NULL) free (buf_malloced); CLEANUP (); - errno = saved_errno; return NULL; } if (converted != result + length) { - ENSURE_ALLOCATION (xsum (length, converted_len)); + ENSURE_ALLOCATION_ELSE (xsum (length, converted_len), + { free (converted); goto out_of_memory; }); DCHAR_CPY (result + length, converted, converted_len); free (converted); } @@ -2378,18 +2442,17 @@ VASNPRINTF (DCHAR_T *resultbuf, size_t *lengthp, # endif if (converted == NULL) { - int saved_errno = errno; if (!(result == resultbuf || result == NULL)) free (result); if (buf_malloced != NULL) free (buf_malloced); CLEANUP (); - errno = saved_errno; return NULL; } if (converted != result + length) { - ENSURE_ALLOCATION (xsum (length, converted_len)); + ENSURE_ALLOCATION_ELSE (xsum (length, converted_len), + { free (converted); goto out_of_memory; }); DCHAR_CPY (result + length, converted, converted_len); free (converted); } @@ -2412,7 +2475,7 @@ VASNPRINTF (DCHAR_T *resultbuf, size_t *lengthp, } } #endif -#if (!USE_SNPRINTF || !HAVE_SNPRINTF_RETVAL_C99 || USE_MSVC__SNPRINTF || (NEED_PRINTF_DIRECTIVE_LS && !defined IN_LIBINTL)) && HAVE_WCHAR_T +#if (!USE_SNPRINTF || !HAVE_SNPRINTF_RETVAL_C99 || USE_MSVC__SNPRINTF || (NEED_PRINTF_DIRECTIVE_LS && !defined IN_LIBINTL) || ENABLE_WCHAR_FALLBACK) && HAVE_WCHAR_T else if (dp->conversion == 's' # if WIDE_CHAR_VERSION && a.arg[dp->arg_index].type != TYPE_WIDE_STRING @@ -2687,11 +2750,7 @@ VASNPRINTF (DCHAR_T *resultbuf, size_t *lengthp, if (*arg_end == 0) /* Found the terminating null wide character. */ break; -# if HAVE_WCRTOMB && !defined GNULIB_defined_mbstate_t - count = wcrtomb (cbuf, *arg_end, &state); -# else - count = wctomb (cbuf, *arg_end); -# endif + count = local_wcrtomb (cbuf, *arg_end, &state); if (count < 0) { /* Cannot convert. */ @@ -2703,7 +2762,7 @@ VASNPRINTF (DCHAR_T *resultbuf, size_t *lengthp, errno = EILSEQ; return NULL; } - if (precision < count) + if (precision < (unsigned int) count) break; arg_end++; characters += count; @@ -2732,11 +2791,7 @@ VASNPRINTF (DCHAR_T *resultbuf, size_t *lengthp, if (*arg_end == 0) /* Found the terminating null wide character. */ break; -# if HAVE_WCRTOMB && !defined GNULIB_defined_mbstate_t - count = wcrtomb (cbuf, *arg_end, &state); -# else - count = wctomb (cbuf, *arg_end); -# endif + count = local_wcrtomb (cbuf, *arg_end, &state); if (count < 0) { /* Cannot convert. */ @@ -2781,11 +2836,7 @@ VASNPRINTF (DCHAR_T *resultbuf, size_t *lengthp, if (*arg == 0) abort (); -# if HAVE_WCRTOMB && !defined GNULIB_defined_mbstate_t - count = wcrtomb (cbuf, *arg, &state); -# else - count = wctomb (cbuf, *arg); -# endif + count = local_wcrtomb (cbuf, *arg, &state); if (count <= 0) /* Inconsistency. */ abort (); @@ -2807,14 +2858,12 @@ VASNPRINTF (DCHAR_T *resultbuf, size_t *lengthp, NULL, &tmpdst_len); if (tmpdst == NULL) { - int saved_errno = errno; free (tmpsrc); if (!(result == resultbuf || result == NULL)) free (result); if (buf_malloced != NULL) free (buf_malloced); CLEANUP (); - errno = saved_errno; return NULL; } free (tmpsrc); @@ -2862,11 +2911,7 @@ VASNPRINTF (DCHAR_T *resultbuf, size_t *lengthp, if (*arg == 0) abort (); -# if HAVE_WCRTOMB && !defined GNULIB_defined_mbstate_t - count = wcrtomb (cbuf, *arg, &state); -# else - count = wctomb (cbuf, *arg); -# endif + count = local_wcrtomb (cbuf, *arg, &state); if (count <= 0) /* Inconsistency. */ abort (); @@ -2891,11 +2936,7 @@ VASNPRINTF (DCHAR_T *resultbuf, size_t *lengthp, if (*arg == 0) abort (); -# if HAVE_WCRTOMB && !defined GNULIB_defined_mbstate_t - count = wcrtomb (cbuf, *arg, &state); -# else - count = wctomb (cbuf, *arg); -# endif + count = local_wcrtomb (cbuf, *arg, &state); if (count <= 0) { /* Cannot convert. */ @@ -2914,7 +2955,8 @@ VASNPRINTF (DCHAR_T *resultbuf, size_t *lengthp, } } # else - ENSURE_ALLOCATION (xsum (length, tmpdst_len)); + ENSURE_ALLOCATION_ELSE (xsum (length, tmpdst_len), + { free (tmpdst); goto out_of_memory; }); DCHAR_CPY (result + length, tmpdst, tmpdst_len); free (tmpdst); length += tmpdst_len; @@ -2931,6 +2973,209 @@ VASNPRINTF (DCHAR_T *resultbuf, size_t *lengthp, # endif } #endif +#if ENABLE_WCHAR_FALLBACK && HAVE_WINT_T && !WIDE_CHAR_VERSION + else if (dp->conversion == 'c' + && a.arg[dp->arg_index].type == TYPE_WIDE_CHAR) + { + /* Implement the 'lc' directive ourselves, in order to provide + the fallback that avoids EILSEQ. */ + int flags = dp->flags; + int has_width; + size_t width; + + has_width = 0; + width = 0; + if (dp->width_start != dp->width_end) + { + if (dp->width_arg_index != ARG_NONE) + { + int arg; + + if (!(a.arg[dp->width_arg_index].type == TYPE_INT)) + abort (); + arg = a.arg[dp->width_arg_index].a.a_int; + width = arg; + if (arg < 0) + { + /* "A negative field width is taken as a '-' flag + followed by a positive field width." */ + flags |= FLAG_LEFT; + width = -width; + } + } + else + { + const FCHAR_T *digitp = dp->width_start; + + do + width = xsum (xtimes (width, 10), *digitp++ - '0'); + while (digitp != dp->width_end); + } + has_width = 1; + } + + /* %lc in vasnprintf. See the specification of fprintf. */ + { + wchar_t arg = (wchar_t) a.arg[dp->arg_index].a.a_wide_char; + size_t characters; +# if !DCHAR_IS_TCHAR + /* This code assumes that TCHAR_T is 'char'. */ + verify (sizeof (TCHAR_T) == 1); + TCHAR_T tmpsrc[64]; /* Assume MB_CUR_MAX <= 64. */ + DCHAR_T *tmpdst; + size_t tmpdst_len; +# endif + size_t w; + +# if DCHAR_IS_TCHAR + if (has_width) +# endif + { + /* Count the number of bytes. */ + characters = 0; + if (arg != 0) + { + char cbuf[64]; /* Assume MB_CUR_MAX <= 64. */ + int count; +# if HAVE_WCRTOMB && !defined GNULIB_defined_mbstate_t + mbstate_t state; + memset (&state, '\0', sizeof (mbstate_t)); +# endif + + count = local_wcrtomb (cbuf, arg, &state); + if (count < 0) + /* Inconsistency. */ + abort (); + characters = count; + } + } +# if DCHAR_IS_TCHAR + else + { + /* The number of bytes doesn't matter. */ + characters = 0; + } +# endif + +# if !DCHAR_IS_TCHAR + /* Convert the string into a piece of temporary memory. */ + if (characters > 0) /* implies arg != 0 */ + { + char cbuf[64]; /* Assume MB_CUR_MAX <= 64. */ + int count; +# if HAVE_WCRTOMB && !defined GNULIB_defined_mbstate_t + mbstate_t state; + memset (&state, '\0', sizeof (mbstate_t)); +# endif + + count = local_wcrtomb (cbuf, arg, &state); + if (count <= 0) + /* Inconsistency. */ + abort (); + memcpy (tmpsrc, cbuf, count); + } + + /* Convert from TCHAR_T[] to DCHAR_T[]. */ + tmpdst = + DCHAR_CONV_FROM_ENCODING (locale_charset (), + iconveh_question_mark, + tmpsrc, characters, + NULL, + NULL, &tmpdst_len); + if (tmpdst == NULL) + { + if (!(result == resultbuf || result == NULL)) + free (result); + if (buf_malloced != NULL) + free (buf_malloced); + CLEANUP (); + return NULL; + } +# endif + + if (has_width) + { +# if ENABLE_UNISTDIO + /* Outside POSIX, it's preferable to compare the width + against the number of _characters_ of the converted + value. */ + w = DCHAR_MBSNLEN (result + length, characters); +# else + /* The width is compared against the number of _bytes_ + of the converted value, says POSIX. */ + w = characters; +# endif + } + else + /* w doesn't matter. */ + w = 0; + + if (w < width && !(dp->flags & FLAG_LEFT)) + { + size_t n = width - w; + ENSURE_ALLOCATION (xsum (length, n)); + DCHAR_SET (result + length, ' ', n); + length += n; + } + +# if DCHAR_IS_TCHAR + if (has_width) + { + /* We know the number of bytes in advance. */ + ENSURE_ALLOCATION (xsum (length, characters)); + if (characters > 0) /* implies arg != 0 */ + { + int count; +# if HAVE_WCRTOMB && !defined GNULIB_defined_mbstate_t + mbstate_t state; + memset (&state, '\0', sizeof (mbstate_t)); +# endif + + count = local_wcrtomb (result + length, arg, &state); + if (count <= 0) + /* Inconsistency. */ + abort (); + length += count; + } + } + else + { + if (arg != 0) + { + char cbuf[64]; /* Assume MB_CUR_MAX <= 64. */ + int count; +# if HAVE_WCRTOMB && !defined GNULIB_defined_mbstate_t + mbstate_t state; + memset (&state, '\0', sizeof (mbstate_t)); +# endif + + count = local_wcrtomb (cbuf, arg, &state); + if (count <= 0) + /* Inconsistency. */ + abort (); + ENSURE_ALLOCATION (xsum (length, count)); + memcpy (result + length, cbuf, count); + length += count; + } + } +# else + ENSURE_ALLOCATION_ELSE (xsum (length, tmpdst_len), + { free (tmpdst); goto out_of_memory; }); + DCHAR_CPY (result + length, tmpdst, tmpdst_len); + free (tmpdst); + length += tmpdst_len; +# endif + + if (w < width && (dp->flags & FLAG_LEFT)) + { + size_t n = width - w; + ENSURE_ALLOCATION (xsum (length, n)); + DCHAR_SET (result + length, ' ', n); + length += n; + } + } + } +#endif #if (NEED_PRINTF_DIRECTIVE_A || NEED_PRINTF_LONG_DOUBLE || NEED_PRINTF_DOUBLE) && !defined IN_LIBINTL else if ((dp->conversion == 'a' || dp->conversion == 'A') # if !(NEED_PRINTF_DIRECTIVE_A || (NEED_PRINTF_LONG_DOUBLE && NEED_PRINTF_DOUBLE)) @@ -4842,17 +5087,15 @@ VASNPRINTF (DCHAR_T *resultbuf, size_t *lengthp, switch (type) { -#if HAVE_LONG_LONG_INT case TYPE_LONGLONGINT: case TYPE_ULONGLONGINT: -# if defined _WIN32 && ! defined __CYGWIN__ +#if defined _WIN32 && ! defined __CYGWIN__ *fbp++ = 'I'; *fbp++ = '6'; *fbp++ = '4'; break; -# else +#else *fbp++ = 'l'; -# endif #endif FALLTHROUGH; case TYPE_LONGINT: @@ -4878,30 +5121,32 @@ VASNPRINTF (DCHAR_T *resultbuf, size_t *lengthp, #endif *fbp = dp->conversion; #if USE_SNPRINTF -# if ! (((__GLIBC__ > 2 || (__GLIBC__ == 2 && __GLIBC_MINOR__ >= 3)) \ - && !defined __UCLIBC__) \ - || (defined __APPLE__ && defined __MACH__) \ - || (defined _WIN32 && ! defined __CYGWIN__)) - fbp[1] = '%'; - fbp[2] = 'n'; - fbp[3] = '\0'; -# else - /* On glibc2 systems from glibc >= 2.3 - probably also older - ones - we know that snprintf's return value conforms to - ISO C 99: the tests gl_SNPRINTF_RETVAL_C99 and - gl_SNPRINTF_TRUNCATION_C99 pass. - Therefore we can avoid using %n in this situation. - On glibc2 systems from 2004-10-18 or newer, the use of %n - in format strings in writable memory may crash the program - (if compiled with _FORTIFY_SOURCE=2), so we should avoid it - in this situation. */ - /* On Mac OS X 10.3 or newer, we know that snprintf's return - value conforms to ISO C 99: the tests gl_SNPRINTF_RETVAL_C99 - and gl_SNPRINTF_TRUNCATION_C99 pass. - Therefore we can avoid using %n in this situation. - On Mac OS X 10.13 or newer, the use of %n in format strings - in writable memory by default crashes the program, so we - should avoid it in this situation. */ +# if ((HAVE_SNPRINTF_RETVAL_C99 && HAVE_SNPRINTF_TRUNCATION_C99) \ + || ((__GLIBC__ > 2 || (__GLIBC__ == 2 && __GLIBC_MINOR__ >= 3)) \ + && !defined __UCLIBC__) \ + || (defined __APPLE__ && defined __MACH__) \ + || defined __ANDROID__ \ + || (defined _WIN32 && ! defined __CYGWIN__)) + /* On systems where we know that snprintf's return value + conforms to ISO C 99 (HAVE_SNPRINTF_RETVAL_C99) and that + snprintf always produces NUL-terminated strings + (HAVE_SNPRINTF_TRUNCATION_C99), it is possible to avoid + using %n. And it is desirable to do so, because more and + more platforms no longer support %n, for "security reasons". + In particular, the following platforms: + - On glibc2 systems from 2004-10-18 or newer, the use of + %n in format strings in writable memory may crash the + program (if compiled with _FORTIFY_SOURCE=2). + - On Mac OS X 10.13 or newer, the use of %n in format + strings in writable memory by default crashes the + program. + - On Android, starting on 2018-03-07, the use of %n in + format strings produces a fatal error (see + <https://android.googlesource.com/platform/bionic/+/41398d03b7e8e0dfb951660ae713e682e9fc0336>). + On these platforms, HAVE_SNPRINTF_RETVAL_C99 and + HAVE_SNPRINTF_TRUNCATION_C99 are 1. We have listed them + explicitly in the condition above, in case of cross- + compilation (just to be sure). */ /* On native Windows systems (such as mingw), we can avoid using %n because: - Although the gl_SNPRINTF_TRUNCATION_C99 test fails, @@ -4915,9 +5160,13 @@ VASNPRINTF (DCHAR_T *resultbuf, size_t *lengthp, Windows Vista, the use of %n in format strings by default crashes the program. See <https://gcc.gnu.org/ml/gcc/2007-06/msg00122.html> and - <https://msdn.microsoft.com/en-us/library/ms175782.aspx> + <https://docs.microsoft.com/en-us/cpp/c-runtime-library/reference/set-printf-count-output> So we should avoid %n in this situation. */ fbp[1] = '\0'; +# else /* AIX <= 5.1, HP-UX, IRIX, OSF/1, Solaris <= 9, BeOS */ + fbp[1] = '%'; + fbp[2] = 'n'; + fbp[3] = '\0'; # endif #else fbp[1] = '\0'; @@ -5061,7 +5310,6 @@ VASNPRINTF (DCHAR_T *resultbuf, size_t *lengthp, SNPRINTF_BUF (arg); } break; -#if HAVE_LONG_LONG_INT case TYPE_LONGLONGINT: { long long int arg = a.arg[dp->arg_index].a.a_longlongint; @@ -5074,7 +5322,6 @@ VASNPRINTF (DCHAR_T *resultbuf, size_t *lengthp, SNPRINTF_BUF (arg); } break; -#endif case TYPE_DOUBLE: { double arg = a.arg[dp->arg_index].a.a_double; @@ -5134,7 +5381,7 @@ VASNPRINTF (DCHAR_T *resultbuf, size_t *lengthp, { /* Verify that snprintf() has NUL-terminated its result. */ - if (count < maxlen + if ((unsigned int) count < maxlen && ((TCHAR_T *) (result + length)) [count] != '\0') abort (); /* Portability hack. */ @@ -5206,15 +5453,14 @@ VASNPRINTF (DCHAR_T *resultbuf, size_t *lengthp, /* Attempt to handle failure. */ if (count < 0) { - /* SNPRINTF or sprintf failed. Save and use the errno - that it has set, if any. */ - int saved_errno = errno; - if (saved_errno == 0) + /* SNPRINTF or sprintf failed. Use the errno that it + has set, if any. */ + if (errno == 0) { if (dp->conversion == 'c' || dp->conversion == 's') - saved_errno = EILSEQ; + errno = EILSEQ; else - saved_errno = EINVAL; + errno = EINVAL; } if (!(result == resultbuf || result == NULL)) @@ -5223,7 +5469,6 @@ VASNPRINTF (DCHAR_T *resultbuf, size_t *lengthp, free (buf_malloced); CLEANUP (); - errno = saved_errno; return NULL; } @@ -5359,16 +5604,15 @@ VASNPRINTF (DCHAR_T *resultbuf, size_t *lengthp, NULL, &tmpdst_len); if (tmpdst == NULL) { - int saved_errno = errno; if (!(result == resultbuf || result == NULL)) free (result); if (buf_malloced != NULL) free (buf_malloced); CLEANUP (); - errno = saved_errno; return NULL; } - ENSURE_ALLOCATION (xsum (length, tmpdst_len)); + ENSURE_ALLOCATION_ELSE (xsum (length, tmpdst_len), + { free (tmpdst); goto out_of_memory; }); DCHAR_CPY (result + length, tmpdst, tmpdst_len); free (tmpdst); count = tmpdst_len; |