safe_sprintf_unittest.cc revision 58537e28ecd584eab876aee8be7156509866d23a
1// Copyright 2013 The Chromium Authors. All rights reserved. 2// Use of this source code is governed by a BSD-style license that can be 3// found in the LICENSE file. 4 5#include "base/strings/safe_sprintf.h" 6 7#include <stdio.h> 8#include <string.h> 9 10#include <limits> 11 12#include "base/logging.h" 13#include "base/memory/scoped_ptr.h" 14#include "testing/gtest/include/gtest/gtest.h" 15 16// Death tests on Android are currently very flaky. No need to add more flaky 17// tests, as they just make it hard to spot real problems. 18// TODO(markus): See if the restrictions on Android can eventually be lifted. 19#if defined(GTEST_HAS_DEATH_TEST) && !defined(OS_ANDROID) 20#define ALLOW_DEATH_TEST 21#endif 22 23namespace base { 24namespace strings { 25 26TEST(SafeSPrintfTest, Empty) { 27 char buf[2] = { 'X', 'X' }; 28 29 // Negative buffer size should always result in an error. 30 EXPECT_EQ(-1, SafeSNPrintf(buf, -1, "")); 31 EXPECT_EQ('X', buf[0]); 32 EXPECT_EQ('X', buf[1]); 33 34 // Zero buffer size should always result in an error. 35 EXPECT_EQ(-1, SafeSNPrintf(buf, 0, "")); 36 EXPECT_EQ('X', buf[0]); 37 EXPECT_EQ('X', buf[1]); 38 39 // A one-byte buffer should always print a single NUL byte. 40 EXPECT_EQ(0, SafeSNPrintf(buf, 1, "")); 41 EXPECT_EQ(0, buf[0]); 42 EXPECT_EQ('X', buf[1]); 43 buf[0] = 'X'; 44 45 // A larger buffer should leave the trailing bytes unchanged. 46 EXPECT_EQ(0, SafeSNPrintf(buf, 2, "")); 47 EXPECT_EQ(0, buf[0]); 48 EXPECT_EQ('X', buf[1]); 49 buf[0] = 'X'; 50 51 // The same test using SafeSPrintf() instead of SafeSNPrintf(). 52 EXPECT_EQ(0, SafeSPrintf(buf, "")); 53 EXPECT_EQ(0, buf[0]); 54 EXPECT_EQ('X', buf[1]); 55 buf[0] = 'X'; 56} 57 58TEST(SafeSPrintfTest, NoArguments) { 59 // Output a text message that doesn't require any substitutions. This 60 // is roughly equivalent to calling strncpy() (but unlike strncpy(), it does 61 // always add a trailing NUL; it always deduplicates '%' characters). 62 static const char text[] = "hello world"; 63 char ref[20], buf[20]; 64 memset(ref, 'X', sizeof(char) * arraysize(buf)); 65 memcpy(buf, ref, sizeof(buf)); 66 67 // A negative buffer size should always result in an error. 68 EXPECT_EQ(-1, SafeSNPrintf(buf, -1, text)); 69 EXPECT_TRUE(!memcmp(buf, ref, sizeof(buf))); 70 71 // Zero buffer size should always result in an error. 72 EXPECT_EQ(-1, SafeSNPrintf(buf, 0, text)); 73 EXPECT_TRUE(!memcmp(buf, ref, sizeof(buf))); 74 75 // A one-byte buffer should always print a single NUL byte. 76 EXPECT_EQ(static_cast<ssize_t>(sizeof(text))-1, SafeSNPrintf(buf, 1, text)); 77 EXPECT_EQ(0, buf[0]); 78 EXPECT_TRUE(!memcmp(buf+1, ref+1, sizeof(buf)-1)); 79 memcpy(buf, ref, sizeof(buf)); 80 81 // A larger (but limited) buffer should always leave the trailing bytes 82 // unchanged. 83 EXPECT_EQ(static_cast<ssize_t>(sizeof(text))-1, SafeSNPrintf(buf, 2, text)); 84 EXPECT_EQ(text[0], buf[0]); 85 EXPECT_EQ(0, buf[1]); 86 EXPECT_TRUE(!memcmp(buf+2, ref+2, sizeof(buf)-2)); 87 memcpy(buf, ref, sizeof(buf)); 88 89 // A unrestricted buffer length should always leave the trailing bytes 90 // unchanged. 91 EXPECT_EQ(static_cast<ssize_t>(sizeof(text))-1, 92 SafeSNPrintf(buf, sizeof(buf), text)); 93 EXPECT_EQ(std::string(text), std::string(buf)); 94 EXPECT_TRUE(!memcmp(buf + sizeof(text), ref + sizeof(text), 95 sizeof(buf) - sizeof(text))); 96 memcpy(buf, ref, sizeof(buf)); 97 98 // The same test using SafeSPrintf() instead of SafeSNPrintf(). 99 EXPECT_EQ(static_cast<ssize_t>(sizeof(text))-1, SafeSPrintf(buf, text)); 100 EXPECT_EQ(std::string(text), std::string(buf)); 101 EXPECT_TRUE(!memcmp(buf + sizeof(text), ref + sizeof(text), 102 sizeof(buf) - sizeof(text))); 103 memcpy(buf, ref, sizeof(buf)); 104 105 // Check for deduplication of '%' percent characters. 106 EXPECT_EQ(1, SafeSPrintf(buf, "%%")); 107 EXPECT_EQ(2, SafeSPrintf(buf, "%%%%")); 108 EXPECT_EQ(2, SafeSPrintf(buf, "%%X")); 109 EXPECT_EQ(3, SafeSPrintf(buf, "%%%%X")); 110#if defined(NDEBUG) 111 EXPECT_EQ(1, SafeSPrintf(buf, "%")); 112 EXPECT_EQ(2, SafeSPrintf(buf, "%%%")); 113 EXPECT_EQ(2, SafeSPrintf(buf, "%X")); 114 EXPECT_EQ(3, SafeSPrintf(buf, "%%%X")); 115#elif defined(ALLOW_DEATH_TEST) 116 EXPECT_DEATH(SafeSPrintf(buf, "%"), "src.1. == '%'"); 117 EXPECT_DEATH(SafeSPrintf(buf, "%%%"), "src.1. == '%'"); 118 EXPECT_DEATH(SafeSPrintf(buf, "%X"), "src.1. == '%'"); 119 EXPECT_DEATH(SafeSPrintf(buf, "%%%X"), "src.1. == '%'"); 120#endif 121} 122 123TEST(SafeSPrintfTest, OneArgument) { 124 // Test basic single-argument single-character substitution. 125 const char text[] = "hello world"; 126 const char fmt[] = "hello%cworld"; 127 char ref[20], buf[20]; 128 memset(ref, 'X', sizeof(buf)); 129 memcpy(buf, ref, sizeof(buf)); 130 131 // A negative buffer size should always result in an error. 132 EXPECT_EQ(-1, SafeSNPrintf(buf, -1, fmt, ' ')); 133 EXPECT_TRUE(!memcmp(buf, ref, sizeof(buf))); 134 135 // Zero buffer size should always result in an error. 136 EXPECT_EQ(-1, SafeSNPrintf(buf, 0, fmt, ' ')); 137 EXPECT_TRUE(!memcmp(buf, ref, sizeof(buf))); 138 139 // A one-byte buffer should always print a single NUL byte. 140 EXPECT_EQ(static_cast<ssize_t>(sizeof(text))-1, 141 SafeSNPrintf(buf, 1, fmt, ' ')); 142 EXPECT_EQ(0, buf[0]); 143 EXPECT_TRUE(!memcmp(buf+1, ref+1, sizeof(buf)-1)); 144 memcpy(buf, ref, sizeof(buf)); 145 146 // A larger (but limited) buffer should always leave the trailing bytes 147 // unchanged. 148 EXPECT_EQ(static_cast<ssize_t>(sizeof(text))-1, 149 SafeSNPrintf(buf, 2, fmt, ' ')); 150 EXPECT_EQ(text[0], buf[0]); 151 EXPECT_EQ(0, buf[1]); 152 EXPECT_TRUE(!memcmp(buf+2, ref+2, sizeof(buf)-2)); 153 memcpy(buf, ref, sizeof(buf)); 154 155 // A unrestricted buffer length should always leave the trailing bytes 156 // unchanged. 157 EXPECT_EQ(static_cast<ssize_t>(sizeof(text))-1, 158 SafeSNPrintf(buf, sizeof(buf), fmt, ' ')); 159 EXPECT_EQ(std::string(text), std::string(buf)); 160 EXPECT_TRUE(!memcmp(buf + sizeof(text), ref + sizeof(text), 161 sizeof(buf) - sizeof(text))); 162 memcpy(buf, ref, sizeof(buf)); 163 164 // The same test using SafeSPrintf() instead of SafeSNPrintf(). 165 EXPECT_EQ(static_cast<ssize_t>(sizeof(text))-1, SafeSPrintf(buf, fmt, ' ')); 166 EXPECT_EQ(std::string(text), std::string(buf)); 167 EXPECT_TRUE(!memcmp(buf + sizeof(text), ref + sizeof(text), 168 sizeof(buf) - sizeof(text))); 169 memcpy(buf, ref, sizeof(buf)); 170 171 // Check for deduplication of '%' percent characters. 172 EXPECT_EQ(1, SafeSPrintf(buf, "%%", 0)); 173 EXPECT_EQ(2, SafeSPrintf(buf, "%%%%", 0)); 174 EXPECT_EQ(2, SafeSPrintf(buf, "%Y", 0)); 175 EXPECT_EQ(2, SafeSPrintf(buf, "%%Y", 0)); 176 EXPECT_EQ(3, SafeSPrintf(buf, "%%%Y", 0)); 177 EXPECT_EQ(3, SafeSPrintf(buf, "%%%%Y", 0)); 178#if defined(NDEBUG) 179 EXPECT_EQ(1, SafeSPrintf(buf, "%", 0)); 180 EXPECT_EQ(2, SafeSPrintf(buf, "%%%", 0)); 181#elif defined(ALLOW_DEATH_TEST) 182 EXPECT_DEATH(SafeSPrintf(buf, "%", 0), "ch"); 183 EXPECT_DEATH(SafeSPrintf(buf, "%%%", 0), "ch"); 184#endif 185} 186 187TEST(SafeSPrintfTest, MissingArg) { 188#if defined(NDEBUG) 189 char buf[20]; 190 EXPECT_EQ(3, SafeSPrintf(buf, "%c%c", 'A')); 191 EXPECT_EQ("A%c", std::string(buf)); 192#elif defined(ALLOW_DEATH_TEST) 193 char buf[20]; 194 EXPECT_DEATH(SafeSPrintf(buf, "%c%c", 'A'), "cur_arg < max_args"); 195#endif 196} 197 198TEST(SafeSPrintfTest, ASANFriendlyBufferTest) { 199 // Print into a buffer that is sized exactly to size. ASAN can verify that 200 // nobody attempts to write past the end of the buffer. 201 // There is a more complicated test in PrintLongString() that covers a lot 202 // more edge case, but it is also harder to debug in case of a failure. 203 const char kTestString[] = "This is a test"; 204 scoped_ptr<char[]> buf(new char[sizeof(kTestString)]); 205 EXPECT_EQ(static_cast<ssize_t>(sizeof(kTestString) - 1), 206 SafeSNPrintf(buf.get(), sizeof(kTestString), kTestString)); 207 EXPECT_EQ(std::string(kTestString), std::string(buf.get())); 208 EXPECT_EQ(static_cast<ssize_t>(sizeof(kTestString) - 1), 209 SafeSNPrintf(buf.get(), sizeof(kTestString), "%s", kTestString)); 210 EXPECT_EQ(std::string(kTestString), std::string(buf.get())); 211} 212 213TEST(SafeSPrintfTest, NArgs) { 214 // Pre-C++11 compilers have a different code path, that can only print 215 // up to ten distinct arguments. 216 // We test both SafeSPrintf() and SafeSNPrintf(). This makes sure we don't 217 // have typos in the copy-n-pasted code that is needed to deal with various 218 // numbers of arguments. 219 char buf[12]; 220 EXPECT_EQ(1, SafeSPrintf(buf, "%c", 1)); 221 EXPECT_EQ("\1", std::string(buf)); 222 EXPECT_EQ(2, SafeSPrintf(buf, "%c%c", 1, 2)); 223 EXPECT_EQ("\1\2", std::string(buf)); 224 EXPECT_EQ(3, SafeSPrintf(buf, "%c%c%c", 1, 2, 3)); 225 EXPECT_EQ("\1\2\3", std::string(buf)); 226 EXPECT_EQ(4, SafeSPrintf(buf, "%c%c%c%c", 1, 2, 3, 4)); 227 EXPECT_EQ("\1\2\3\4", std::string(buf)); 228 EXPECT_EQ(5, SafeSPrintf(buf, "%c%c%c%c%c", 1, 2, 3, 4, 5)); 229 EXPECT_EQ("\1\2\3\4\5", std::string(buf)); 230 EXPECT_EQ(6, SafeSPrintf(buf, "%c%c%c%c%c%c", 1, 2, 3, 4, 5, 6)); 231 EXPECT_EQ("\1\2\3\4\5\6", std::string(buf)); 232 EXPECT_EQ(7, SafeSPrintf(buf, "%c%c%c%c%c%c%c", 1, 2, 3, 4, 5, 6, 7)); 233 EXPECT_EQ("\1\2\3\4\5\6\7", std::string(buf)); 234 EXPECT_EQ(8, SafeSPrintf(buf, "%c%c%c%c%c%c%c%c", 1, 2, 3, 4, 5, 6, 7, 8)); 235 EXPECT_EQ("\1\2\3\4\5\6\7\10", std::string(buf)); 236 EXPECT_EQ(9, SafeSPrintf(buf, "%c%c%c%c%c%c%c%c%c", 237 1, 2, 3, 4, 5, 6, 7, 8, 9)); 238 EXPECT_EQ("\1\2\3\4\5\6\7\10\11", std::string(buf)); 239 EXPECT_EQ(10, SafeSPrintf(buf, "%c%c%c%c%c%c%c%c%c%c", 240 1, 2, 3, 4, 5, 6, 7, 8, 9, 10)); 241 242 // Repeat all the tests with SafeSNPrintf() instead of SafeSPrintf(). 243 EXPECT_EQ("\1\2\3\4\5\6\7\10\11\12", std::string(buf)); 244 EXPECT_EQ(1, SafeSNPrintf(buf, 11, "%c", 1)); 245 EXPECT_EQ("\1", std::string(buf)); 246 EXPECT_EQ(2, SafeSNPrintf(buf, 11, "%c%c", 1, 2)); 247 EXPECT_EQ("\1\2", std::string(buf)); 248 EXPECT_EQ(3, SafeSNPrintf(buf, 11, "%c%c%c", 1, 2, 3)); 249 EXPECT_EQ("\1\2\3", std::string(buf)); 250 EXPECT_EQ(4, SafeSNPrintf(buf, 11, "%c%c%c%c", 1, 2, 3, 4)); 251 EXPECT_EQ("\1\2\3\4", std::string(buf)); 252 EXPECT_EQ(5, SafeSNPrintf(buf, 11, "%c%c%c%c%c", 1, 2, 3, 4, 5)); 253 EXPECT_EQ("\1\2\3\4\5", std::string(buf)); 254 EXPECT_EQ(6, SafeSNPrintf(buf, 11, "%c%c%c%c%c%c", 1, 2, 3, 4, 5, 6)); 255 EXPECT_EQ("\1\2\3\4\5\6", std::string(buf)); 256 EXPECT_EQ(7, SafeSNPrintf(buf, 11, "%c%c%c%c%c%c%c", 1, 2, 3, 4, 5, 6, 7)); 257 EXPECT_EQ("\1\2\3\4\5\6\7", std::string(buf)); 258 EXPECT_EQ(8, SafeSNPrintf(buf, 11, "%c%c%c%c%c%c%c%c", 259 1, 2, 3, 4, 5, 6, 7, 8)); 260 EXPECT_EQ("\1\2\3\4\5\6\7\10", std::string(buf)); 261 EXPECT_EQ(9, SafeSNPrintf(buf, 11, "%c%c%c%c%c%c%c%c%c", 262 1, 2, 3, 4, 5, 6, 7, 8, 9)); 263 EXPECT_EQ("\1\2\3\4\5\6\7\10\11", std::string(buf)); 264 EXPECT_EQ(10, SafeSNPrintf(buf, 11, "%c%c%c%c%c%c%c%c%c%c", 265 1, 2, 3, 4, 5, 6, 7, 8, 9, 10)); 266 EXPECT_EQ("\1\2\3\4\5\6\7\10\11\12", std::string(buf)); 267 268 269 // C++11 is smart enough to handle variadic template arguments. It can 270 // deal with arbitrary numbers of arguments. 271#if __cplusplus >= 201103 // C++11 272 EXPECT_EQ(11, SafeSPrintf(buf, "%c%c%c%c%c%c%c%c%c%c%c", 273 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11)); 274 EXPECT_EQ("\1\2\3\4\5\6\7\10\11\12\13", std::string(buf)); 275 EXPECT_EQ(11, SafeSNPrintf(buf, 12, "%c%c%c%c%c%c%c%c%c%c%c", 276 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11)); 277 EXPECT_EQ("\1\2\3\4\5\6\7\10\11\12\13", std::string(buf)); 278#endif 279} 280 281TEST(SafeSPrintfTest, DataTypes) { 282 char buf[40]; 283 284 // Bytes 285 EXPECT_EQ(1, SafeSPrintf(buf, "%d", (uint8_t)1)); 286 EXPECT_EQ("1", std::string(buf)); 287 EXPECT_EQ(3, SafeSPrintf(buf, "%d", (uint8_t)-1)); 288 EXPECT_EQ("255", std::string(buf)); 289 EXPECT_EQ(1, SafeSPrintf(buf, "%d", (int8_t)1)); 290 EXPECT_EQ("1", std::string(buf)); 291 EXPECT_EQ(2, SafeSPrintf(buf, "%d", (int8_t)-1)); 292 EXPECT_EQ("-1", std::string(buf)); 293 EXPECT_EQ(4, SafeSPrintf(buf, "%d", (int8_t)-128)); 294 EXPECT_EQ("-128", std::string(buf)); 295 296 // Half-words 297 EXPECT_EQ(1, SafeSPrintf(buf, "%d", (uint16_t)1)); 298 EXPECT_EQ("1", std::string(buf)); 299 EXPECT_EQ(5, SafeSPrintf(buf, "%d", (uint16_t)-1)); 300 EXPECT_EQ("65535", std::string(buf)); 301 EXPECT_EQ(1, SafeSPrintf(buf, "%d", (int16_t)1)); 302 EXPECT_EQ("1", std::string(buf)); 303 EXPECT_EQ(2, SafeSPrintf(buf, "%d", (int16_t)-1)); 304 EXPECT_EQ("-1", std::string(buf)); 305 EXPECT_EQ(6, SafeSPrintf(buf, "%d", (int16_t)-32768)); 306 EXPECT_EQ("-32768", std::string(buf)); 307 308 // Words 309 EXPECT_EQ(1, SafeSPrintf(buf, "%d", (uint32_t)1)); 310 EXPECT_EQ("1", std::string(buf)); 311 EXPECT_EQ(10, SafeSPrintf(buf, "%d", (uint32_t)-1)); 312 EXPECT_EQ("4294967295", std::string(buf)); 313 EXPECT_EQ(1, SafeSPrintf(buf, "%d", (int32_t)1)); 314 EXPECT_EQ("1", std::string(buf)); 315 EXPECT_EQ(2, SafeSPrintf(buf, "%d", (int32_t)-1)); 316 EXPECT_EQ("-1", std::string(buf)); 317 // Work-around for an limitation of C90 318 EXPECT_EQ(11, SafeSPrintf(buf, "%d", (int32_t)-2147483647-1)); 319 EXPECT_EQ("-2147483648", std::string(buf)); 320 321 // Quads 322 EXPECT_EQ(1, SafeSPrintf(buf, "%d", (uint64_t)1)); 323 EXPECT_EQ("1", std::string(buf)); 324 EXPECT_EQ(20, SafeSPrintf(buf, "%d", (uint64_t)-1)); 325 EXPECT_EQ("18446744073709551615", std::string(buf)); 326 EXPECT_EQ(1, SafeSPrintf(buf, "%d", (int64_t)1)); 327 EXPECT_EQ("1", std::string(buf)); 328 EXPECT_EQ(2, SafeSPrintf(buf, "%d", (int64_t)-1)); 329 EXPECT_EQ("-1", std::string(buf)); 330 // Work-around for an limitation of C90 331 EXPECT_EQ(20, SafeSPrintf(buf, "%d", (int64_t)-9223372036854775807LL-1)); 332 EXPECT_EQ("-9223372036854775808", std::string(buf)); 333 334 // Strings (both const and mutable). 335 EXPECT_EQ(4, SafeSPrintf(buf, "test")); 336 EXPECT_EQ("test", std::string(buf)); 337 EXPECT_EQ(4, SafeSPrintf(buf, buf)); 338 EXPECT_EQ("test", std::string(buf)); 339 340 // Pointer 341 char addr[20]; 342 sprintf(addr, "0x%llX", (unsigned long long)(uintptr_t)buf); 343 SafeSPrintf(buf, "%p", buf); 344 EXPECT_EQ(std::string(addr), std::string(buf)); 345 SafeSPrintf(buf, "%p", (const char *)buf); 346 EXPECT_EQ(std::string(addr), std::string(buf)); 347 sprintf(addr, "0x%llX", (unsigned long long)(uintptr_t)sprintf); 348 SafeSPrintf(buf, "%p", sprintf); 349 EXPECT_EQ(std::string(addr), std::string(buf)); 350 351 // Padding for pointers is a little more complicated because of the "0x" 352 // prefix. Padding with '0' zeros is relatively straight-forward, but 353 // padding with ' ' spaces requires more effort. 354 sprintf(addr, "0x%017llX", (unsigned long long)(uintptr_t)buf); 355 SafeSPrintf(buf, "%019p", buf); 356 EXPECT_EQ(std::string(addr), std::string(buf)); 357 sprintf(addr, "0x%llX", (unsigned long long)(uintptr_t)buf); 358 memset(addr, ' ', 359 (char*)memmove(addr + sizeof(addr) - strlen(addr) - 1, 360 addr, strlen(addr)+1) - addr); 361 SafeSPrintf(buf, "%19p", buf); 362 EXPECT_EQ(std::string(addr), std::string(buf)); 363} 364 365namespace { 366void PrintLongString(char* buf, size_t sz) { 367 // Output a reasonably complex expression into a limited-size buffer. 368 // At least one byte is available for writing the NUL character. 369 CHECK_GT(sz, static_cast<size_t>(0)); 370 371 // Allocate slightly more space, so that we can verify that SafeSPrintf() 372 // never writes past the end of the buffer. 373 scoped_ptr<char[]> tmp(new char[sz+2]); 374 memset(tmp.get(), 'X', sz+2); 375 376 // Use SafeSPrintf() to output a complex list of arguments: 377 // - test padding and truncating %c single characters. 378 // - test truncating %s simple strings. 379 // - test mismatching arguments and truncating (for %d != %s). 380 // - test zero-padding and truncating %x hexadecimal numbers. 381 // - test outputting and truncating %d MININT. 382 // - test outputting and truncating %p arbitrary pointer values. 383 // - test outputting, padding and truncating NULL-pointer %s strings. 384 char* out = tmp.get(); 385 size_t out_sz = sz; 386 size_t len; 387 for (scoped_ptr<char[]> perfect_buf;;) { 388 size_t needed = SafeSNPrintf(out, out_sz, 389#if defined(NDEBUG) 390 "A%2cong %s: %d %010X %d %p%7s", 'l', "string", "", 391#else 392 "A%2cong %s: %%d %010X %d %p%7s", 'l', "string", 393#endif 394 0xDEADBEEF, std::numeric_limits<intptr_t>::min(), 395 PrintLongString, static_cast<char*>(NULL)) + 1; 396 397 // Various sanity checks: 398 // The numbered of characters needed to print the full string should always 399 // be bigger or equal to the bytes that have actually been output. 400 len = strlen(tmp.get()); 401 CHECK_GE(needed, len+1); 402 403 // The number of characters output should always fit into the buffer that 404 // was passed into SafeSPrintf(). 405 CHECK_LT(len, out_sz); 406 407 // The output is always terminated with a NUL byte (actually, this test is 408 // always going to pass, as strlen() already verified this) 409 EXPECT_FALSE(tmp[len]); 410 411 // ASAN can check that we are not overwriting buffers, iff we make sure the 412 // buffer is exactly the size that we are expecting to be written. After 413 // running SafeSNPrintf() the first time, it is possible to compute the 414 // correct buffer size for this test. So, allocate a second buffer and run 415 // the exact same SafeSNPrintf() command again. 416 if (!perfect_buf.get()) { 417 out_sz = std::min(needed, sz); 418 out = new char[out_sz]; 419 perfect_buf.reset(out); 420 } else { 421 break; 422 } 423 } 424 425 // All trailing bytes are unchanged. 426 for (size_t i = len+1; i < sz+2; ++i) 427 EXPECT_EQ('X', tmp[i]); 428 429 // The text that was generated by SafeSPrintf() should always match the 430 // equivalent text generated by sprintf(). Please note that the format 431 // string for sprintf() is nor complicated, as it does not have the 432 // benefit of getting type information from the C++ compiler. 433 // 434 // N.B.: It would be so much cleaner to use snprintf(). But unfortunately, 435 // Visual Studio doesn't support this function, and the work-arounds 436 // are all really awkward. 437 char ref[256]; 438 CHECK_LE(sz, sizeof(ref)); 439 sprintf(ref, "A long string: %%d 00DEADBEEF %lld 0x%llX <NULL>", 440 static_cast<long long>(std::numeric_limits<intptr_t>::min()), 441 (long long)PrintLongString); 442 ref[sz-1] = '\000'; 443 444#if defined(NDEBUG) 445 const size_t kSSizeMax = std::numeric_limits<ssize_t>::max(); 446#else 447 const size_t kSSizeMax = internal::GetSafeSPrintfSSizeMaxForTest(); 448#endif 449 450 // Compare the output from SafeSPrintf() to the one from sprintf(). 451 EXPECT_EQ(std::string(ref).substr(0, kSSizeMax-1), std::string(tmp.get())); 452 453 // We allocated a slightly larger buffer, so that we could perform some 454 // extra sanity checks. Now that the tests have all passed, we copy the 455 // data to the output buffer that the caller provided. 456 memcpy(buf, tmp.get(), len+1); 457} 458 459#if !defined(NDEBUG) 460class ScopedSafeSPrintfSSizeMaxSetter { 461 public: 462 ScopedSafeSPrintfSSizeMaxSetter(size_t sz) { 463 old_ssize_max_ = internal::GetSafeSPrintfSSizeMaxForTest(); 464 internal::SetSafeSPrintfSSizeMaxForTest(sz); 465 } 466 467 ~ScopedSafeSPrintfSSizeMaxSetter() { 468 internal::SetSafeSPrintfSSizeMaxForTest(old_ssize_max_); 469 } 470 471 private: 472 size_t old_ssize_max_; 473 474 DISALLOW_COPY_AND_ASSIGN(ScopedSafeSPrintfSSizeMaxSetter); 475}; 476#endif 477 478} // anonymous namespace 479 480TEST(SafeSPrintfTest, Truncation) { 481 // We use PrintLongString() to print a complex long string and then 482 // truncate to all possible lengths. This ends up exercising a lot of 483 // different code paths in SafeSPrintf() and IToASCII(), as truncation can 484 // happen in a lot of different states. 485 char ref[256]; 486 PrintLongString(ref, sizeof(ref)); 487 for (size_t i = strlen(ref)+1; i; --i) { 488 char buf[sizeof(ref)]; 489 PrintLongString(buf, i); 490 EXPECT_EQ(std::string(ref, i - 1), std::string(buf)); 491 } 492 493 // When compiling in debug mode, we have the ability to fake a small 494 // upper limit for the maximum value that can be stored in an ssize_t. 495 // SafeSPrintf() uses this upper limit to determine how many bytes it will 496 // write to the buffer, even if the caller claimed a bigger buffer size. 497 // Repeat the truncation test and verify that this other code path in 498 // SafeSPrintf() works correctly, too. 499#if !defined(NDEBUG) 500 for (size_t i = strlen(ref)+1; i > 1; --i) { 501 ScopedSafeSPrintfSSizeMaxSetter ssize_max_setter(i); 502 char buf[sizeof(ref)]; 503 PrintLongString(buf, sizeof(buf)); 504 EXPECT_EQ(std::string(ref, i - 1), std::string(buf)); 505 } 506 507 // kSSizeMax is also used to constrain the maximum amount of padding, before 508 // SafeSPrintf() detects an error in the format string. 509 ScopedSafeSPrintfSSizeMaxSetter ssize_max_setter(100); 510 char buf[256]; 511 EXPECT_EQ(99, SafeSPrintf(buf, "%99c", ' ')); 512 EXPECT_EQ(std::string(99, ' '), std::string(buf)); 513 *buf = '\000'; 514#if defined(ALLOW_DEATH_TEST) 515 EXPECT_DEATH(SafeSPrintf(buf, "%100c", ' '), "padding <= max_padding"); 516#endif 517 EXPECT_EQ(0, *buf); 518#endif 519} 520 521TEST(SafeSPrintfTest, Padding) { 522 char buf[40], fmt[40]; 523 524 // Chars %c 525 EXPECT_EQ(1, SafeSPrintf(buf, "%c", 'A')); 526 EXPECT_EQ("A", std::string(buf)); 527 EXPECT_EQ(2, SafeSPrintf(buf, "%2c", 'A')); 528 EXPECT_EQ(" A", std::string(buf)); 529 EXPECT_EQ(2, SafeSPrintf(buf, "%02c", 'A')); 530 EXPECT_EQ(" A", std::string(buf)); 531 EXPECT_EQ(4, SafeSPrintf(buf, "%-2c", 'A')); 532 EXPECT_EQ("%-2c", std::string(buf)); 533 SafeSPrintf(fmt, "%%%dc", std::numeric_limits<ssize_t>::max() - 1); 534 EXPECT_EQ(std::numeric_limits<ssize_t>::max()-1, SafeSPrintf(buf, fmt, 'A')); 535 SafeSPrintf(fmt, "%%%dc", 536 static_cast<size_t>(std::numeric_limits<ssize_t>::max())); 537#if defined(NDEBUG) 538 EXPECT_EQ(2, SafeSPrintf(buf, fmt, 'A')); 539 EXPECT_EQ("%c", std::string(buf)); 540#elif defined(ALLOW_DEATH_TEST) 541 EXPECT_DEATH(SafeSPrintf(buf, fmt, 'A'), "padding <= max_padding"); 542#endif 543 544 // Octal %o 545 EXPECT_EQ(1, SafeSPrintf(buf, "%o", 1)); 546 EXPECT_EQ("1", std::string(buf)); 547 EXPECT_EQ(2, SafeSPrintf(buf, "%2o", 1)); 548 EXPECT_EQ(" 1", std::string(buf)); 549 EXPECT_EQ(2, SafeSPrintf(buf, "%02o", 1)); 550 EXPECT_EQ("01", std::string(buf)); 551 EXPECT_EQ(12, SafeSPrintf(buf, "%12o", -1)); 552 EXPECT_EQ(" 37777777777", std::string(buf)); 553 EXPECT_EQ(12, SafeSPrintf(buf, "%012o", -1)); 554 EXPECT_EQ("037777777777", std::string(buf)); 555 EXPECT_EQ(23, SafeSPrintf(buf, "%23o", -1LL)); 556 EXPECT_EQ(" 1777777777777777777777", std::string(buf)); 557 EXPECT_EQ(23, SafeSPrintf(buf, "%023o", -1LL)); 558 EXPECT_EQ("01777777777777777777777", std::string(buf)); 559 EXPECT_EQ(3, SafeSPrintf(buf, "%2o", 0111)); 560 EXPECT_EQ("111", std::string(buf)); 561 EXPECT_EQ(4, SafeSPrintf(buf, "%-2o", 1)); 562 EXPECT_EQ("%-2o", std::string(buf)); 563 SafeSPrintf(fmt, "%%%do", std::numeric_limits<ssize_t>::max()-1); 564 EXPECT_EQ(std::numeric_limits<ssize_t>::max()-1, 565 SafeSNPrintf(buf, 4, fmt, 1)); 566 EXPECT_EQ(" ", std::string(buf)); 567 SafeSPrintf(fmt, "%%0%do", std::numeric_limits<ssize_t>::max()-1); 568 EXPECT_EQ(std::numeric_limits<ssize_t>::max()-1, 569 SafeSNPrintf(buf, 4, fmt, 1)); 570 EXPECT_EQ("000", std::string(buf)); 571 SafeSPrintf(fmt, "%%%do", 572 static_cast<size_t>(std::numeric_limits<ssize_t>::max())); 573#if defined(NDEBUG) 574 EXPECT_EQ(2, SafeSPrintf(buf, fmt, 1)); 575 EXPECT_EQ("%o", std::string(buf)); 576#elif defined(ALLOW_DEATH_TEST) 577 EXPECT_DEATH(SafeSPrintf(buf, fmt, 1), "padding <= max_padding"); 578#endif 579 580 // Decimals %d 581 EXPECT_EQ(1, SafeSPrintf(buf, "%d", 1)); 582 EXPECT_EQ("1", std::string(buf)); 583 EXPECT_EQ(2, SafeSPrintf(buf, "%2d", 1)); 584 EXPECT_EQ(" 1", std::string(buf)); 585 EXPECT_EQ(2, SafeSPrintf(buf, "%02d", 1)); 586 EXPECT_EQ("01", std::string(buf)); 587 EXPECT_EQ(3, SafeSPrintf(buf, "%3d", -1)); 588 EXPECT_EQ(" -1", std::string(buf)); 589 EXPECT_EQ(3, SafeSPrintf(buf, "%03d", -1)); 590 EXPECT_EQ("-01", std::string(buf)); 591 EXPECT_EQ(3, SafeSPrintf(buf, "%2d", 111)); 592 EXPECT_EQ("111", std::string(buf)); 593 EXPECT_EQ(4, SafeSPrintf(buf, "%2d", -111)); 594 EXPECT_EQ("-111", std::string(buf)); 595 EXPECT_EQ(4, SafeSPrintf(buf, "%-2d", 1)); 596 EXPECT_EQ("%-2d", std::string(buf)); 597 SafeSPrintf(fmt, "%%%dd", std::numeric_limits<ssize_t>::max()-1); 598 EXPECT_EQ(std::numeric_limits<ssize_t>::max()-1, 599 SafeSNPrintf(buf, 4, fmt, 1)); 600 EXPECT_EQ(" ", std::string(buf)); 601 SafeSPrintf(fmt, "%%0%dd", std::numeric_limits<ssize_t>::max()-1); 602 EXPECT_EQ(std::numeric_limits<ssize_t>::max()-1, 603 SafeSNPrintf(buf, 4, fmt, 1)); 604 EXPECT_EQ("000", std::string(buf)); 605 SafeSPrintf(fmt, "%%%dd", 606 static_cast<size_t>(std::numeric_limits<ssize_t>::max())); 607#if defined(NDEBUG) 608 EXPECT_EQ(2, SafeSPrintf(buf, fmt, 1)); 609 EXPECT_EQ("%d", std::string(buf)); 610#elif defined(ALLOW_DEATH_TEST) 611 EXPECT_DEATH(SafeSPrintf(buf, fmt, 1), "padding <= max_padding"); 612#endif 613 614 // Hex %X 615 EXPECT_EQ(1, SafeSPrintf(buf, "%X", 1)); 616 EXPECT_EQ("1", std::string(buf)); 617 EXPECT_EQ(2, SafeSPrintf(buf, "%2X", 1)); 618 EXPECT_EQ(" 1", std::string(buf)); 619 EXPECT_EQ(2, SafeSPrintf(buf, "%02X", 1)); 620 EXPECT_EQ("01", std::string(buf)); 621 EXPECT_EQ(9, SafeSPrintf(buf, "%9X", -1)); 622 EXPECT_EQ(" FFFFFFFF", std::string(buf)); 623 EXPECT_EQ(9, SafeSPrintf(buf, "%09X", -1)); 624 EXPECT_EQ("0FFFFFFFF", std::string(buf)); 625 EXPECT_EQ(17, SafeSPrintf(buf, "%17X", -1LL)); 626 EXPECT_EQ(" FFFFFFFFFFFFFFFF", std::string(buf)); 627 EXPECT_EQ(17, SafeSPrintf(buf, "%017X", -1LL)); 628 EXPECT_EQ("0FFFFFFFFFFFFFFFF", std::string(buf)); 629 EXPECT_EQ(3, SafeSPrintf(buf, "%2X", 0x111)); 630 EXPECT_EQ("111", std::string(buf)); 631 EXPECT_EQ(4, SafeSPrintf(buf, "%-2X", 1)); 632 EXPECT_EQ("%-2X", std::string(buf)); 633 SafeSPrintf(fmt, "%%%dX", std::numeric_limits<ssize_t>::max()-1); 634 EXPECT_EQ(std::numeric_limits<ssize_t>::max()-1, 635 SafeSNPrintf(buf, 4, fmt, 1)); 636 EXPECT_EQ(" ", std::string(buf)); 637 SafeSPrintf(fmt, "%%0%dX", std::numeric_limits<ssize_t>::max()-1); 638 EXPECT_EQ(std::numeric_limits<ssize_t>::max()-1, 639 SafeSNPrintf(buf, 4, fmt, 1)); 640 EXPECT_EQ("000", std::string(buf)); 641 SafeSPrintf(fmt, "%%%dX", 642 static_cast<size_t>(std::numeric_limits<ssize_t>::max())); 643#if defined(NDEBUG) 644 EXPECT_EQ(2, SafeSPrintf(buf, fmt, 1)); 645 EXPECT_EQ("%X", std::string(buf)); 646#elif defined(ALLOW_DEATH_TEST) 647 EXPECT_DEATH(SafeSPrintf(buf, fmt, 1), "padding <= max_padding"); 648#endif 649 650 // Pointer %p 651 EXPECT_EQ(3, SafeSPrintf(buf, "%p", (void*)1)); 652 EXPECT_EQ("0x1", std::string(buf)); 653 EXPECT_EQ(4, SafeSPrintf(buf, "%4p", (void*)1)); 654 EXPECT_EQ(" 0x1", std::string(buf)); 655 EXPECT_EQ(4, SafeSPrintf(buf, "%04p", (void*)1)); 656 EXPECT_EQ("0x01", std::string(buf)); 657 EXPECT_EQ(5, SafeSPrintf(buf, "%4p", (void*)0x111)); 658 EXPECT_EQ("0x111", std::string(buf)); 659 EXPECT_EQ(4, SafeSPrintf(buf, "%-2p", (void*)1)); 660 EXPECT_EQ("%-2p", std::string(buf)); 661 SafeSPrintf(fmt, "%%%dp", std::numeric_limits<ssize_t>::max()-1); 662 EXPECT_EQ(std::numeric_limits<ssize_t>::max()-1, 663 SafeSNPrintf(buf, 4, fmt, (void*)1)); 664 EXPECT_EQ(" ", std::string(buf)); 665 SafeSPrintf(fmt, "%%0%dp", std::numeric_limits<ssize_t>::max()-1); 666 EXPECT_EQ(std::numeric_limits<ssize_t>::max()-1, 667 SafeSNPrintf(buf, 4, fmt, (void*)1)); 668 EXPECT_EQ("0x0", std::string(buf)); 669 SafeSPrintf(fmt, "%%%dp", 670 static_cast<size_t>(std::numeric_limits<ssize_t>::max())); 671#if defined(NDEBUG) 672 EXPECT_EQ(2, SafeSPrintf(buf, fmt, 1)); 673 EXPECT_EQ("%p", std::string(buf)); 674#elif defined(ALLOW_DEATH_TEST) 675 EXPECT_DEATH(SafeSPrintf(buf, fmt, 1), "padding <= max_padding"); 676#endif 677 678 // String 679 EXPECT_EQ(1, SafeSPrintf(buf, "%s", "A")); 680 EXPECT_EQ("A", std::string(buf)); 681 EXPECT_EQ(2, SafeSPrintf(buf, "%2s", "A")); 682 EXPECT_EQ(" A", std::string(buf)); 683 EXPECT_EQ(2, SafeSPrintf(buf, "%02s", "A")); 684 EXPECT_EQ(" A", std::string(buf)); 685 EXPECT_EQ(3, SafeSPrintf(buf, "%2s", "AAA")); 686 EXPECT_EQ("AAA", std::string(buf)); 687 EXPECT_EQ(4, SafeSPrintf(buf, "%-2s", "A")); 688 EXPECT_EQ("%-2s", std::string(buf)); 689 SafeSPrintf(fmt, "%%%ds", std::numeric_limits<ssize_t>::max()-1); 690 EXPECT_EQ(std::numeric_limits<ssize_t>::max()-1, 691 SafeSNPrintf(buf, 4, fmt, "A")); 692 EXPECT_EQ(" ", std::string(buf)); 693 SafeSPrintf(fmt, "%%0%ds", std::numeric_limits<ssize_t>::max()-1); 694 EXPECT_EQ(std::numeric_limits<ssize_t>::max()-1, 695 SafeSNPrintf(buf, 4, fmt, "A")); 696 EXPECT_EQ(" ", std::string(buf)); 697 SafeSPrintf(fmt, "%%%ds", 698 static_cast<size_t>(std::numeric_limits<ssize_t>::max())); 699#if defined(NDEBUG) 700 EXPECT_EQ(2, SafeSPrintf(buf, fmt, "A")); 701 EXPECT_EQ("%s", std::string(buf)); 702#elif defined(ALLOW_DEATH_TEST) 703 EXPECT_DEATH(SafeSPrintf(buf, fmt, "A"), "padding <= max_padding"); 704#endif 705} 706 707TEST(SafeSPrintfTest, EmbeddedNul) { 708 char buf[] = { 'X', 'X', 'X', 'X' }; 709 EXPECT_EQ(2, SafeSPrintf(buf, "%3c", 0)); 710 EXPECT_EQ(' ', buf[0]); 711 EXPECT_EQ(' ', buf[1]); 712 EXPECT_EQ(0, buf[2]); 713 EXPECT_EQ('X', buf[3]); 714 715 // Check handling of a NUL format character. N.B. this takes two different 716 // code paths depending on whether we are actually passing arguments. If 717 // we don't have any arguments, we are running in the fast-path code, that 718 // looks (almost) like a strncpy(). 719#if defined(NDEBUG) 720 EXPECT_EQ(2, SafeSPrintf(buf, "%%%")); 721 EXPECT_EQ("%%", std::string(buf)); 722 EXPECT_EQ(2, SafeSPrintf(buf, "%%%", 0)); 723 EXPECT_EQ("%%", std::string(buf)); 724#elif defined(ALLOW_DEATH_TEST) 725 EXPECT_DEATH(SafeSPrintf(buf, "%%%"), "src.1. == '%'"); 726 EXPECT_DEATH(SafeSPrintf(buf, "%%%", 0), "ch"); 727#endif 728} 729 730TEST(SafeSPrintfTest, EmitNULL) { 731 char buf[40]; 732#if defined(__GNUC__) 733#pragma GCC diagnostic push 734#pragma GCC diagnostic ignored "-Wconversion-null" 735#endif 736 EXPECT_EQ(1, SafeSPrintf(buf, "%d", NULL)); 737 EXPECT_EQ("0", std::string(buf)); 738 EXPECT_EQ(3, SafeSPrintf(buf, "%p", NULL)); 739 EXPECT_EQ("0x0", std::string(buf)); 740 EXPECT_EQ(6, SafeSPrintf(buf, "%s", NULL)); 741 EXPECT_EQ("<NULL>", std::string(buf)); 742#if defined(__GCC__) 743#pragma GCC diagnostic pop 744#endif 745} 746 747TEST(SafeSPrintfTest, PointerSize) { 748 // The internal data representation is a 64bit value, independent of the 749 // native word size. We want to perform sign-extension for signed integers, 750 // but we want to avoid doing so for pointer types. This could be a 751 // problem on systems, where pointers are only 32bit. This tests verifies 752 // that there is no such problem. 753 char *str = reinterpret_cast<char *>(0x80000000u); 754 void *ptr = str; 755 char buf[40]; 756 EXPECT_EQ(10, SafeSPrintf(buf, "%p", str)); 757 EXPECT_EQ("0x80000000", std::string(buf)); 758 EXPECT_EQ(10, SafeSPrintf(buf, "%p", ptr)); 759 EXPECT_EQ("0x80000000", std::string(buf)); 760} 761 762} // namespace strings 763} // namespace base 764