ABase.h revision a9522673f3076ea937eb2912945d7ed646ca05df
1dab5fc65b92b37ee623b10f86a6ccf1709ba17d4Andreas Huber/* 2dab5fc65b92b37ee623b10f86a6ccf1709ba17d4Andreas Huber * Copyright (C) 2010 The Android Open Source Project 3dab5fc65b92b37ee623b10f86a6ccf1709ba17d4Andreas Huber * 4dab5fc65b92b37ee623b10f86a6ccf1709ba17d4Andreas Huber * Licensed under the Apache License, Version 2.0 (the "License"); 5dab5fc65b92b37ee623b10f86a6ccf1709ba17d4Andreas Huber * you may not use this file except in compliance with the License. 6dab5fc65b92b37ee623b10f86a6ccf1709ba17d4Andreas Huber * You may obtain a copy of the License at 7dab5fc65b92b37ee623b10f86a6ccf1709ba17d4Andreas Huber * 8dab5fc65b92b37ee623b10f86a6ccf1709ba17d4Andreas Huber * http://www.apache.org/licenses/LICENSE-2.0 9dab5fc65b92b37ee623b10f86a6ccf1709ba17d4Andreas Huber * 10dab5fc65b92b37ee623b10f86a6ccf1709ba17d4Andreas Huber * Unless required by applicable law or agreed to in writing, software 11dab5fc65b92b37ee623b10f86a6ccf1709ba17d4Andreas Huber * distributed under the License is distributed on an "AS IS" BASIS, 12dab5fc65b92b37ee623b10f86a6ccf1709ba17d4Andreas Huber * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13dab5fc65b92b37ee623b10f86a6ccf1709ba17d4Andreas Huber * See the License for the specific language governing permissions and 14dab5fc65b92b37ee623b10f86a6ccf1709ba17d4Andreas Huber * limitations under the License. 15dab5fc65b92b37ee623b10f86a6ccf1709ba17d4Andreas Huber */ 16dab5fc65b92b37ee623b10f86a6ccf1709ba17d4Andreas Huber 17dab5fc65b92b37ee623b10f86a6ccf1709ba17d4Andreas Huber#ifndef A_BASE_H_ 18dab5fc65b92b37ee623b10f86a6ccf1709ba17d4Andreas Huber 19e8e63aae6f705cbe316a1d9a7780f9f534bc3948Steven Moreland#define A_BASE_H_ 20e8e63aae6f705cbe316a1d9a7780f9f534bc3948Steven Moreland 21dab5fc65b92b37ee623b10f86a6ccf1709ba17d4Andreas Huber#define ARRAY_SIZE(a) (sizeof(a) / sizeof(*(a))) 22e8e63aae6f705cbe316a1d9a7780f9f534bc3948Steven Moreland 23dab5fc65b92b37ee623b10f86a6ccf1709ba17d4Andreas Huber#define DISALLOW_EVIL_CONSTRUCTORS(name) \ 2490349b3e11ec6f148211a9e29cb80644bc35d382Andreas Huber name(const name &); \ 25e8e63aae6f705cbe316a1d9a7780f9f534bc3948Steven Moreland name &operator=(const name &) 26dab5fc65b92b37ee623b10f86a6ccf1709ba17d4Andreas Huber 27e8e63aae6f705cbe316a1d9a7780f9f534bc3948Steven Moreland/* Returns true if the size parameter is safe for new array allocation (32-bit) 2890349b3e11ec6f148211a9e29cb80644bc35d382Andreas Huber * 29dab5fc65b92b37ee623b10f86a6ccf1709ba17d4Andreas Huber * Example usage: 30adcb896fd6e476f277d6f1d20e2e50b8e81c4369Steven Moreland * 31adcb896fd6e476f277d6f1d20e2e50b8e81c4369Steven Moreland * if (!isSafeArraySize<uint32_t>(arraySize)) { 32adcb896fd6e476f277d6f1d20e2e50b8e81c4369Steven Moreland * return BAD_VALUE; 33adcb896fd6e476f277d6f1d20e2e50b8e81c4369Steven Moreland * } 34adcb896fd6e476f277d6f1d20e2e50b8e81c4369Steven Moreland * ... 35adcb896fd6e476f277d6f1d20e2e50b8e81c4369Steven Moreland * uint32_t *myArray = new uint32_t[arraySize]; 36dab5fc65b92b37ee623b10f86a6ccf1709ba17d4Andreas Huber * 3727538df549cb37c4400183cce859cece6f8d8cdaSteven Moreland * There is a bug in gcc versions earlier than 4.8 where the new[] array allocation 3827538df549cb37c4400183cce859cece6f8d8cdaSteven Moreland * will overflow in the internal 32 bit heap allocation, resulting in an 39dab5fc65b92b37ee623b10f86a6ccf1709ba17d4Andreas Huber * underallocated array. This is a security issue that allows potential overwriting 40adcb896fd6e476f277d6f1d20e2e50b8e81c4369Steven Moreland * of other heap data. 41adcb896fd6e476f277d6f1d20e2e50b8e81c4369Steven Moreland * 42adcb896fd6e476f277d6f1d20e2e50b8e81c4369Steven Moreland * An alternative to checking is to create a safe new array template function which 43adcb896fd6e476f277d6f1d20e2e50b8e81c4369Steven Moreland * either throws a std::bad_alloc exception or returns NULL/nullptr_t; NULL considered 44adcb896fd6e476f277d6f1d20e2e50b8e81c4369Steven Moreland * safe since normal access of NULL throws an exception. 45adcb896fd6e476f277d6f1d20e2e50b8e81c4369Steven Moreland * 46dab5fc65b92b37ee623b10f86a6ccf1709ba17d4Andreas Huber * https://securityblog.redhat.com/2012/10/31/array-allocation-in-cxx/ 47727f7bf84f28765608548a6afe8f54c43a4ccf64Martijn Coenen */ 48727f7bf84f28765608548a6afe8f54c43a4ccf64Martijn Coenentemplate <typename T, typename S> 49727f7bf84f28765608548a6afe8f54c43a4ccf64Martijn Coenenbool isSafeArraySize(S size) { 50727f7bf84f28765608548a6afe8f54c43a4ccf64Martijn Coenen return size >= 0 // in case S is signed, ignored if not. 51727f7bf84f28765608548a6afe8f54c43a4ccf64Martijn Coenen && size <= 0xffffffff / sizeof(T); // max-unsigned-32-bit-int / element-size. 52e8e63aae6f705cbe316a1d9a7780f9f534bc3948Steven Moreland} 53727f7bf84f28765608548a6afe8f54c43a4ccf64Martijn Coenen 54e8e63aae6f705cbe316a1d9a7780f9f534bc3948Steven Moreland#endif // A_BASE_H_ 55e8e63aae6f705cbe316a1d9a7780f9f534bc3948Steven Moreland