1// Copyright 2013 The Chromium Authors. All rights reserved.
2// Use of this source code is governed by a BSD-style license that can be
3// found in the LICENSE file.
4
5#include "base/strings/safe_sprintf.h"
6
7#include <stdio.h>
8#include <string.h>
9
10#include <limits>
11
12#include "base/logging.h"
13#include "base/memory/scoped_ptr.h"
14#include "testing/gtest/include/gtest/gtest.h"
15
16// Death tests on Android are currently very flaky. No need to add more flaky
17// tests, as they just make it hard to spot real problems.
18// TODO(markus): See if the restrictions on Android can eventually be lifted.
19#if defined(GTEST_HAS_DEATH_TEST) && !defined(OS_ANDROID)
20#define ALLOW_DEATH_TEST
21#endif
22
23namespace base {
24namespace strings {
25
26TEST(SafeSPrintfTest, Empty) {
27  char buf[2] = { 'X', 'X' };
28
29  // Negative buffer size should always result in an error.
30  EXPECT_EQ(-1, SafeSNPrintf(buf, static_cast<size_t>(-1), ""));
31  EXPECT_EQ('X', buf[0]);
32  EXPECT_EQ('X', buf[1]);
33
34  // Zero buffer size should always result in an error.
35  EXPECT_EQ(-1, SafeSNPrintf(buf, 0, ""));
36  EXPECT_EQ('X', buf[0]);
37  EXPECT_EQ('X', buf[1]);
38
39  // A one-byte buffer should always print a single NUL byte.
40  EXPECT_EQ(0, SafeSNPrintf(buf, 1, ""));
41  EXPECT_EQ(0, buf[0]);
42  EXPECT_EQ('X', buf[1]);
43  buf[0] = 'X';
44
45  // A larger buffer should leave the trailing bytes unchanged.
46  EXPECT_EQ(0, SafeSNPrintf(buf, 2, ""));
47  EXPECT_EQ(0, buf[0]);
48  EXPECT_EQ('X', buf[1]);
49  buf[0] = 'X';
50
51  // The same test using SafeSPrintf() instead of SafeSNPrintf().
52  EXPECT_EQ(0, SafeSPrintf(buf, ""));
53  EXPECT_EQ(0, buf[0]);
54  EXPECT_EQ('X', buf[1]);
55  buf[0] = 'X';
56}
57
58TEST(SafeSPrintfTest, NoArguments) {
59  // Output a text message that doesn't require any substitutions. This
60  // is roughly equivalent to calling strncpy() (but unlike strncpy(), it does
61  // always add a trailing NUL; it always deduplicates '%' characters).
62  static const char text[] = "hello world";
63  char ref[20], buf[20];
64  memset(ref, 'X', sizeof(char) * arraysize(buf));
65  memcpy(buf, ref, sizeof(buf));
66
67  // A negative buffer size should always result in an error.
68  EXPECT_EQ(-1, SafeSNPrintf(buf, static_cast<size_t>(-1), text));
69  EXPECT_TRUE(!memcmp(buf, ref, sizeof(buf)));
70
71  // Zero buffer size should always result in an error.
72  EXPECT_EQ(-1, SafeSNPrintf(buf, 0, text));
73  EXPECT_TRUE(!memcmp(buf, ref, sizeof(buf)));
74
75  // A one-byte buffer should always print a single NUL byte.
76  EXPECT_EQ(static_cast<ssize_t>(sizeof(text))-1, SafeSNPrintf(buf, 1, text));
77  EXPECT_EQ(0, buf[0]);
78  EXPECT_TRUE(!memcmp(buf+1, ref+1, sizeof(buf)-1));
79  memcpy(buf, ref, sizeof(buf));
80
81  // A larger (but limited) buffer should always leave the trailing bytes
82  // unchanged.
83  EXPECT_EQ(static_cast<ssize_t>(sizeof(text))-1, SafeSNPrintf(buf, 2, text));
84  EXPECT_EQ(text[0], buf[0]);
85  EXPECT_EQ(0, buf[1]);
86  EXPECT_TRUE(!memcmp(buf+2, ref+2, sizeof(buf)-2));
87  memcpy(buf, ref, sizeof(buf));
88
89  // A unrestricted buffer length should always leave the trailing bytes
90  // unchanged.
91  EXPECT_EQ(static_cast<ssize_t>(sizeof(text))-1,
92            SafeSNPrintf(buf, sizeof(buf), text));
93  EXPECT_EQ(std::string(text), std::string(buf));
94  EXPECT_TRUE(!memcmp(buf + sizeof(text), ref + sizeof(text),
95                      sizeof(buf) - sizeof(text)));
96  memcpy(buf, ref, sizeof(buf));
97
98  // The same test using SafeSPrintf() instead of SafeSNPrintf().
99  EXPECT_EQ(static_cast<ssize_t>(sizeof(text))-1, SafeSPrintf(buf, text));
100  EXPECT_EQ(std::string(text), std::string(buf));
101  EXPECT_TRUE(!memcmp(buf + sizeof(text), ref + sizeof(text),
102                      sizeof(buf) - sizeof(text)));
103  memcpy(buf, ref, sizeof(buf));
104
105  // Check for deduplication of '%' percent characters.
106  EXPECT_EQ(1, SafeSPrintf(buf, "%%"));
107  EXPECT_EQ(2, SafeSPrintf(buf, "%%%%"));
108  EXPECT_EQ(2, SafeSPrintf(buf, "%%X"));
109  EXPECT_EQ(3, SafeSPrintf(buf, "%%%%X"));
110#if defined(NDEBUG)
111  EXPECT_EQ(1, SafeSPrintf(buf, "%"));
112  EXPECT_EQ(2, SafeSPrintf(buf, "%%%"));
113  EXPECT_EQ(2, SafeSPrintf(buf, "%X"));
114  EXPECT_EQ(3, SafeSPrintf(buf, "%%%X"));
115#elif defined(ALLOW_DEATH_TEST)
116  EXPECT_DEATH(SafeSPrintf(buf, "%"), "src.1. == '%'");
117  EXPECT_DEATH(SafeSPrintf(buf, "%%%"), "src.1. == '%'");
118  EXPECT_DEATH(SafeSPrintf(buf, "%X"), "src.1. == '%'");
119  EXPECT_DEATH(SafeSPrintf(buf, "%%%X"), "src.1. == '%'");
120#endif
121}
122
123TEST(SafeSPrintfTest, OneArgument) {
124  // Test basic single-argument single-character substitution.
125  const char text[] = "hello world";
126  const char fmt[]  = "hello%cworld";
127  char ref[20], buf[20];
128  memset(ref, 'X', sizeof(buf));
129  memcpy(buf, ref, sizeof(buf));
130
131  // A negative buffer size should always result in an error.
132  EXPECT_EQ(-1, SafeSNPrintf(buf, static_cast<size_t>(-1), fmt, ' '));
133  EXPECT_TRUE(!memcmp(buf, ref, sizeof(buf)));
134
135  // Zero buffer size should always result in an error.
136  EXPECT_EQ(-1, SafeSNPrintf(buf, 0, fmt, ' '));
137  EXPECT_TRUE(!memcmp(buf, ref, sizeof(buf)));
138
139  // A one-byte buffer should always print a single NUL byte.
140  EXPECT_EQ(static_cast<ssize_t>(sizeof(text))-1,
141            SafeSNPrintf(buf, 1, fmt, ' '));
142  EXPECT_EQ(0, buf[0]);
143  EXPECT_TRUE(!memcmp(buf+1, ref+1, sizeof(buf)-1));
144  memcpy(buf, ref, sizeof(buf));
145
146  // A larger (but limited) buffer should always leave the trailing bytes
147  // unchanged.
148  EXPECT_EQ(static_cast<ssize_t>(sizeof(text))-1,
149            SafeSNPrintf(buf, 2, fmt, ' '));
150  EXPECT_EQ(text[0], buf[0]);
151  EXPECT_EQ(0, buf[1]);
152  EXPECT_TRUE(!memcmp(buf+2, ref+2, sizeof(buf)-2));
153  memcpy(buf, ref, sizeof(buf));
154
155  // A unrestricted buffer length should always leave the trailing bytes
156  // unchanged.
157  EXPECT_EQ(static_cast<ssize_t>(sizeof(text))-1,
158            SafeSNPrintf(buf, sizeof(buf), fmt, ' '));
159  EXPECT_EQ(std::string(text), std::string(buf));
160  EXPECT_TRUE(!memcmp(buf + sizeof(text), ref + sizeof(text),
161                      sizeof(buf) - sizeof(text)));
162  memcpy(buf, ref, sizeof(buf));
163
164  // The same test using SafeSPrintf() instead of SafeSNPrintf().
165  EXPECT_EQ(static_cast<ssize_t>(sizeof(text))-1, SafeSPrintf(buf, fmt, ' '));
166  EXPECT_EQ(std::string(text), std::string(buf));
167  EXPECT_TRUE(!memcmp(buf + sizeof(text), ref + sizeof(text),
168                      sizeof(buf) - sizeof(text)));
169  memcpy(buf, ref, sizeof(buf));
170
171  // Check for deduplication of '%' percent characters.
172  EXPECT_EQ(1, SafeSPrintf(buf, "%%", 0));
173  EXPECT_EQ(2, SafeSPrintf(buf, "%%%%", 0));
174  EXPECT_EQ(2, SafeSPrintf(buf, "%Y", 0));
175  EXPECT_EQ(2, SafeSPrintf(buf, "%%Y", 0));
176  EXPECT_EQ(3, SafeSPrintf(buf, "%%%Y", 0));
177  EXPECT_EQ(3, SafeSPrintf(buf, "%%%%Y", 0));
178#if defined(NDEBUG)
179  EXPECT_EQ(1, SafeSPrintf(buf, "%", 0));
180  EXPECT_EQ(2, SafeSPrintf(buf, "%%%", 0));
181#elif defined(ALLOW_DEATH_TEST)
182  EXPECT_DEATH(SafeSPrintf(buf, "%", 0), "ch");
183  EXPECT_DEATH(SafeSPrintf(buf, "%%%", 0), "ch");
184#endif
185}
186
187TEST(SafeSPrintfTest, MissingArg) {
188#if defined(NDEBUG)
189  char buf[20];
190  EXPECT_EQ(3, SafeSPrintf(buf, "%c%c", 'A'));
191  EXPECT_EQ("A%c", std::string(buf));
192#elif defined(ALLOW_DEATH_TEST)
193  char buf[20];
194  EXPECT_DEATH(SafeSPrintf(buf, "%c%c", 'A'), "cur_arg < max_args");
195#endif
196}
197
198TEST(SafeSPrintfTest, ASANFriendlyBufferTest) {
199  // Print into a buffer that is sized exactly to size. ASAN can verify that
200  // nobody attempts to write past the end of the buffer.
201  // There is a more complicated test in PrintLongString() that covers a lot
202  // more edge case, but it is also harder to debug in case of a failure.
203  const char kTestString[] = "This is a test";
204  scoped_ptr<char[]> buf(new char[sizeof(kTestString)]);
205  EXPECT_EQ(static_cast<ssize_t>(sizeof(kTestString) - 1),
206            SafeSNPrintf(buf.get(), sizeof(kTestString), kTestString));
207  EXPECT_EQ(std::string(kTestString), std::string(buf.get()));
208  EXPECT_EQ(static_cast<ssize_t>(sizeof(kTestString) - 1),
209            SafeSNPrintf(buf.get(), sizeof(kTestString), "%s", kTestString));
210  EXPECT_EQ(std::string(kTestString), std::string(buf.get()));
211}
212
213TEST(SafeSPrintfTest, NArgs) {
214  // Pre-C++11 compilers have a different code path, that can only print
215  // up to ten distinct arguments.
216  // We test both SafeSPrintf() and SafeSNPrintf(). This makes sure we don't
217  // have typos in the copy-n-pasted code that is needed to deal with various
218  // numbers of arguments.
219  char buf[12];
220  EXPECT_EQ(1, SafeSPrintf(buf, "%c", 1));
221  EXPECT_EQ("\1", std::string(buf));
222  EXPECT_EQ(2, SafeSPrintf(buf, "%c%c", 1, 2));
223  EXPECT_EQ("\1\2", std::string(buf));
224  EXPECT_EQ(3, SafeSPrintf(buf, "%c%c%c", 1, 2, 3));
225  EXPECT_EQ("\1\2\3", std::string(buf));
226  EXPECT_EQ(4, SafeSPrintf(buf, "%c%c%c%c", 1, 2, 3, 4));
227  EXPECT_EQ("\1\2\3\4", std::string(buf));
228  EXPECT_EQ(5, SafeSPrintf(buf, "%c%c%c%c%c", 1, 2, 3, 4, 5));
229  EXPECT_EQ("\1\2\3\4\5", std::string(buf));
230  EXPECT_EQ(6, SafeSPrintf(buf, "%c%c%c%c%c%c", 1, 2, 3, 4, 5, 6));
231  EXPECT_EQ("\1\2\3\4\5\6", std::string(buf));
232  EXPECT_EQ(7, SafeSPrintf(buf, "%c%c%c%c%c%c%c", 1, 2, 3, 4, 5, 6, 7));
233  EXPECT_EQ("\1\2\3\4\5\6\7", std::string(buf));
234  EXPECT_EQ(8, SafeSPrintf(buf, "%c%c%c%c%c%c%c%c", 1, 2, 3, 4, 5, 6, 7, 8));
235  EXPECT_EQ("\1\2\3\4\5\6\7\10", std::string(buf));
236  EXPECT_EQ(9, SafeSPrintf(buf, "%c%c%c%c%c%c%c%c%c",
237                           1, 2, 3, 4, 5, 6, 7, 8, 9));
238  EXPECT_EQ("\1\2\3\4\5\6\7\10\11", std::string(buf));
239  EXPECT_EQ(10, SafeSPrintf(buf, "%c%c%c%c%c%c%c%c%c%c",
240                            1, 2, 3, 4, 5, 6, 7, 8, 9, 10));
241
242  // Repeat all the tests with SafeSNPrintf() instead of SafeSPrintf().
243  EXPECT_EQ("\1\2\3\4\5\6\7\10\11\12", std::string(buf));
244  EXPECT_EQ(1, SafeSNPrintf(buf, 11, "%c", 1));
245  EXPECT_EQ("\1", std::string(buf));
246  EXPECT_EQ(2, SafeSNPrintf(buf, 11, "%c%c", 1, 2));
247  EXPECT_EQ("\1\2", std::string(buf));
248  EXPECT_EQ(3, SafeSNPrintf(buf, 11, "%c%c%c", 1, 2, 3));
249  EXPECT_EQ("\1\2\3", std::string(buf));
250  EXPECT_EQ(4, SafeSNPrintf(buf, 11, "%c%c%c%c", 1, 2, 3, 4));
251  EXPECT_EQ("\1\2\3\4", std::string(buf));
252  EXPECT_EQ(5, SafeSNPrintf(buf, 11, "%c%c%c%c%c", 1, 2, 3, 4, 5));
253  EXPECT_EQ("\1\2\3\4\5", std::string(buf));
254  EXPECT_EQ(6, SafeSNPrintf(buf, 11, "%c%c%c%c%c%c", 1, 2, 3, 4, 5, 6));
255  EXPECT_EQ("\1\2\3\4\5\6", std::string(buf));
256  EXPECT_EQ(7, SafeSNPrintf(buf, 11, "%c%c%c%c%c%c%c", 1, 2, 3, 4, 5, 6, 7));
257  EXPECT_EQ("\1\2\3\4\5\6\7", std::string(buf));
258  EXPECT_EQ(8, SafeSNPrintf(buf, 11, "%c%c%c%c%c%c%c%c",
259                            1, 2, 3, 4, 5, 6, 7, 8));
260  EXPECT_EQ("\1\2\3\4\5\6\7\10", std::string(buf));
261  EXPECT_EQ(9, SafeSNPrintf(buf, 11, "%c%c%c%c%c%c%c%c%c",
262                            1, 2, 3, 4, 5, 6, 7, 8, 9));
263  EXPECT_EQ("\1\2\3\4\5\6\7\10\11", std::string(buf));
264  EXPECT_EQ(10, SafeSNPrintf(buf, 11, "%c%c%c%c%c%c%c%c%c%c",
265                             1, 2, 3, 4, 5, 6, 7, 8, 9, 10));
266  EXPECT_EQ("\1\2\3\4\5\6\7\10\11\12", std::string(buf));
267}
268
269TEST(SafeSPrintfTest, DataTypes) {
270  char buf[40];
271
272  // Bytes
273  EXPECT_EQ(1, SafeSPrintf(buf, "%d", (uint8_t)1));
274  EXPECT_EQ("1", std::string(buf));
275  EXPECT_EQ(3, SafeSPrintf(buf, "%d", (uint8_t)-1));
276  EXPECT_EQ("255", std::string(buf));
277  EXPECT_EQ(1, SafeSPrintf(buf, "%d", (int8_t)1));
278  EXPECT_EQ("1", std::string(buf));
279  EXPECT_EQ(2, SafeSPrintf(buf, "%d", (int8_t)-1));
280  EXPECT_EQ("-1", std::string(buf));
281  EXPECT_EQ(4, SafeSPrintf(buf, "%d", (int8_t)-128));
282  EXPECT_EQ("-128", std::string(buf));
283
284  // Half-words
285  EXPECT_EQ(1, SafeSPrintf(buf, "%d", (uint16_t)1));
286  EXPECT_EQ("1", std::string(buf));
287  EXPECT_EQ(5, SafeSPrintf(buf, "%d", (uint16_t)-1));
288  EXPECT_EQ("65535", std::string(buf));
289  EXPECT_EQ(1, SafeSPrintf(buf, "%d", (int16_t)1));
290  EXPECT_EQ("1", std::string(buf));
291  EXPECT_EQ(2, SafeSPrintf(buf, "%d", (int16_t)-1));
292  EXPECT_EQ("-1", std::string(buf));
293  EXPECT_EQ(6, SafeSPrintf(buf, "%d", (int16_t)-32768));
294  EXPECT_EQ("-32768", std::string(buf));
295
296  // Words
297  EXPECT_EQ(1, SafeSPrintf(buf, "%d", (uint32_t)1));
298  EXPECT_EQ("1", std::string(buf));
299  EXPECT_EQ(10, SafeSPrintf(buf, "%d", (uint32_t)-1));
300  EXPECT_EQ("4294967295", std::string(buf));
301  EXPECT_EQ(1, SafeSPrintf(buf, "%d", (int32_t)1));
302  EXPECT_EQ("1", std::string(buf));
303  EXPECT_EQ(2, SafeSPrintf(buf, "%d", (int32_t)-1));
304  EXPECT_EQ("-1", std::string(buf));
305  // Work-around for an limitation of C90
306  EXPECT_EQ(11, SafeSPrintf(buf, "%d", (int32_t)-2147483647-1));
307  EXPECT_EQ("-2147483648", std::string(buf));
308
309  // Quads
310  EXPECT_EQ(1, SafeSPrintf(buf, "%d", (uint64_t)1));
311  EXPECT_EQ("1", std::string(buf));
312  EXPECT_EQ(20, SafeSPrintf(buf, "%d", (uint64_t)-1));
313  EXPECT_EQ("18446744073709551615", std::string(buf));
314  EXPECT_EQ(1, SafeSPrintf(buf, "%d", (int64_t)1));
315  EXPECT_EQ("1", std::string(buf));
316  EXPECT_EQ(2, SafeSPrintf(buf, "%d", (int64_t)-1));
317  EXPECT_EQ("-1", std::string(buf));
318  // Work-around for an limitation of C90
319  EXPECT_EQ(20, SafeSPrintf(buf, "%d", (int64_t)-9223372036854775807LL-1));
320  EXPECT_EQ("-9223372036854775808", std::string(buf));
321
322  // Strings (both const and mutable).
323  EXPECT_EQ(4, SafeSPrintf(buf, "test"));
324  EXPECT_EQ("test", std::string(buf));
325  EXPECT_EQ(4, SafeSPrintf(buf, buf));
326  EXPECT_EQ("test", std::string(buf));
327
328  // Pointer
329  char addr[20];
330  sprintf(addr, "0x%llX", (unsigned long long)(uintptr_t)buf);
331  SafeSPrintf(buf, "%p", buf);
332  EXPECT_EQ(std::string(addr), std::string(buf));
333  SafeSPrintf(buf, "%p", (const char *)buf);
334  EXPECT_EQ(std::string(addr), std::string(buf));
335  sprintf(addr, "0x%llX", (unsigned long long)(uintptr_t)sprintf);
336  SafeSPrintf(buf, "%p", sprintf);
337  EXPECT_EQ(std::string(addr), std::string(buf));
338
339  // Padding for pointers is a little more complicated because of the "0x"
340  // prefix. Padding with '0' zeros is relatively straight-forward, but
341  // padding with ' ' spaces requires more effort.
342  sprintf(addr, "0x%017llX", (unsigned long long)(uintptr_t)buf);
343  SafeSPrintf(buf, "%019p", buf);
344  EXPECT_EQ(std::string(addr), std::string(buf));
345  sprintf(addr, "0x%llX", (unsigned long long)(uintptr_t)buf);
346  memset(addr, ' ',
347         (char*)memmove(addr + sizeof(addr) - strlen(addr) - 1,
348                        addr, strlen(addr)+1) - addr);
349  SafeSPrintf(buf, "%19p", buf);
350  EXPECT_EQ(std::string(addr), std::string(buf));
351}
352
353namespace {
354void PrintLongString(char* buf, size_t sz) {
355  // Output a reasonably complex expression into a limited-size buffer.
356  // At least one byte is available for writing the NUL character.
357  CHECK_GT(sz, static_cast<size_t>(0));
358
359  // Allocate slightly more space, so that we can verify that SafeSPrintf()
360  // never writes past the end of the buffer.
361  scoped_ptr<char[]> tmp(new char[sz+2]);
362  memset(tmp.get(), 'X', sz+2);
363
364  // Use SafeSPrintf() to output a complex list of arguments:
365  // - test padding and truncating %c single characters.
366  // - test truncating %s simple strings.
367  // - test mismatching arguments and truncating (for %d != %s).
368  // - test zero-padding and truncating %x hexadecimal numbers.
369  // - test outputting and truncating %d MININT.
370  // - test outputting and truncating %p arbitrary pointer values.
371  // - test outputting, padding and truncating NULL-pointer %s strings.
372  char* out = tmp.get();
373  size_t out_sz = sz;
374  size_t len;
375  for (scoped_ptr<char[]> perfect_buf;;) {
376    size_t needed = SafeSNPrintf(out, out_sz,
377#if defined(NDEBUG)
378                            "A%2cong %s: %d %010X %d %p%7s", 'l', "string", "",
379#else
380                            "A%2cong %s: %%d %010X %d %p%7s", 'l', "string",
381#endif
382                            0xDEADBEEF, std::numeric_limits<intptr_t>::min(),
383                            PrintLongString, static_cast<char*>(NULL)) + 1;
384
385    // Various sanity checks:
386    // The numbered of characters needed to print the full string should always
387    // be bigger or equal to the bytes that have actually been output.
388    len = strlen(tmp.get());
389    CHECK_GE(needed, len+1);
390
391    // The number of characters output should always fit into the buffer that
392    // was passed into SafeSPrintf().
393    CHECK_LT(len, out_sz);
394
395    // The output is always terminated with a NUL byte (actually, this test is
396    // always going to pass, as strlen() already verified this)
397    EXPECT_FALSE(tmp[len]);
398
399    // ASAN can check that we are not overwriting buffers, iff we make sure the
400    // buffer is exactly the size that we are expecting to be written. After
401    // running SafeSNPrintf() the first time, it is possible to compute the
402    // correct buffer size for this test. So, allocate a second buffer and run
403    // the exact same SafeSNPrintf() command again.
404    if (!perfect_buf.get()) {
405      out_sz = std::min(needed, sz);
406      out = new char[out_sz];
407      perfect_buf.reset(out);
408    } else {
409      break;
410    }
411  }
412
413  // All trailing bytes are unchanged.
414  for (size_t i = len+1; i < sz+2; ++i)
415    EXPECT_EQ('X', tmp[i]);
416
417  // The text that was generated by SafeSPrintf() should always match the
418  // equivalent text generated by sprintf(). Please note that the format
419  // string for sprintf() is not complicated, as it does not have the
420  // benefit of getting type information from the C++ compiler.
421  //
422  // N.B.: It would be so much cleaner to use snprintf(). But unfortunately,
423  //       Visual Studio doesn't support this function, and the work-arounds
424  //       are all really awkward.
425  char ref[256];
426  CHECK_LE(sz, sizeof(ref));
427  sprintf(ref, "A long string: %%d 00DEADBEEF %lld 0x%llX <NULL>",
428          static_cast<long long>(std::numeric_limits<intptr_t>::min()),
429          static_cast<unsigned long long>(
430            reinterpret_cast<uintptr_t>(PrintLongString)));
431  ref[sz-1] = '\000';
432
433#if defined(NDEBUG)
434  const size_t kSSizeMax = std::numeric_limits<ssize_t>::max();
435#else
436  const size_t kSSizeMax = internal::GetSafeSPrintfSSizeMaxForTest();
437#endif
438
439  // Compare the output from SafeSPrintf() to the one from sprintf().
440  EXPECT_EQ(std::string(ref).substr(0, kSSizeMax-1), std::string(tmp.get()));
441
442  // We allocated a slightly larger buffer, so that we could perform some
443  // extra sanity checks. Now that the tests have all passed, we copy the
444  // data to the output buffer that the caller provided.
445  memcpy(buf, tmp.get(), len+1);
446}
447
448#if !defined(NDEBUG)
449class ScopedSafeSPrintfSSizeMaxSetter {
450 public:
451  ScopedSafeSPrintfSSizeMaxSetter(size_t sz) {
452    old_ssize_max_ = internal::GetSafeSPrintfSSizeMaxForTest();
453    internal::SetSafeSPrintfSSizeMaxForTest(sz);
454  }
455
456  ~ScopedSafeSPrintfSSizeMaxSetter() {
457    internal::SetSafeSPrintfSSizeMaxForTest(old_ssize_max_);
458  }
459
460 private:
461  size_t old_ssize_max_;
462
463  DISALLOW_COPY_AND_ASSIGN(ScopedSafeSPrintfSSizeMaxSetter);
464};
465#endif
466
467}  // anonymous namespace
468
469TEST(SafeSPrintfTest, Truncation) {
470  // We use PrintLongString() to print a complex long string and then
471  // truncate to all possible lengths. This ends up exercising a lot of
472  // different code paths in SafeSPrintf() and IToASCII(), as truncation can
473  // happen in a lot of different states.
474  char ref[256];
475  PrintLongString(ref, sizeof(ref));
476  for (size_t i = strlen(ref)+1; i; --i) {
477    char buf[sizeof(ref)];
478    PrintLongString(buf, i);
479    EXPECT_EQ(std::string(ref, i - 1), std::string(buf));
480  }
481
482  // When compiling in debug mode, we have the ability to fake a small
483  // upper limit for the maximum value that can be stored in an ssize_t.
484  // SafeSPrintf() uses this upper limit to determine how many bytes it will
485  // write to the buffer, even if the caller claimed a bigger buffer size.
486  // Repeat the truncation test and verify that this other code path in
487  // SafeSPrintf() works correctly, too.
488#if !defined(NDEBUG)
489  for (size_t i = strlen(ref)+1; i > 1; --i) {
490    ScopedSafeSPrintfSSizeMaxSetter ssize_max_setter(i);
491    char buf[sizeof(ref)];
492    PrintLongString(buf, sizeof(buf));
493    EXPECT_EQ(std::string(ref, i - 1), std::string(buf));
494  }
495
496  // kSSizeMax is also used to constrain the maximum amount of padding, before
497  // SafeSPrintf() detects an error in the format string.
498  ScopedSafeSPrintfSSizeMaxSetter ssize_max_setter(100);
499  char buf[256];
500  EXPECT_EQ(99, SafeSPrintf(buf, "%99c", ' '));
501  EXPECT_EQ(std::string(99, ' '), std::string(buf));
502  *buf = '\000';
503#if defined(ALLOW_DEATH_TEST)
504  EXPECT_DEATH(SafeSPrintf(buf, "%100c", ' '), "padding <= max_padding");
505#endif
506  EXPECT_EQ(0, *buf);
507#endif
508}
509
510TEST(SafeSPrintfTest, Padding) {
511  char buf[40], fmt[40];
512
513  // Chars %c
514  EXPECT_EQ(1, SafeSPrintf(buf, "%c", 'A'));
515  EXPECT_EQ("A", std::string(buf));
516  EXPECT_EQ(2, SafeSPrintf(buf, "%2c", 'A'));
517  EXPECT_EQ(" A", std::string(buf));
518  EXPECT_EQ(2, SafeSPrintf(buf, "%02c", 'A'));
519  EXPECT_EQ(" A", std::string(buf));
520  EXPECT_EQ(4, SafeSPrintf(buf, "%-2c", 'A'));
521  EXPECT_EQ("%-2c", std::string(buf));
522  SafeSPrintf(fmt, "%%%dc", std::numeric_limits<ssize_t>::max() - 1);
523  EXPECT_EQ(std::numeric_limits<ssize_t>::max()-1, SafeSPrintf(buf, fmt, 'A'));
524  SafeSPrintf(fmt, "%%%dc",
525              static_cast<size_t>(std::numeric_limits<ssize_t>::max()));
526#if defined(NDEBUG)
527  EXPECT_EQ(2, SafeSPrintf(buf, fmt, 'A'));
528  EXPECT_EQ("%c", std::string(buf));
529#elif defined(ALLOW_DEATH_TEST)
530  EXPECT_DEATH(SafeSPrintf(buf, fmt, 'A'), "padding <= max_padding");
531#endif
532
533  // Octal %o
534  EXPECT_EQ(1, SafeSPrintf(buf, "%o", 1));
535  EXPECT_EQ("1", std::string(buf));
536  EXPECT_EQ(2, SafeSPrintf(buf, "%2o", 1));
537  EXPECT_EQ(" 1", std::string(buf));
538  EXPECT_EQ(2, SafeSPrintf(buf, "%02o", 1));
539  EXPECT_EQ("01", std::string(buf));
540  EXPECT_EQ(12, SafeSPrintf(buf, "%12o", -1));
541  EXPECT_EQ(" 37777777777", std::string(buf));
542  EXPECT_EQ(12, SafeSPrintf(buf, "%012o", -1));
543  EXPECT_EQ("037777777777", std::string(buf));
544  EXPECT_EQ(23, SafeSPrintf(buf, "%23o", -1LL));
545  EXPECT_EQ(" 1777777777777777777777", std::string(buf));
546  EXPECT_EQ(23, SafeSPrintf(buf, "%023o", -1LL));
547  EXPECT_EQ("01777777777777777777777", std::string(buf));
548  EXPECT_EQ(3, SafeSPrintf(buf, "%2o", 0111));
549  EXPECT_EQ("111", std::string(buf));
550  EXPECT_EQ(4, SafeSPrintf(buf, "%-2o", 1));
551  EXPECT_EQ("%-2o", std::string(buf));
552  SafeSPrintf(fmt, "%%%do", std::numeric_limits<ssize_t>::max()-1);
553  EXPECT_EQ(std::numeric_limits<ssize_t>::max()-1,
554            SafeSNPrintf(buf, 4, fmt, 1));
555  EXPECT_EQ("   ", std::string(buf));
556  SafeSPrintf(fmt, "%%0%do", std::numeric_limits<ssize_t>::max()-1);
557  EXPECT_EQ(std::numeric_limits<ssize_t>::max()-1,
558            SafeSNPrintf(buf, 4, fmt, 1));
559  EXPECT_EQ("000", std::string(buf));
560  SafeSPrintf(fmt, "%%%do",
561              static_cast<size_t>(std::numeric_limits<ssize_t>::max()));
562#if defined(NDEBUG)
563  EXPECT_EQ(2, SafeSPrintf(buf, fmt, 1));
564  EXPECT_EQ("%o", std::string(buf));
565#elif defined(ALLOW_DEATH_TEST)
566  EXPECT_DEATH(SafeSPrintf(buf, fmt, 1), "padding <= max_padding");
567#endif
568
569  // Decimals %d
570  EXPECT_EQ(1, SafeSPrintf(buf, "%d", 1));
571  EXPECT_EQ("1", std::string(buf));
572  EXPECT_EQ(2, SafeSPrintf(buf, "%2d", 1));
573  EXPECT_EQ(" 1", std::string(buf));
574  EXPECT_EQ(2, SafeSPrintf(buf, "%02d", 1));
575  EXPECT_EQ("01", std::string(buf));
576  EXPECT_EQ(3, SafeSPrintf(buf, "%3d", -1));
577  EXPECT_EQ(" -1", std::string(buf));
578  EXPECT_EQ(3, SafeSPrintf(buf, "%03d", -1));
579  EXPECT_EQ("-01", std::string(buf));
580  EXPECT_EQ(3, SafeSPrintf(buf, "%2d", 111));
581  EXPECT_EQ("111", std::string(buf));
582  EXPECT_EQ(4, SafeSPrintf(buf, "%2d", -111));
583  EXPECT_EQ("-111", std::string(buf));
584  EXPECT_EQ(4, SafeSPrintf(buf, "%-2d", 1));
585  EXPECT_EQ("%-2d", std::string(buf));
586  SafeSPrintf(fmt, "%%%dd", std::numeric_limits<ssize_t>::max()-1);
587  EXPECT_EQ(std::numeric_limits<ssize_t>::max()-1,
588            SafeSNPrintf(buf, 4, fmt, 1));
589  EXPECT_EQ("   ", std::string(buf));
590  SafeSPrintf(fmt, "%%0%dd", std::numeric_limits<ssize_t>::max()-1);
591  EXPECT_EQ(std::numeric_limits<ssize_t>::max()-1,
592            SafeSNPrintf(buf, 4, fmt, 1));
593  EXPECT_EQ("000", std::string(buf));
594  SafeSPrintf(fmt, "%%%dd",
595              static_cast<size_t>(std::numeric_limits<ssize_t>::max()));
596#if defined(NDEBUG)
597  EXPECT_EQ(2, SafeSPrintf(buf, fmt, 1));
598  EXPECT_EQ("%d", std::string(buf));
599#elif defined(ALLOW_DEATH_TEST)
600  EXPECT_DEATH(SafeSPrintf(buf, fmt, 1), "padding <= max_padding");
601#endif
602
603  // Hex %X
604  EXPECT_EQ(1, SafeSPrintf(buf, "%X", 1));
605  EXPECT_EQ("1", std::string(buf));
606  EXPECT_EQ(2, SafeSPrintf(buf, "%2X", 1));
607  EXPECT_EQ(" 1", std::string(buf));
608  EXPECT_EQ(2, SafeSPrintf(buf, "%02X", 1));
609  EXPECT_EQ("01", std::string(buf));
610  EXPECT_EQ(9, SafeSPrintf(buf, "%9X", -1));
611  EXPECT_EQ(" FFFFFFFF", std::string(buf));
612  EXPECT_EQ(9, SafeSPrintf(buf, "%09X", -1));
613  EXPECT_EQ("0FFFFFFFF", std::string(buf));
614  EXPECT_EQ(17, SafeSPrintf(buf, "%17X", -1LL));
615  EXPECT_EQ(" FFFFFFFFFFFFFFFF", std::string(buf));
616  EXPECT_EQ(17, SafeSPrintf(buf, "%017X", -1LL));
617  EXPECT_EQ("0FFFFFFFFFFFFFFFF", std::string(buf));
618  EXPECT_EQ(3, SafeSPrintf(buf, "%2X", 0x111));
619  EXPECT_EQ("111", std::string(buf));
620  EXPECT_EQ(4, SafeSPrintf(buf, "%-2X", 1));
621  EXPECT_EQ("%-2X", std::string(buf));
622  SafeSPrintf(fmt, "%%%dX", std::numeric_limits<ssize_t>::max()-1);
623  EXPECT_EQ(std::numeric_limits<ssize_t>::max()-1,
624            SafeSNPrintf(buf, 4, fmt, 1));
625  EXPECT_EQ("   ", std::string(buf));
626  SafeSPrintf(fmt, "%%0%dX", std::numeric_limits<ssize_t>::max()-1);
627  EXPECT_EQ(std::numeric_limits<ssize_t>::max()-1,
628            SafeSNPrintf(buf, 4, fmt, 1));
629  EXPECT_EQ("000", std::string(buf));
630  SafeSPrintf(fmt, "%%%dX",
631              static_cast<size_t>(std::numeric_limits<ssize_t>::max()));
632#if defined(NDEBUG)
633  EXPECT_EQ(2, SafeSPrintf(buf, fmt, 1));
634  EXPECT_EQ("%X", std::string(buf));
635#elif defined(ALLOW_DEATH_TEST)
636  EXPECT_DEATH(SafeSPrintf(buf, fmt, 1), "padding <= max_padding");
637#endif
638
639  // Pointer %p
640  EXPECT_EQ(3, SafeSPrintf(buf, "%p", (void*)1));
641  EXPECT_EQ("0x1", std::string(buf));
642  EXPECT_EQ(4, SafeSPrintf(buf, "%4p", (void*)1));
643  EXPECT_EQ(" 0x1", std::string(buf));
644  EXPECT_EQ(4, SafeSPrintf(buf, "%04p", (void*)1));
645  EXPECT_EQ("0x01", std::string(buf));
646  EXPECT_EQ(5, SafeSPrintf(buf, "%4p", (void*)0x111));
647  EXPECT_EQ("0x111", std::string(buf));
648  EXPECT_EQ(4, SafeSPrintf(buf, "%-2p", (void*)1));
649  EXPECT_EQ("%-2p", std::string(buf));
650  SafeSPrintf(fmt, "%%%dp", std::numeric_limits<ssize_t>::max()-1);
651  EXPECT_EQ(std::numeric_limits<ssize_t>::max()-1,
652            SafeSNPrintf(buf, 4, fmt, (void*)1));
653  EXPECT_EQ("   ", std::string(buf));
654  SafeSPrintf(fmt, "%%0%dp", std::numeric_limits<ssize_t>::max()-1);
655  EXPECT_EQ(std::numeric_limits<ssize_t>::max()-1,
656            SafeSNPrintf(buf, 4, fmt, (void*)1));
657  EXPECT_EQ("0x0", std::string(buf));
658  SafeSPrintf(fmt, "%%%dp",
659              static_cast<size_t>(std::numeric_limits<ssize_t>::max()));
660#if defined(NDEBUG)
661  EXPECT_EQ(2, SafeSPrintf(buf, fmt, 1));
662  EXPECT_EQ("%p", std::string(buf));
663#elif defined(ALLOW_DEATH_TEST)
664  EXPECT_DEATH(SafeSPrintf(buf, fmt, 1), "padding <= max_padding");
665#endif
666
667  // String
668  EXPECT_EQ(1, SafeSPrintf(buf, "%s", "A"));
669  EXPECT_EQ("A", std::string(buf));
670  EXPECT_EQ(2, SafeSPrintf(buf, "%2s", "A"));
671  EXPECT_EQ(" A", std::string(buf));
672  EXPECT_EQ(2, SafeSPrintf(buf, "%02s", "A"));
673  EXPECT_EQ(" A", std::string(buf));
674  EXPECT_EQ(3, SafeSPrintf(buf, "%2s", "AAA"));
675  EXPECT_EQ("AAA", std::string(buf));
676  EXPECT_EQ(4, SafeSPrintf(buf, "%-2s", "A"));
677  EXPECT_EQ("%-2s", std::string(buf));
678  SafeSPrintf(fmt, "%%%ds", std::numeric_limits<ssize_t>::max()-1);
679  EXPECT_EQ(std::numeric_limits<ssize_t>::max()-1,
680            SafeSNPrintf(buf, 4, fmt, "A"));
681  EXPECT_EQ("   ", std::string(buf));
682  SafeSPrintf(fmt, "%%0%ds", std::numeric_limits<ssize_t>::max()-1);
683  EXPECT_EQ(std::numeric_limits<ssize_t>::max()-1,
684            SafeSNPrintf(buf, 4, fmt, "A"));
685  EXPECT_EQ("   ", std::string(buf));
686  SafeSPrintf(fmt, "%%%ds",
687              static_cast<size_t>(std::numeric_limits<ssize_t>::max()));
688#if defined(NDEBUG)
689  EXPECT_EQ(2, SafeSPrintf(buf, fmt, "A"));
690  EXPECT_EQ("%s", std::string(buf));
691#elif defined(ALLOW_DEATH_TEST)
692  EXPECT_DEATH(SafeSPrintf(buf, fmt, "A"), "padding <= max_padding");
693#endif
694}
695
696TEST(SafeSPrintfTest, EmbeddedNul) {
697  char buf[] = { 'X', 'X', 'X', 'X' };
698  EXPECT_EQ(2, SafeSPrintf(buf, "%3c", 0));
699  EXPECT_EQ(' ', buf[0]);
700  EXPECT_EQ(' ', buf[1]);
701  EXPECT_EQ(0,   buf[2]);
702  EXPECT_EQ('X', buf[3]);
703
704  // Check handling of a NUL format character. N.B. this takes two different
705  // code paths depending on whether we are actually passing arguments. If
706  // we don't have any arguments, we are running in the fast-path code, that
707  // looks (almost) like a strncpy().
708#if defined(NDEBUG)
709  EXPECT_EQ(2, SafeSPrintf(buf, "%%%"));
710  EXPECT_EQ("%%", std::string(buf));
711  EXPECT_EQ(2, SafeSPrintf(buf, "%%%", 0));
712  EXPECT_EQ("%%", std::string(buf));
713#elif defined(ALLOW_DEATH_TEST)
714  EXPECT_DEATH(SafeSPrintf(buf, "%%%"), "src.1. == '%'");
715  EXPECT_DEATH(SafeSPrintf(buf, "%%%", 0), "ch");
716#endif
717}
718
719TEST(SafeSPrintfTest, EmitNULL) {
720  char buf[40];
721#if defined(__GNUC__)
722#pragma GCC diagnostic push
723#pragma GCC diagnostic ignored "-Wconversion-null"
724#endif
725  EXPECT_EQ(1, SafeSPrintf(buf, "%d", NULL));
726  EXPECT_EQ("0", std::string(buf));
727  EXPECT_EQ(3, SafeSPrintf(buf, "%p", NULL));
728  EXPECT_EQ("0x0", std::string(buf));
729  EXPECT_EQ(6, SafeSPrintf(buf, "%s", NULL));
730  EXPECT_EQ("<NULL>", std::string(buf));
731#if defined(__GCC__)
732#pragma GCC diagnostic pop
733#endif
734}
735
736TEST(SafeSPrintfTest, PointerSize) {
737  // The internal data representation is a 64bit value, independent of the
738  // native word size. We want to perform sign-extension for signed integers,
739  // but we want to avoid doing so for pointer types. This could be a
740  // problem on systems, where pointers are only 32bit. This tests verifies
741  // that there is no such problem.
742  char *str = reinterpret_cast<char *>(0x80000000u);
743  void *ptr = str;
744  char buf[40];
745  EXPECT_EQ(10, SafeSPrintf(buf, "%p", str));
746  EXPECT_EQ("0x80000000", std::string(buf));
747  EXPECT_EQ(10, SafeSPrintf(buf, "%p", ptr));
748  EXPECT_EQ("0x80000000", std::string(buf));
749}
750
751}  // namespace strings
752}  // namespace base
753