1// Copyright 2013 The Chromium Authors. All rights reserved. 2// Use of this source code is governed by a BSD-style license that can be 3// found in the LICENSE file. 4 5#include "base/strings/safe_sprintf.h" 6 7#include <stdio.h> 8#include <string.h> 9 10#include <limits> 11 12#include "base/logging.h" 13#include "base/memory/scoped_ptr.h" 14#include "testing/gtest/include/gtest/gtest.h" 15 16// Death tests on Android are currently very flaky. No need to add more flaky 17// tests, as they just make it hard to spot real problems. 18// TODO(markus): See if the restrictions on Android can eventually be lifted. 19#if defined(GTEST_HAS_DEATH_TEST) && !defined(OS_ANDROID) 20#define ALLOW_DEATH_TEST 21#endif 22 23namespace base { 24namespace strings { 25 26TEST(SafeSPrintfTest, Empty) { 27 char buf[2] = { 'X', 'X' }; 28 29 // Negative buffer size should always result in an error. 30 EXPECT_EQ(-1, SafeSNPrintf(buf, -1, "")); 31 EXPECT_EQ('X', buf[0]); 32 EXPECT_EQ('X', buf[1]); 33 34 // Zero buffer size should always result in an error. 35 EXPECT_EQ(-1, SafeSNPrintf(buf, 0, "")); 36 EXPECT_EQ('X', buf[0]); 37 EXPECT_EQ('X', buf[1]); 38 39 // A one-byte buffer should always print a single NUL byte. 40 EXPECT_EQ(0, SafeSNPrintf(buf, 1, "")); 41 EXPECT_EQ(0, buf[0]); 42 EXPECT_EQ('X', buf[1]); 43 buf[0] = 'X'; 44 45 // A larger buffer should leave the trailing bytes unchanged. 46 EXPECT_EQ(0, SafeSNPrintf(buf, 2, "")); 47 EXPECT_EQ(0, buf[0]); 48 EXPECT_EQ('X', buf[1]); 49 buf[0] = 'X'; 50 51 // The same test using SafeSPrintf() instead of SafeSNPrintf(). 52 EXPECT_EQ(0, SafeSPrintf(buf, "")); 53 EXPECT_EQ(0, buf[0]); 54 EXPECT_EQ('X', buf[1]); 55 buf[0] = 'X'; 56} 57 58TEST(SafeSPrintfTest, NoArguments) { 59 // Output a text message that doesn't require any substitutions. This 60 // is roughly equivalent to calling strncpy() (but unlike strncpy(), it does 61 // always add a trailing NUL; it always deduplicates '%' characters). 62 static const char text[] = "hello world"; 63 char ref[20], buf[20]; 64 memset(ref, 'X', sizeof(char) * arraysize(buf)); 65 memcpy(buf, ref, sizeof(buf)); 66 67 // A negative buffer size should always result in an error. 68 EXPECT_EQ(-1, SafeSNPrintf(buf, -1, text)); 69 EXPECT_TRUE(!memcmp(buf, ref, sizeof(buf))); 70 71 // Zero buffer size should always result in an error. 72 EXPECT_EQ(-1, SafeSNPrintf(buf, 0, text)); 73 EXPECT_TRUE(!memcmp(buf, ref, sizeof(buf))); 74 75 // A one-byte buffer should always print a single NUL byte. 76 EXPECT_EQ(static_cast<ssize_t>(sizeof(text))-1, SafeSNPrintf(buf, 1, text)); 77 EXPECT_EQ(0, buf[0]); 78 EXPECT_TRUE(!memcmp(buf+1, ref+1, sizeof(buf)-1)); 79 memcpy(buf, ref, sizeof(buf)); 80 81 // A larger (but limited) buffer should always leave the trailing bytes 82 // unchanged. 83 EXPECT_EQ(static_cast<ssize_t>(sizeof(text))-1, SafeSNPrintf(buf, 2, text)); 84 EXPECT_EQ(text[0], buf[0]); 85 EXPECT_EQ(0, buf[1]); 86 EXPECT_TRUE(!memcmp(buf+2, ref+2, sizeof(buf)-2)); 87 memcpy(buf, ref, sizeof(buf)); 88 89 // A unrestricted buffer length should always leave the trailing bytes 90 // unchanged. 91 EXPECT_EQ(static_cast<ssize_t>(sizeof(text))-1, 92 SafeSNPrintf(buf, sizeof(buf), text)); 93 EXPECT_EQ(std::string(text), std::string(buf)); 94 EXPECT_TRUE(!memcmp(buf + sizeof(text), ref + sizeof(text), 95 sizeof(buf) - sizeof(text))); 96 memcpy(buf, ref, sizeof(buf)); 97 98 // The same test using SafeSPrintf() instead of SafeSNPrintf(). 99 EXPECT_EQ(static_cast<ssize_t>(sizeof(text))-1, SafeSPrintf(buf, text)); 100 EXPECT_EQ(std::string(text), std::string(buf)); 101 EXPECT_TRUE(!memcmp(buf + sizeof(text), ref + sizeof(text), 102 sizeof(buf) - sizeof(text))); 103 memcpy(buf, ref, sizeof(buf)); 104 105 // Check for deduplication of '%' percent characters. 106 EXPECT_EQ(1, SafeSPrintf(buf, "%%")); 107 EXPECT_EQ(2, SafeSPrintf(buf, "%%%%")); 108 EXPECT_EQ(2, SafeSPrintf(buf, "%%X")); 109 EXPECT_EQ(3, SafeSPrintf(buf, "%%%%X")); 110#if defined(NDEBUG) 111 EXPECT_EQ(1, SafeSPrintf(buf, "%")); 112 EXPECT_EQ(2, SafeSPrintf(buf, "%%%")); 113 EXPECT_EQ(2, SafeSPrintf(buf, "%X")); 114 EXPECT_EQ(3, SafeSPrintf(buf, "%%%X")); 115#elif defined(ALLOW_DEATH_TEST) 116 EXPECT_DEATH(SafeSPrintf(buf, "%"), "src.1. == '%'"); 117 EXPECT_DEATH(SafeSPrintf(buf, "%%%"), "src.1. == '%'"); 118 EXPECT_DEATH(SafeSPrintf(buf, "%X"), "src.1. == '%'"); 119 EXPECT_DEATH(SafeSPrintf(buf, "%%%X"), "src.1. == '%'"); 120#endif 121} 122 123TEST(SafeSPrintfTest, OneArgument) { 124 // Test basic single-argument single-character substitution. 125 const char text[] = "hello world"; 126 const char fmt[] = "hello%cworld"; 127 char ref[20], buf[20]; 128 memset(ref, 'X', sizeof(buf)); 129 memcpy(buf, ref, sizeof(buf)); 130 131 // A negative buffer size should always result in an error. 132 EXPECT_EQ(-1, SafeSNPrintf(buf, -1, fmt, ' ')); 133 EXPECT_TRUE(!memcmp(buf, ref, sizeof(buf))); 134 135 // Zero buffer size should always result in an error. 136 EXPECT_EQ(-1, SafeSNPrintf(buf, 0, fmt, ' ')); 137 EXPECT_TRUE(!memcmp(buf, ref, sizeof(buf))); 138 139 // A one-byte buffer should always print a single NUL byte. 140 EXPECT_EQ(static_cast<ssize_t>(sizeof(text))-1, 141 SafeSNPrintf(buf, 1, fmt, ' ')); 142 EXPECT_EQ(0, buf[0]); 143 EXPECT_TRUE(!memcmp(buf+1, ref+1, sizeof(buf)-1)); 144 memcpy(buf, ref, sizeof(buf)); 145 146 // A larger (but limited) buffer should always leave the trailing bytes 147 // unchanged. 148 EXPECT_EQ(static_cast<ssize_t>(sizeof(text))-1, 149 SafeSNPrintf(buf, 2, fmt, ' ')); 150 EXPECT_EQ(text[0], buf[0]); 151 EXPECT_EQ(0, buf[1]); 152 EXPECT_TRUE(!memcmp(buf+2, ref+2, sizeof(buf)-2)); 153 memcpy(buf, ref, sizeof(buf)); 154 155 // A unrestricted buffer length should always leave the trailing bytes 156 // unchanged. 157 EXPECT_EQ(static_cast<ssize_t>(sizeof(text))-1, 158 SafeSNPrintf(buf, sizeof(buf), fmt, ' ')); 159 EXPECT_EQ(std::string(text), std::string(buf)); 160 EXPECT_TRUE(!memcmp(buf + sizeof(text), ref + sizeof(text), 161 sizeof(buf) - sizeof(text))); 162 memcpy(buf, ref, sizeof(buf)); 163 164 // The same test using SafeSPrintf() instead of SafeSNPrintf(). 165 EXPECT_EQ(static_cast<ssize_t>(sizeof(text))-1, SafeSPrintf(buf, fmt, ' ')); 166 EXPECT_EQ(std::string(text), std::string(buf)); 167 EXPECT_TRUE(!memcmp(buf + sizeof(text), ref + sizeof(text), 168 sizeof(buf) - sizeof(text))); 169 memcpy(buf, ref, sizeof(buf)); 170 171 // Check for deduplication of '%' percent characters. 172 EXPECT_EQ(1, SafeSPrintf(buf, "%%", 0)); 173 EXPECT_EQ(2, SafeSPrintf(buf, "%%%%", 0)); 174 EXPECT_EQ(2, SafeSPrintf(buf, "%Y", 0)); 175 EXPECT_EQ(2, SafeSPrintf(buf, "%%Y", 0)); 176 EXPECT_EQ(3, SafeSPrintf(buf, "%%%Y", 0)); 177 EXPECT_EQ(3, SafeSPrintf(buf, "%%%%Y", 0)); 178#if defined(NDEBUG) 179 EXPECT_EQ(1, SafeSPrintf(buf, "%", 0)); 180 EXPECT_EQ(2, SafeSPrintf(buf, "%%%", 0)); 181#elif defined(ALLOW_DEATH_TEST) 182 EXPECT_DEATH(SafeSPrintf(buf, "%", 0), "ch"); 183 EXPECT_DEATH(SafeSPrintf(buf, "%%%", 0), "ch"); 184#endif 185} 186 187TEST(SafeSPrintfTest, MissingArg) { 188#if defined(NDEBUG) 189 char buf[20]; 190 EXPECT_EQ(3, SafeSPrintf(buf, "%c%c", 'A')); 191 EXPECT_EQ("A%c", std::string(buf)); 192#elif defined(ALLOW_DEATH_TEST) 193 char buf[20]; 194 EXPECT_DEATH(SafeSPrintf(buf, "%c%c", 'A'), "cur_arg < max_args"); 195#endif 196} 197 198TEST(SafeSPrintfTest, ASANFriendlyBufferTest) { 199 // Print into a buffer that is sized exactly to size. ASAN can verify that 200 // nobody attempts to write past the end of the buffer. 201 // There is a more complicated test in PrintLongString() that covers a lot 202 // more edge case, but it is also harder to debug in case of a failure. 203 const char kTestString[] = "This is a test"; 204 scoped_ptr<char[]> buf(new char[sizeof(kTestString)]); 205 EXPECT_EQ(static_cast<ssize_t>(sizeof(kTestString) - 1), 206 SafeSNPrintf(buf.get(), sizeof(kTestString), kTestString)); 207 EXPECT_EQ(std::string(kTestString), std::string(buf.get())); 208 EXPECT_EQ(static_cast<ssize_t>(sizeof(kTestString) - 1), 209 SafeSNPrintf(buf.get(), sizeof(kTestString), "%s", kTestString)); 210 EXPECT_EQ(std::string(kTestString), std::string(buf.get())); 211} 212 213TEST(SafeSPrintfTest, NArgs) { 214 // Pre-C++11 compilers have a different code path, that can only print 215 // up to ten distinct arguments. 216 // We test both SafeSPrintf() and SafeSNPrintf(). This makes sure we don't 217 // have typos in the copy-n-pasted code that is needed to deal with various 218 // numbers of arguments. 219 char buf[12]; 220 EXPECT_EQ(1, SafeSPrintf(buf, "%c", 1)); 221 EXPECT_EQ("\1", std::string(buf)); 222 EXPECT_EQ(2, SafeSPrintf(buf, "%c%c", 1, 2)); 223 EXPECT_EQ("\1\2", std::string(buf)); 224 EXPECT_EQ(3, SafeSPrintf(buf, "%c%c%c", 1, 2, 3)); 225 EXPECT_EQ("\1\2\3", std::string(buf)); 226 EXPECT_EQ(4, SafeSPrintf(buf, "%c%c%c%c", 1, 2, 3, 4)); 227 EXPECT_EQ("\1\2\3\4", std::string(buf)); 228 EXPECT_EQ(5, SafeSPrintf(buf, "%c%c%c%c%c", 1, 2, 3, 4, 5)); 229 EXPECT_EQ("\1\2\3\4\5", std::string(buf)); 230 EXPECT_EQ(6, SafeSPrintf(buf, "%c%c%c%c%c%c", 1, 2, 3, 4, 5, 6)); 231 EXPECT_EQ("\1\2\3\4\5\6", std::string(buf)); 232 EXPECT_EQ(7, SafeSPrintf(buf, "%c%c%c%c%c%c%c", 1, 2, 3, 4, 5, 6, 7)); 233 EXPECT_EQ("\1\2\3\4\5\6\7", std::string(buf)); 234 EXPECT_EQ(8, SafeSPrintf(buf, "%c%c%c%c%c%c%c%c", 1, 2, 3, 4, 5, 6, 7, 8)); 235 EXPECT_EQ("\1\2\3\4\5\6\7\10", std::string(buf)); 236 EXPECT_EQ(9, SafeSPrintf(buf, "%c%c%c%c%c%c%c%c%c", 237 1, 2, 3, 4, 5, 6, 7, 8, 9)); 238 EXPECT_EQ("\1\2\3\4\5\6\7\10\11", std::string(buf)); 239 EXPECT_EQ(10, SafeSPrintf(buf, "%c%c%c%c%c%c%c%c%c%c", 240 1, 2, 3, 4, 5, 6, 7, 8, 9, 10)); 241 242 // Repeat all the tests with SafeSNPrintf() instead of SafeSPrintf(). 243 EXPECT_EQ("\1\2\3\4\5\6\7\10\11\12", std::string(buf)); 244 EXPECT_EQ(1, SafeSNPrintf(buf, 11, "%c", 1)); 245 EXPECT_EQ("\1", std::string(buf)); 246 EXPECT_EQ(2, SafeSNPrintf(buf, 11, "%c%c", 1, 2)); 247 EXPECT_EQ("\1\2", std::string(buf)); 248 EXPECT_EQ(3, SafeSNPrintf(buf, 11, "%c%c%c", 1, 2, 3)); 249 EXPECT_EQ("\1\2\3", std::string(buf)); 250 EXPECT_EQ(4, SafeSNPrintf(buf, 11, "%c%c%c%c", 1, 2, 3, 4)); 251 EXPECT_EQ("\1\2\3\4", std::string(buf)); 252 EXPECT_EQ(5, SafeSNPrintf(buf, 11, "%c%c%c%c%c", 1, 2, 3, 4, 5)); 253 EXPECT_EQ("\1\2\3\4\5", std::string(buf)); 254 EXPECT_EQ(6, SafeSNPrintf(buf, 11, "%c%c%c%c%c%c", 1, 2, 3, 4, 5, 6)); 255 EXPECT_EQ("\1\2\3\4\5\6", std::string(buf)); 256 EXPECT_EQ(7, SafeSNPrintf(buf, 11, "%c%c%c%c%c%c%c", 1, 2, 3, 4, 5, 6, 7)); 257 EXPECT_EQ("\1\2\3\4\5\6\7", std::string(buf)); 258 EXPECT_EQ(8, SafeSNPrintf(buf, 11, "%c%c%c%c%c%c%c%c", 259 1, 2, 3, 4, 5, 6, 7, 8)); 260 EXPECT_EQ("\1\2\3\4\5\6\7\10", std::string(buf)); 261 EXPECT_EQ(9, SafeSNPrintf(buf, 11, "%c%c%c%c%c%c%c%c%c", 262 1, 2, 3, 4, 5, 6, 7, 8, 9)); 263 EXPECT_EQ("\1\2\3\4\5\6\7\10\11", std::string(buf)); 264 EXPECT_EQ(10, SafeSNPrintf(buf, 11, "%c%c%c%c%c%c%c%c%c%c", 265 1, 2, 3, 4, 5, 6, 7, 8, 9, 10)); 266 EXPECT_EQ("\1\2\3\4\5\6\7\10\11\12", std::string(buf)); 267} 268 269TEST(SafeSPrintfTest, DataTypes) { 270 char buf[40]; 271 272 // Bytes 273 EXPECT_EQ(1, SafeSPrintf(buf, "%d", (uint8_t)1)); 274 EXPECT_EQ("1", std::string(buf)); 275 EXPECT_EQ(3, SafeSPrintf(buf, "%d", (uint8_t)-1)); 276 EXPECT_EQ("255", std::string(buf)); 277 EXPECT_EQ(1, SafeSPrintf(buf, "%d", (int8_t)1)); 278 EXPECT_EQ("1", std::string(buf)); 279 EXPECT_EQ(2, SafeSPrintf(buf, "%d", (int8_t)-1)); 280 EXPECT_EQ("-1", std::string(buf)); 281 EXPECT_EQ(4, SafeSPrintf(buf, "%d", (int8_t)-128)); 282 EXPECT_EQ("-128", std::string(buf)); 283 284 // Half-words 285 EXPECT_EQ(1, SafeSPrintf(buf, "%d", (uint16_t)1)); 286 EXPECT_EQ("1", std::string(buf)); 287 EXPECT_EQ(5, SafeSPrintf(buf, "%d", (uint16_t)-1)); 288 EXPECT_EQ("65535", std::string(buf)); 289 EXPECT_EQ(1, SafeSPrintf(buf, "%d", (int16_t)1)); 290 EXPECT_EQ("1", std::string(buf)); 291 EXPECT_EQ(2, SafeSPrintf(buf, "%d", (int16_t)-1)); 292 EXPECT_EQ("-1", std::string(buf)); 293 EXPECT_EQ(6, SafeSPrintf(buf, "%d", (int16_t)-32768)); 294 EXPECT_EQ("-32768", std::string(buf)); 295 296 // Words 297 EXPECT_EQ(1, SafeSPrintf(buf, "%d", (uint32_t)1)); 298 EXPECT_EQ("1", std::string(buf)); 299 EXPECT_EQ(10, SafeSPrintf(buf, "%d", (uint32_t)-1)); 300 EXPECT_EQ("4294967295", std::string(buf)); 301 EXPECT_EQ(1, SafeSPrintf(buf, "%d", (int32_t)1)); 302 EXPECT_EQ("1", std::string(buf)); 303 EXPECT_EQ(2, SafeSPrintf(buf, "%d", (int32_t)-1)); 304 EXPECT_EQ("-1", std::string(buf)); 305 // Work-around for an limitation of C90 306 EXPECT_EQ(11, SafeSPrintf(buf, "%d", (int32_t)-2147483647-1)); 307 EXPECT_EQ("-2147483648", std::string(buf)); 308 309 // Quads 310 EXPECT_EQ(1, SafeSPrintf(buf, "%d", (uint64_t)1)); 311 EXPECT_EQ("1", std::string(buf)); 312 EXPECT_EQ(20, SafeSPrintf(buf, "%d", (uint64_t)-1)); 313 EXPECT_EQ("18446744073709551615", std::string(buf)); 314 EXPECT_EQ(1, SafeSPrintf(buf, "%d", (int64_t)1)); 315 EXPECT_EQ("1", std::string(buf)); 316 EXPECT_EQ(2, SafeSPrintf(buf, "%d", (int64_t)-1)); 317 EXPECT_EQ("-1", std::string(buf)); 318 // Work-around for an limitation of C90 319 EXPECT_EQ(20, SafeSPrintf(buf, "%d", (int64_t)-9223372036854775807LL-1)); 320 EXPECT_EQ("-9223372036854775808", std::string(buf)); 321 322 // Strings (both const and mutable). 323 EXPECT_EQ(4, SafeSPrintf(buf, "test")); 324 EXPECT_EQ("test", std::string(buf)); 325 EXPECT_EQ(4, SafeSPrintf(buf, buf)); 326 EXPECT_EQ("test", std::string(buf)); 327 328 // Pointer 329 char addr[20]; 330 sprintf(addr, "0x%llX", (unsigned long long)(uintptr_t)buf); 331 SafeSPrintf(buf, "%p", buf); 332 EXPECT_EQ(std::string(addr), std::string(buf)); 333 SafeSPrintf(buf, "%p", (const char *)buf); 334 EXPECT_EQ(std::string(addr), std::string(buf)); 335 sprintf(addr, "0x%llX", (unsigned long long)(uintptr_t)sprintf); 336 SafeSPrintf(buf, "%p", sprintf); 337 EXPECT_EQ(std::string(addr), std::string(buf)); 338 339 // Padding for pointers is a little more complicated because of the "0x" 340 // prefix. Padding with '0' zeros is relatively straight-forward, but 341 // padding with ' ' spaces requires more effort. 342 sprintf(addr, "0x%017llX", (unsigned long long)(uintptr_t)buf); 343 SafeSPrintf(buf, "%019p", buf); 344 EXPECT_EQ(std::string(addr), std::string(buf)); 345 sprintf(addr, "0x%llX", (unsigned long long)(uintptr_t)buf); 346 memset(addr, ' ', 347 (char*)memmove(addr + sizeof(addr) - strlen(addr) - 1, 348 addr, strlen(addr)+1) - addr); 349 SafeSPrintf(buf, "%19p", buf); 350 EXPECT_EQ(std::string(addr), std::string(buf)); 351} 352 353namespace { 354void PrintLongString(char* buf, size_t sz) { 355 // Output a reasonably complex expression into a limited-size buffer. 356 // At least one byte is available for writing the NUL character. 357 CHECK_GT(sz, static_cast<size_t>(0)); 358 359 // Allocate slightly more space, so that we can verify that SafeSPrintf() 360 // never writes past the end of the buffer. 361 scoped_ptr<char[]> tmp(new char[sz+2]); 362 memset(tmp.get(), 'X', sz+2); 363 364 // Use SafeSPrintf() to output a complex list of arguments: 365 // - test padding and truncating %c single characters. 366 // - test truncating %s simple strings. 367 // - test mismatching arguments and truncating (for %d != %s). 368 // - test zero-padding and truncating %x hexadecimal numbers. 369 // - test outputting and truncating %d MININT. 370 // - test outputting and truncating %p arbitrary pointer values. 371 // - test outputting, padding and truncating NULL-pointer %s strings. 372 char* out = tmp.get(); 373 size_t out_sz = sz; 374 size_t len; 375 for (scoped_ptr<char[]> perfect_buf;;) { 376 size_t needed = SafeSNPrintf(out, out_sz, 377#if defined(NDEBUG) 378 "A%2cong %s: %d %010X %d %p%7s", 'l', "string", "", 379#else 380 "A%2cong %s: %%d %010X %d %p%7s", 'l', "string", 381#endif 382 0xDEADBEEF, std::numeric_limits<intptr_t>::min(), 383 PrintLongString, static_cast<char*>(NULL)) + 1; 384 385 // Various sanity checks: 386 // The numbered of characters needed to print the full string should always 387 // be bigger or equal to the bytes that have actually been output. 388 len = strlen(tmp.get()); 389 CHECK_GE(needed, len+1); 390 391 // The number of characters output should always fit into the buffer that 392 // was passed into SafeSPrintf(). 393 CHECK_LT(len, out_sz); 394 395 // The output is always terminated with a NUL byte (actually, this test is 396 // always going to pass, as strlen() already verified this) 397 EXPECT_FALSE(tmp[len]); 398 399 // ASAN can check that we are not overwriting buffers, iff we make sure the 400 // buffer is exactly the size that we are expecting to be written. After 401 // running SafeSNPrintf() the first time, it is possible to compute the 402 // correct buffer size for this test. So, allocate a second buffer and run 403 // the exact same SafeSNPrintf() command again. 404 if (!perfect_buf.get()) { 405 out_sz = std::min(needed, sz); 406 out = new char[out_sz]; 407 perfect_buf.reset(out); 408 } else { 409 break; 410 } 411 } 412 413 // All trailing bytes are unchanged. 414 for (size_t i = len+1; i < sz+2; ++i) 415 EXPECT_EQ('X', tmp[i]); 416 417 // The text that was generated by SafeSPrintf() should always match the 418 // equivalent text generated by sprintf(). Please note that the format 419 // string for sprintf() is nor complicated, as it does not have the 420 // benefit of getting type information from the C++ compiler. 421 // 422 // N.B.: It would be so much cleaner to use snprintf(). But unfortunately, 423 // Visual Studio doesn't support this function, and the work-arounds 424 // are all really awkward. 425 char ref[256]; 426 CHECK_LE(sz, sizeof(ref)); 427 sprintf(ref, "A long string: %%d 00DEADBEEF %lld 0x%llX <NULL>", 428 static_cast<long long>(std::numeric_limits<intptr_t>::min()), 429 (long long)PrintLongString); 430 ref[sz-1] = '\000'; 431 432#if defined(NDEBUG) 433 const size_t kSSizeMax = std::numeric_limits<ssize_t>::max(); 434#else 435 const size_t kSSizeMax = internal::GetSafeSPrintfSSizeMaxForTest(); 436#endif 437 438 // Compare the output from SafeSPrintf() to the one from sprintf(). 439 EXPECT_EQ(std::string(ref).substr(0, kSSizeMax-1), std::string(tmp.get())); 440 441 // We allocated a slightly larger buffer, so that we could perform some 442 // extra sanity checks. Now that the tests have all passed, we copy the 443 // data to the output buffer that the caller provided. 444 memcpy(buf, tmp.get(), len+1); 445} 446 447#if !defined(NDEBUG) 448class ScopedSafeSPrintfSSizeMaxSetter { 449 public: 450 ScopedSafeSPrintfSSizeMaxSetter(size_t sz) { 451 old_ssize_max_ = internal::GetSafeSPrintfSSizeMaxForTest(); 452 internal::SetSafeSPrintfSSizeMaxForTest(sz); 453 } 454 455 ~ScopedSafeSPrintfSSizeMaxSetter() { 456 internal::SetSafeSPrintfSSizeMaxForTest(old_ssize_max_); 457 } 458 459 private: 460 size_t old_ssize_max_; 461 462 DISALLOW_COPY_AND_ASSIGN(ScopedSafeSPrintfSSizeMaxSetter); 463}; 464#endif 465 466} // anonymous namespace 467 468TEST(SafeSPrintfTest, Truncation) { 469 // We use PrintLongString() to print a complex long string and then 470 // truncate to all possible lengths. This ends up exercising a lot of 471 // different code paths in SafeSPrintf() and IToASCII(), as truncation can 472 // happen in a lot of different states. 473 char ref[256]; 474 PrintLongString(ref, sizeof(ref)); 475 for (size_t i = strlen(ref)+1; i; --i) { 476 char buf[sizeof(ref)]; 477 PrintLongString(buf, i); 478 EXPECT_EQ(std::string(ref, i - 1), std::string(buf)); 479 } 480 481 // When compiling in debug mode, we have the ability to fake a small 482 // upper limit for the maximum value that can be stored in an ssize_t. 483 // SafeSPrintf() uses this upper limit to determine how many bytes it will 484 // write to the buffer, even if the caller claimed a bigger buffer size. 485 // Repeat the truncation test and verify that this other code path in 486 // SafeSPrintf() works correctly, too. 487#if !defined(NDEBUG) 488 for (size_t i = strlen(ref)+1; i > 1; --i) { 489 ScopedSafeSPrintfSSizeMaxSetter ssize_max_setter(i); 490 char buf[sizeof(ref)]; 491 PrintLongString(buf, sizeof(buf)); 492 EXPECT_EQ(std::string(ref, i - 1), std::string(buf)); 493 } 494 495 // kSSizeMax is also used to constrain the maximum amount of padding, before 496 // SafeSPrintf() detects an error in the format string. 497 ScopedSafeSPrintfSSizeMaxSetter ssize_max_setter(100); 498 char buf[256]; 499 EXPECT_EQ(99, SafeSPrintf(buf, "%99c", ' ')); 500 EXPECT_EQ(std::string(99, ' '), std::string(buf)); 501 *buf = '\000'; 502#if defined(ALLOW_DEATH_TEST) 503 EXPECT_DEATH(SafeSPrintf(buf, "%100c", ' '), "padding <= max_padding"); 504#endif 505 EXPECT_EQ(0, *buf); 506#endif 507} 508 509TEST(SafeSPrintfTest, Padding) { 510 char buf[40], fmt[40]; 511 512 // Chars %c 513 EXPECT_EQ(1, SafeSPrintf(buf, "%c", 'A')); 514 EXPECT_EQ("A", std::string(buf)); 515 EXPECT_EQ(2, SafeSPrintf(buf, "%2c", 'A')); 516 EXPECT_EQ(" A", std::string(buf)); 517 EXPECT_EQ(2, SafeSPrintf(buf, "%02c", 'A')); 518 EXPECT_EQ(" A", std::string(buf)); 519 EXPECT_EQ(4, SafeSPrintf(buf, "%-2c", 'A')); 520 EXPECT_EQ("%-2c", std::string(buf)); 521 SafeSPrintf(fmt, "%%%dc", std::numeric_limits<ssize_t>::max() - 1); 522 EXPECT_EQ(std::numeric_limits<ssize_t>::max()-1, SafeSPrintf(buf, fmt, 'A')); 523 SafeSPrintf(fmt, "%%%dc", 524 static_cast<size_t>(std::numeric_limits<ssize_t>::max())); 525#if defined(NDEBUG) 526 EXPECT_EQ(2, SafeSPrintf(buf, fmt, 'A')); 527 EXPECT_EQ("%c", std::string(buf)); 528#elif defined(ALLOW_DEATH_TEST) 529 EXPECT_DEATH(SafeSPrintf(buf, fmt, 'A'), "padding <= max_padding"); 530#endif 531 532 // Octal %o 533 EXPECT_EQ(1, SafeSPrintf(buf, "%o", 1)); 534 EXPECT_EQ("1", std::string(buf)); 535 EXPECT_EQ(2, SafeSPrintf(buf, "%2o", 1)); 536 EXPECT_EQ(" 1", std::string(buf)); 537 EXPECT_EQ(2, SafeSPrintf(buf, "%02o", 1)); 538 EXPECT_EQ("01", std::string(buf)); 539 EXPECT_EQ(12, SafeSPrintf(buf, "%12o", -1)); 540 EXPECT_EQ(" 37777777777", std::string(buf)); 541 EXPECT_EQ(12, SafeSPrintf(buf, "%012o", -1)); 542 EXPECT_EQ("037777777777", std::string(buf)); 543 EXPECT_EQ(23, SafeSPrintf(buf, "%23o", -1LL)); 544 EXPECT_EQ(" 1777777777777777777777", std::string(buf)); 545 EXPECT_EQ(23, SafeSPrintf(buf, "%023o", -1LL)); 546 EXPECT_EQ("01777777777777777777777", std::string(buf)); 547 EXPECT_EQ(3, SafeSPrintf(buf, "%2o", 0111)); 548 EXPECT_EQ("111", std::string(buf)); 549 EXPECT_EQ(4, SafeSPrintf(buf, "%-2o", 1)); 550 EXPECT_EQ("%-2o", std::string(buf)); 551 SafeSPrintf(fmt, "%%%do", std::numeric_limits<ssize_t>::max()-1); 552 EXPECT_EQ(std::numeric_limits<ssize_t>::max()-1, 553 SafeSNPrintf(buf, 4, fmt, 1)); 554 EXPECT_EQ(" ", std::string(buf)); 555 SafeSPrintf(fmt, "%%0%do", std::numeric_limits<ssize_t>::max()-1); 556 EXPECT_EQ(std::numeric_limits<ssize_t>::max()-1, 557 SafeSNPrintf(buf, 4, fmt, 1)); 558 EXPECT_EQ("000", std::string(buf)); 559 SafeSPrintf(fmt, "%%%do", 560 static_cast<size_t>(std::numeric_limits<ssize_t>::max())); 561#if defined(NDEBUG) 562 EXPECT_EQ(2, SafeSPrintf(buf, fmt, 1)); 563 EXPECT_EQ("%o", std::string(buf)); 564#elif defined(ALLOW_DEATH_TEST) 565 EXPECT_DEATH(SafeSPrintf(buf, fmt, 1), "padding <= max_padding"); 566#endif 567 568 // Decimals %d 569 EXPECT_EQ(1, SafeSPrintf(buf, "%d", 1)); 570 EXPECT_EQ("1", std::string(buf)); 571 EXPECT_EQ(2, SafeSPrintf(buf, "%2d", 1)); 572 EXPECT_EQ(" 1", std::string(buf)); 573 EXPECT_EQ(2, SafeSPrintf(buf, "%02d", 1)); 574 EXPECT_EQ("01", std::string(buf)); 575 EXPECT_EQ(3, SafeSPrintf(buf, "%3d", -1)); 576 EXPECT_EQ(" -1", std::string(buf)); 577 EXPECT_EQ(3, SafeSPrintf(buf, "%03d", -1)); 578 EXPECT_EQ("-01", std::string(buf)); 579 EXPECT_EQ(3, SafeSPrintf(buf, "%2d", 111)); 580 EXPECT_EQ("111", std::string(buf)); 581 EXPECT_EQ(4, SafeSPrintf(buf, "%2d", -111)); 582 EXPECT_EQ("-111", std::string(buf)); 583 EXPECT_EQ(4, SafeSPrintf(buf, "%-2d", 1)); 584 EXPECT_EQ("%-2d", std::string(buf)); 585 SafeSPrintf(fmt, "%%%dd", std::numeric_limits<ssize_t>::max()-1); 586 EXPECT_EQ(std::numeric_limits<ssize_t>::max()-1, 587 SafeSNPrintf(buf, 4, fmt, 1)); 588 EXPECT_EQ(" ", std::string(buf)); 589 SafeSPrintf(fmt, "%%0%dd", std::numeric_limits<ssize_t>::max()-1); 590 EXPECT_EQ(std::numeric_limits<ssize_t>::max()-1, 591 SafeSNPrintf(buf, 4, fmt, 1)); 592 EXPECT_EQ("000", std::string(buf)); 593 SafeSPrintf(fmt, "%%%dd", 594 static_cast<size_t>(std::numeric_limits<ssize_t>::max())); 595#if defined(NDEBUG) 596 EXPECT_EQ(2, SafeSPrintf(buf, fmt, 1)); 597 EXPECT_EQ("%d", std::string(buf)); 598#elif defined(ALLOW_DEATH_TEST) 599 EXPECT_DEATH(SafeSPrintf(buf, fmt, 1), "padding <= max_padding"); 600#endif 601 602 // Hex %X 603 EXPECT_EQ(1, SafeSPrintf(buf, "%X", 1)); 604 EXPECT_EQ("1", std::string(buf)); 605 EXPECT_EQ(2, SafeSPrintf(buf, "%2X", 1)); 606 EXPECT_EQ(" 1", std::string(buf)); 607 EXPECT_EQ(2, SafeSPrintf(buf, "%02X", 1)); 608 EXPECT_EQ("01", std::string(buf)); 609 EXPECT_EQ(9, SafeSPrintf(buf, "%9X", -1)); 610 EXPECT_EQ(" FFFFFFFF", std::string(buf)); 611 EXPECT_EQ(9, SafeSPrintf(buf, "%09X", -1)); 612 EXPECT_EQ("0FFFFFFFF", std::string(buf)); 613 EXPECT_EQ(17, SafeSPrintf(buf, "%17X", -1LL)); 614 EXPECT_EQ(" FFFFFFFFFFFFFFFF", std::string(buf)); 615 EXPECT_EQ(17, SafeSPrintf(buf, "%017X", -1LL)); 616 EXPECT_EQ("0FFFFFFFFFFFFFFFF", std::string(buf)); 617 EXPECT_EQ(3, SafeSPrintf(buf, "%2X", 0x111)); 618 EXPECT_EQ("111", std::string(buf)); 619 EXPECT_EQ(4, SafeSPrintf(buf, "%-2X", 1)); 620 EXPECT_EQ("%-2X", std::string(buf)); 621 SafeSPrintf(fmt, "%%%dX", std::numeric_limits<ssize_t>::max()-1); 622 EXPECT_EQ(std::numeric_limits<ssize_t>::max()-1, 623 SafeSNPrintf(buf, 4, fmt, 1)); 624 EXPECT_EQ(" ", std::string(buf)); 625 SafeSPrintf(fmt, "%%0%dX", std::numeric_limits<ssize_t>::max()-1); 626 EXPECT_EQ(std::numeric_limits<ssize_t>::max()-1, 627 SafeSNPrintf(buf, 4, fmt, 1)); 628 EXPECT_EQ("000", std::string(buf)); 629 SafeSPrintf(fmt, "%%%dX", 630 static_cast<size_t>(std::numeric_limits<ssize_t>::max())); 631#if defined(NDEBUG) 632 EXPECT_EQ(2, SafeSPrintf(buf, fmt, 1)); 633 EXPECT_EQ("%X", std::string(buf)); 634#elif defined(ALLOW_DEATH_TEST) 635 EXPECT_DEATH(SafeSPrintf(buf, fmt, 1), "padding <= max_padding"); 636#endif 637 638 // Pointer %p 639 EXPECT_EQ(3, SafeSPrintf(buf, "%p", (void*)1)); 640 EXPECT_EQ("0x1", std::string(buf)); 641 EXPECT_EQ(4, SafeSPrintf(buf, "%4p", (void*)1)); 642 EXPECT_EQ(" 0x1", std::string(buf)); 643 EXPECT_EQ(4, SafeSPrintf(buf, "%04p", (void*)1)); 644 EXPECT_EQ("0x01", std::string(buf)); 645 EXPECT_EQ(5, SafeSPrintf(buf, "%4p", (void*)0x111)); 646 EXPECT_EQ("0x111", std::string(buf)); 647 EXPECT_EQ(4, SafeSPrintf(buf, "%-2p", (void*)1)); 648 EXPECT_EQ("%-2p", std::string(buf)); 649 SafeSPrintf(fmt, "%%%dp", std::numeric_limits<ssize_t>::max()-1); 650 EXPECT_EQ(std::numeric_limits<ssize_t>::max()-1, 651 SafeSNPrintf(buf, 4, fmt, (void*)1)); 652 EXPECT_EQ(" ", std::string(buf)); 653 SafeSPrintf(fmt, "%%0%dp", std::numeric_limits<ssize_t>::max()-1); 654 EXPECT_EQ(std::numeric_limits<ssize_t>::max()-1, 655 SafeSNPrintf(buf, 4, fmt, (void*)1)); 656 EXPECT_EQ("0x0", std::string(buf)); 657 SafeSPrintf(fmt, "%%%dp", 658 static_cast<size_t>(std::numeric_limits<ssize_t>::max())); 659#if defined(NDEBUG) 660 EXPECT_EQ(2, SafeSPrintf(buf, fmt, 1)); 661 EXPECT_EQ("%p", std::string(buf)); 662#elif defined(ALLOW_DEATH_TEST) 663 EXPECT_DEATH(SafeSPrintf(buf, fmt, 1), "padding <= max_padding"); 664#endif 665 666 // String 667 EXPECT_EQ(1, SafeSPrintf(buf, "%s", "A")); 668 EXPECT_EQ("A", std::string(buf)); 669 EXPECT_EQ(2, SafeSPrintf(buf, "%2s", "A")); 670 EXPECT_EQ(" A", std::string(buf)); 671 EXPECT_EQ(2, SafeSPrintf(buf, "%02s", "A")); 672 EXPECT_EQ(" A", std::string(buf)); 673 EXPECT_EQ(3, SafeSPrintf(buf, "%2s", "AAA")); 674 EXPECT_EQ("AAA", std::string(buf)); 675 EXPECT_EQ(4, SafeSPrintf(buf, "%-2s", "A")); 676 EXPECT_EQ("%-2s", std::string(buf)); 677 SafeSPrintf(fmt, "%%%ds", std::numeric_limits<ssize_t>::max()-1); 678 EXPECT_EQ(std::numeric_limits<ssize_t>::max()-1, 679 SafeSNPrintf(buf, 4, fmt, "A")); 680 EXPECT_EQ(" ", std::string(buf)); 681 SafeSPrintf(fmt, "%%0%ds", std::numeric_limits<ssize_t>::max()-1); 682 EXPECT_EQ(std::numeric_limits<ssize_t>::max()-1, 683 SafeSNPrintf(buf, 4, fmt, "A")); 684 EXPECT_EQ(" ", std::string(buf)); 685 SafeSPrintf(fmt, "%%%ds", 686 static_cast<size_t>(std::numeric_limits<ssize_t>::max())); 687#if defined(NDEBUG) 688 EXPECT_EQ(2, SafeSPrintf(buf, fmt, "A")); 689 EXPECT_EQ("%s", std::string(buf)); 690#elif defined(ALLOW_DEATH_TEST) 691 EXPECT_DEATH(SafeSPrintf(buf, fmt, "A"), "padding <= max_padding"); 692#endif 693} 694 695TEST(SafeSPrintfTest, EmbeddedNul) { 696 char buf[] = { 'X', 'X', 'X', 'X' }; 697 EXPECT_EQ(2, SafeSPrintf(buf, "%3c", 0)); 698 EXPECT_EQ(' ', buf[0]); 699 EXPECT_EQ(' ', buf[1]); 700 EXPECT_EQ(0, buf[2]); 701 EXPECT_EQ('X', buf[3]); 702 703 // Check handling of a NUL format character. N.B. this takes two different 704 // code paths depending on whether we are actually passing arguments. If 705 // we don't have any arguments, we are running in the fast-path code, that 706 // looks (almost) like a strncpy(). 707#if defined(NDEBUG) 708 EXPECT_EQ(2, SafeSPrintf(buf, "%%%")); 709 EXPECT_EQ("%%", std::string(buf)); 710 EXPECT_EQ(2, SafeSPrintf(buf, "%%%", 0)); 711 EXPECT_EQ("%%", std::string(buf)); 712#elif defined(ALLOW_DEATH_TEST) 713 EXPECT_DEATH(SafeSPrintf(buf, "%%%"), "src.1. == '%'"); 714 EXPECT_DEATH(SafeSPrintf(buf, "%%%", 0), "ch"); 715#endif 716} 717 718TEST(SafeSPrintfTest, EmitNULL) { 719 char buf[40]; 720#if defined(__GNUC__) 721#pragma GCC diagnostic push 722#pragma GCC diagnostic ignored "-Wconversion-null" 723#endif 724 EXPECT_EQ(1, SafeSPrintf(buf, "%d", NULL)); 725 EXPECT_EQ("0", std::string(buf)); 726 EXPECT_EQ(3, SafeSPrintf(buf, "%p", NULL)); 727 EXPECT_EQ("0x0", std::string(buf)); 728 EXPECT_EQ(6, SafeSPrintf(buf, "%s", NULL)); 729 EXPECT_EQ("<NULL>", std::string(buf)); 730#if defined(__GCC__) 731#pragma GCC diagnostic pop 732#endif 733} 734 735TEST(SafeSPrintfTest, PointerSize) { 736 // The internal data representation is a 64bit value, independent of the 737 // native word size. We want to perform sign-extension for signed integers, 738 // but we want to avoid doing so for pointer types. This could be a 739 // problem on systems, where pointers are only 32bit. This tests verifies 740 // that there is no such problem. 741 char *str = reinterpret_cast<char *>(0x80000000u); 742 void *ptr = str; 743 char buf[40]; 744 EXPECT_EQ(10, SafeSPrintf(buf, "%p", str)); 745 EXPECT_EQ("0x80000000", std::string(buf)); 746 EXPECT_EQ(10, SafeSPrintf(buf, "%p", ptr)); 747 EXPECT_EQ("0x80000000", std::string(buf)); 748} 749 750} // namespace strings 751} // namespace base 752