From 1193050109dee6be85c82bd29a1c817532dde912 Mon Sep 17 00:00:00 2001
From: Nick Wellnhofer
Date: Sun, 7 Jun 2015 13:16:13 +0200
Subject: Use custom type bufsize_t for string buffer sizes
This makes it easier to change the type later. No functional change. The rest of the code base still has to be adjusted to use the new type. Also add some TODO comments in buffer.c.
---
 src/buffer.h | 26 +++++++++++++++-----------
 1 file changed, 15 insertions(+), 11 deletions(-)
(limited to 'src/buffer.h')
diff --git a/src/buffer.h b/src/buffer.h
index 417df26..99e6feb 100644
--- a/src/buffer.h
+++ b/src/buffer.h
@@ -3,20 +3,24 @@
 #include
 #include
+#include
 #include "config.h"
 #ifdef __cplusplus
 extern "C" {
 #endif
+typedef int bufsize_t;
+
 typedef struct {
 unsigned char *ptr;
- int asize, size;
+ bufsize_t asize, size;
 } cmark_strbuf;
 extern unsigned char cmark_strbuf__initbuf[];
 #define GH_BUF_INIT { cmark_strbuf__initbuf, 0, 0 }
+#define BUFSIZE_MAX INT_MAX
 /**
 * Initialize a cmark_strbuf structure.
@@ -24,12 +28,12 @@ extern unsigned char cmark_strbuf__initbuf[];
 * For the cases where GH_BUF_INIT cannot be used to do static
 * initialization.
 */
-void cmark_strbuf_init(cmark_strbuf *buf, int initial_size);
+void cmark_strbuf_init(cmark_strbuf *buf, bufsize_t initial_size);
 /**
 * Grow the buffer to hold at least `target_size` bytes.
 */
-void cmark_strbuf_grow(cmark_strbuf *buf, int target_size);
+void cmark_strbuf_grow(cmark_strbuf *buf, bufsize_t target_size);
 void cmark_strbuf_free(cmark_strbuf *buf);
 void cmark_strbuf_swap(cmark_strbuf *buf_a, cmark_strbuf *buf_b);
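Review bot: `#define BUFSIZE_MAX INT_MAX` is tied to `typedef int bufsize_t;` only by convention, and the two sit on opposite sides of the struct and GH_BUF_INIT, so a later change of the typedef (the stated purpose of this commit) can leave the limit wrong without any compiler diagnostic. Every overflow check that compares against BUFSIZE_MAX would then accept values the asize and size fields cannot hold. Move the macro directly under the typedef and add `/* Largest value representable by bufsize_t; must change together with the typedef above. */`, and consider a compile-time check in buffer.c that BUFSIZE_MAX fits in bufsize_t once the type is settled. As the commit message says the rest of the code base still passes int and size_t values, the limit is only enforced where BUFSIZE_MAX is actually compared against until that adjustment lands.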
@@ -38,9 +42,9 @@ size_t cmark_strbuf_len(const cmark_strbuf *buf);
 int cmark_strbuf_cmp(const cmark_strbuf *a, const cmark_strbuf *b);
-void cmark_strbuf_attach(cmark_strbuf *buf, unsigned char *ptr, int asize);
+void cmark_strbuf_attach(cmark_strbuf *buf, unsigned char *ptr, bufsize_t asize);
 unsigned char *cmark_strbuf_detach(cmark_strbuf *buf);
-void cmark_strbuf_copy_cstr(char *data, int datasize, const cmark_strbuf *buf);
+void cmark_strbuf_copy_cstr(char *data, bufsize_t datasize, const cmark_strbuf *buf);
 static inline const char *cmark_strbuf_cstr(const cmark_strbuf *buf)
 {
@@ -49,20 +53,20 @@ static inline const char *cmark_strbuf_cstr(const cmark_strbuf *buf)
 #define cmark_strbuf_at(buf, n) ((buf)->ptr[n])
-void cmark_strbuf_set(cmark_strbuf *buf, const unsigned char *data, int len);
+void cmark_strbuf_set(cmark_strbuf *buf, const unsigned char *data, bufsize_t len);
 void cmark_strbuf_sets(cmark_strbuf *buf, const char *string);
 void cmark_strbuf_putc(cmark_strbuf *buf, int c);
-void cmark_strbuf_put(cmark_strbuf *buf, const unsigned char *data, int len);
+void cmark_strbuf_put(cmark_strbuf *buf, const unsigned char *data, bufsize_t len);
 void cmark_strbuf_puts(cmark_strbuf *buf, const char *string);
 void cmark_strbuf_printf(cmark_strbuf *buf, const char *format, ...) CMARK_ATTRIBUTE((format (printf, 2, 3)));
 void cmark_strbuf_vprintf(cmark_strbuf *buf, const char *format, va_list ap);
 void cmark_strbuf_clear(cmark_strbuf *buf);
-int cmark_strbuf_strchr(const cmark_strbuf *buf, int c, int pos);
-int cmark_strbuf_strrchr(const cmark_strbuf *buf, int c, int pos);
-void cmark_strbuf_drop(cmark_strbuf *buf, int n);
-void cmark_strbuf_truncate(cmark_strbuf *buf, int len);
+bufsize_t cmark_strbuf_strchr(const cmark_strbuf *buf, int c, bufsize_t pos);
+bufsize_t cmark_strbuf_strrchr(const cmark_strbuf *buf, int c, bufsize_t pos);
+void cmark_strbuf_drop(cmark_strbuf *buf, bufsize_t n);
+void cmark_strbuf_truncate(cmark_strbuf *buf, bufsize_t len);
 void cmark_strbuf_rtrim(cmark_strbuf *buf);
 void cmark_strbuf_trim(cmark_strbuf *buf);
 void cmark_strbuf_normalize_whitespace(cmark_strbuf *s);
--
cgit v1.2.3
From a87b62a8eb42ee5bf6307f6c140bb400c860bcdd Mon Sep 17 00:00:00 2001
From: Nick Wellnhofer
Date: Sun, 7 Jun 2015 14:01:09 +0200
Subject: Account for null terminator in cmark_strbuf_grow
This simplifies overflow checks.
---
 src/buffer.h | 3 +++
 1 file changed, 3 insertions(+)
(limited to 'src/buffer.h')
diff --git a/src/buffer.h b/src/buffer.h
index 99e6feb..526276d 100644
--- a/src/buffer.h
+++ b/src/buffer.h
@@ -72,6 +72,9 @@ void cmark_strbuf_trim(cmark_strbuf *buf);
 void cmark_strbuf_normalize_whitespace(cmark_strbuf *s);
 void cmark_strbuf_unescape(cmark_strbuf *s);
+/* Print error and abort. */
+void cmark_strbuf_overflow_err(void);
+
 #ifdef __cplusplus
 }
 #endif
--
cgit v1.2.3
From b0a0cabbee704740169c9e493d61fcf786251601 Mon Sep 17 00:00:00 2001
From: Nick Wellnhofer
Date: Sun, 7 Jun 2015 15:01:43 +0200
Subject: Remove unused function cmark_strbuf_attach
This function was missing a couple of range checks that I'm too lazy to fix.
---
 src/buffer.h | 1 -
 1 file changed, 1 deletion(-)
(limited to 'src/buffer.h')
diff --git a/src/buffer.h b/src/buffer.h
index 526276d..d125207 100644
--- a/src/buffer.h
+++ b/src/buffer.h
@@ -42,7 +42,6 @@ size_t cmark_strbuf_len(const cmark_strbuf *buf);
 int cmark_strbuf_cmp(const cmark_strbuf *a, const cmark_strbuf *b);
-void cmark_strbuf_attach(cmark_strbuf *buf, unsigned char *ptr, bufsize_t asize);
 unsigned char *cmark_strbuf_detach(cmark_strbuf *buf);
 void cmark_strbuf_copy_cstr(char *data, bufsize_t datasize, const cmark_strbuf *buf);
--
cgit v1.2.3
From d49d3fd7bab4a8734e5f22318e3fb538bfe20dbb Mon Sep 17 00:00:00 2001
From: Nick Wellnhofer
Date: Sun, 7 Jun 2015 16:48:01 +0200
Subject: Change return type of cmark_strbuf_len
---
 src/buffer.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'src/buffer.h')
diff --git a/src/buffer.h b/src/buffer.h
index d125207..9c850e4 100644
--- a/src/buffer.h
+++ b/src/buffer.h
@@ -38,7 +38,7 @@ void cmark_strbuf_grow(cmark_strbuf *buf, bufsize_t target_size);
 void cmark_strbuf_free(cmark_strbuf *buf);
 void cmark_strbuf_swap(cmark_strbuf *buf_a, cmark_strbuf *buf_b);
-size_t cmark_strbuf_len(const cmark_strbuf *buf);
+bufsize_t cmark_strbuf_len(const cmark_strbuf *buf);
 int cmark_strbuf_cmp(const cmark_strbuf *a, const cmark_strbuf *b);
--
cgit v1.2.3
From bef240d45b5eda3a584ca1a495f54cb17ff8895f Mon Sep 17 00:00:00 2001
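Review bot: `cmark_strbuf_overflow_err` is documented as "Print error and abort." but its declaration carries no noreturn attribute, so the compiler cannot verify that code following a call is unreachable and will not warn if the implementation in buffer.c ever returns. The same file already applies `CMARK_ATTRIBUTE((format (printf, 2, 3)))` to cmark_strbuf_printf; if that macro expands to `__attribute__` as that use suggests, the declaration can read `void cmark_strbuf_overflow_err(void) CMARK_ATTRIBUTE((noreturn));`. This matters for any inline size check that casts after calling it, because a returning implementation would let the narrowing cast proceed silently.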
From: Nick Wellnhofer
Date: Sun, 7 Jun 2015 16:54:37 +0200
Subject: Check for overflow in S_parser_feed
Guard against too large chunks passed via the API.
---
 src/buffer.h | 8 ++++++++
 1 file changed, 8 insertions(+)
(limited to 'src/buffer.h')
diff --git a/src/buffer.h b/src/buffer.h
index 9c850e4..f9696e0 100644
--- a/src/buffer.h
+++ b/src/buffer.h
@@ -74,6 +74,14 @@ void cmark_strbuf_unescape(cmark_strbuf *s);
 /* Print error and abort. */
 void cmark_strbuf_overflow_err(void);
+static inline bufsize_t
+cmark_strbuf_check_bufsize(size_t size) {
+ if (size > BUFSIZE_MAX) {
+ cmark_strbuf_overflow_err();
+ }
+ return (bufsize_t)size;
+}
+
 #ifdef __cplusplus
 }
 #endif
--
cgit v1.2.3
From 0641c5e4e9727ddde0d2be1aebe3fd7009d010f5 Mon Sep 17 00:00:00 2001
From: Nick Wellnhofer
Date: Sun, 7 Jun 2015 17:44:11 +0200
Subject: Helper to safely call strlen
---
 src/buffer.h | 6 ++++++
 1 file changed, 6 insertions(+)
(limited to 'src/buffer.h')
diff --git a/src/buffer.h b/src/buffer.h
index f9696e0..babd051 100644
--- a/src/buffer.h
+++ b/src/buffer.h
@@ -3,6 +3,7 @@
 #include
 #include
+#include
 #include
 #include "config.h"
@@ -82,6 +83,11 @@ cmark_strbuf_check_bufsize(size_t size) {
 return (bufsize_t)size;
 }
+static inline bufsize_t
+cmark_strbuf_safe_strlen(const char *str) {
+ return cmark_strbuf_check_bufsize(strlen(str));
+}
+
 #ifdef __cplusplus
 }
 #endif
--
cgit v1.2.3
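Review bot: `cmark_strbuf_check_bufsize` depends on cmark_strbuf_overflow_err() never returning: if it did, `return (bufsize_t)size;` on the following line would silently narrow an out-of-range size_t to int, which is exactly what the check exists to prevent. Nothing in the hunk states that contract, and the declaration two lines above carries no noreturn attribute, so a reader has to trust the "Print error and abort." comment. Add above the definition `/* Narrow a size_t to bufsize_t. Aborts via cmark_strbuf_overflow_err() when size exceeds BUFSIZE_MAX, so the cast below never truncates. */`. Note that a size equal to BUFSIZE_MAX passes the check; whether room for the NUL terminator is still reserved afterwards depends on cmark_strbuf_grow in buffer.c, which this diff does not show.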
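Review bot: `cmark_strbuf_safe_strlen` hands str straight to strlen(), so a NULL argument is undefined behaviour rather than a reported error, and the "safe" in the name covers only the length exceeding bufsize_t. That precondition should be written at the definition so callers do not read more into the name than it delivers: `/* strlen() result narrowed to bufsize_t; aborts via cmark_strbuf_overflow_err() when the length exceeds BUFSIZE_MAX. str must be non-NULL and NUL-terminated. */`. The helper otherwise composes cleanly with cmark_strbuf_check_bufsize, whose definition begins before this hunk.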