Add stpcpy/stpncpy.
Add tests for the above.
Add the fortify implementations of __stpcpy_chk and __stpncpy_chk.
Modify the strncpy test to cover more cases and use this template for
stpncpy.
Add all of the fortify test cases.
Bug: 13746695
Change-Id: I8c0f0d4991a878b8e8734fff12c8b73b07fdd344
diff --git a/tests/fortify_test.cpp b/tests/fortify_test.cpp
index 67e197e..d80b2f7 100644
--- a/tests/fortify_test.cpp
+++ b/tests/fortify_test.cpp
@@ -43,6 +43,31 @@
#ifndef __clang__
// This test is disabled in clang because clang doesn't properly detect
// this buffer overflow. TODO: Fix clang.
+TEST(DEATHTEST, stpncpy_fortified2) {
+ ::testing::FLAGS_gtest_death_test_style = "threadsafe";
+ foo myfoo;
+ int copy_amt = atoi("11");
+ ASSERT_EXIT(stpncpy(myfoo.a, "01234567890", copy_amt),
+ testing::KilledBySignal(SIGABRT), "");
+}
+#endif
+
+#ifndef __clang__
+// This test is disabled in clang because clang doesn't properly detect
+// this buffer overflow. TODO: Fix clang.
+TEST(DEATHTEST, stpncpy2_fortified2) {
+ ::testing::FLAGS_gtest_death_test_style = "threadsafe";
+ foo myfoo;
+ memset(&myfoo, 0, sizeof(myfoo));
+ myfoo.one[0] = 'A'; // not null terminated string
+ ASSERT_EXIT(stpncpy(myfoo.b, myfoo.one, sizeof(myfoo.b)),
+ testing::KilledBySignal(SIGABRT), "");
+}
+#endif
+
+#ifndef __clang__
+// This test is disabled in clang because clang doesn't properly detect
+// this buffer overflow. TODO: Fix clang.
TEST(DEATHTEST, strncpy_fortified2) {
::testing::FLAGS_gtest_death_test_style = "threadsafe";
foo myfoo;
@@ -144,6 +169,24 @@
// zero sized target with "\0" source (should fail)
// This test is disabled in clang because clang doesn't properly detect
// this buffer overflow. TODO: Fix clang.
+TEST(DEATHTEST, stpcpy_fortified2) {
+#if defined(__BIONIC__)
+ ::testing::FLAGS_gtest_death_test_style = "threadsafe";
+ foo myfoo;
+ char* src = strdup("");
+ ASSERT_EXIT(stpcpy(myfoo.empty, src),
+ testing::KilledBySignal(SIGABRT), "");
+ free(src);
+#else // __BIONIC__
+ GTEST_LOG_(INFO) << "This test does nothing.\n";
+#endif // __BIONIC__
+}
+#endif
+
+#ifndef __clang__
+// zero sized target with "\0" source (should fail)
+// This test is disabled in clang because clang doesn't properly detect
+// this buffer overflow. TODO: Fix clang.
TEST(DEATHTEST, strcpy_fortified2) {
#if defined(__BIONIC__)
::testing::FLAGS_gtest_death_test_style = "threadsafe";
@@ -559,6 +602,23 @@
ASSERT_EXIT(memcpy(bufb, bufa, n), testing::KilledBySignal(SIGABRT), "");
}
+TEST(DEATHTEST, stpncpy_fortified) {
+ ::testing::FLAGS_gtest_death_test_style = "threadsafe";
+ char bufa[15];
+ char bufb[10];
+ strcpy(bufa, "01234567890123");
+ size_t n = strlen(bufa);
+ ASSERT_EXIT(stpncpy(bufb, bufa, n), testing::KilledBySignal(SIGABRT), "");
+}
+
+TEST(DEATHTEST, stpncpy2_fortified) {
+ ::testing::FLAGS_gtest_death_test_style = "threadsafe";
+ char dest[11];
+ char src[10];
+ memcpy(src, "0123456789", sizeof(src)); // src is not null terminated
+ ASSERT_EXIT(stpncpy(dest, src, sizeof(dest)), testing::KilledBySignal(SIGABRT), "");
+}
+
TEST(DEATHTEST, strncpy_fortified) {
::testing::FLAGS_gtest_death_test_style = "threadsafe";
char bufa[15];
@@ -568,6 +628,7 @@
ASSERT_EXIT(strncpy(bufb, bufa, n), testing::KilledBySignal(SIGABRT), "");
}
+
TEST(DEATHTEST, strncpy2_fortified) {
::testing::FLAGS_gtest_death_test_style = "threadsafe";
char dest[11];
@@ -790,6 +851,45 @@
ASSERT_EQ('\0', buf[9]);
}
+TEST(TEST_NAME, stpncpy) {
+ char src[10];
+ char dst[10];
+ memcpy(src, "0123456789", sizeof(src)); // non null terminated string
+ stpncpy(dst, src, sizeof(dst));
+ ASSERT_EQ('0', dst[0]);
+ ASSERT_EQ('1', dst[1]);
+ ASSERT_EQ('2', dst[2]);
+ ASSERT_EQ('3', dst[3]);
+ ASSERT_EQ('4', dst[4]);
+ ASSERT_EQ('5', dst[5]);
+ ASSERT_EQ('6', dst[6]);
+ ASSERT_EQ('7', dst[7]);
+ ASSERT_EQ('8', dst[8]);
+ ASSERT_EQ('9', dst[9]);
+}
+
+TEST(TEST_NAME, stpncpy2) {
+ char src[10];
+ char dst[15];
+ memcpy(src, "012345678\0", sizeof(src));
+ stpncpy(dst, src, sizeof(dst));
+ ASSERT_EQ('0', dst[0]);
+ ASSERT_EQ('1', dst[1]);
+ ASSERT_EQ('2', dst[2]);
+ ASSERT_EQ('3', dst[3]);
+ ASSERT_EQ('4', dst[4]);
+ ASSERT_EQ('5', dst[5]);
+ ASSERT_EQ('6', dst[6]);
+ ASSERT_EQ('7', dst[7]);
+ ASSERT_EQ('8', dst[8]);
+ ASSERT_EQ('\0', dst[9]);
+ ASSERT_EQ('\0', dst[10]);
+ ASSERT_EQ('\0', dst[11]);
+ ASSERT_EQ('\0', dst[12]);
+ ASSERT_EQ('\0', dst[13]);
+ ASSERT_EQ('\0', dst[14]);
+}
+
TEST(TEST_NAME, strncpy) {
char src[10];
char dst[10];
@@ -848,22 +948,22 @@
ASSERT_EQ('\0', buf[9]);
}
+extern "C" char* __stpcpy_chk(char*, const char*, size_t);
+
+TEST(TEST_NAME, stpcpy_chk_max_int_size) {
+ char buf[10];
+ char* res = __stpcpy_chk(buf, "012345678", (size_t)-1);
+ ASSERT_EQ(buf + strlen("012345678"), res);
+ ASSERT_STREQ("012345678", buf);
+}
+
extern "C" char* __strcpy_chk(char*, const char*, size_t);
TEST(TEST_NAME, strcpy_chk_max_int_size) {
char buf[10];
char* res = __strcpy_chk(buf, "012345678", (size_t)-1);
ASSERT_EQ(buf, res);
- ASSERT_EQ('0', buf[0]);
- ASSERT_EQ('1', buf[1]);
- ASSERT_EQ('2', buf[2]);
- ASSERT_EQ('3', buf[3]);
- ASSERT_EQ('4', buf[4]);
- ASSERT_EQ('5', buf[5]);
- ASSERT_EQ('6', buf[6]);
- ASSERT_EQ('7', buf[7]);
- ASSERT_EQ('8', buf[8]);
- ASSERT_EQ('\0', buf[9]);
+ ASSERT_STREQ("012345678", buf);
}
extern "C" void* __memcpy_chk(void*, const void*, size_t, size_t);
diff --git a/tests/string_test.cpp b/tests/string_test.cpp
index c35976a..14b284e 100644
--- a/tests/string_test.cpp
+++ b/tests/string_test.cpp
@@ -222,7 +222,7 @@
TEST(string, strcpy2) {
char buf[1];
char* orig = strdup("");
- strcpy(buf, orig);
+ ASSERT_EQ(buf, strcpy(buf, orig));
ASSERT_EQ('\0', buf[0]);
free(orig);
}
@@ -232,13 +232,8 @@
char buf[10];
char* orig = strdup("12345");
memset(buf, 'A', sizeof(buf));
- strcpy(buf, orig);
- ASSERT_EQ('1', buf[0]);
- ASSERT_EQ('2', buf[1]);
- ASSERT_EQ('3', buf[2]);
- ASSERT_EQ('4', buf[3]);
- ASSERT_EQ('5', buf[4]);
- ASSERT_EQ('\0', buf[5]);
+ ASSERT_EQ(buf, strcpy(buf, orig));
+ ASSERT_STREQ("12345", buf);
ASSERT_EQ('A', buf[6]);
ASSERT_EQ('A', buf[7]);
ASSERT_EQ('A', buf[8]);
@@ -251,17 +246,41 @@
char buf[10];
char* orig = strdup("123456789");
memset(buf, 'A', sizeof(buf));
- strcpy(buf, orig);
- ASSERT_EQ('1', buf[0]);
- ASSERT_EQ('2', buf[1]);
- ASSERT_EQ('3', buf[2]);
- ASSERT_EQ('4', buf[3]);
- ASSERT_EQ('5', buf[4]);
- ASSERT_EQ('6', buf[5]);
- ASSERT_EQ('7', buf[6]);
- ASSERT_EQ('8', buf[7]);
- ASSERT_EQ('9', buf[8]);
- ASSERT_EQ('\0', buf[9]);
+ ASSERT_EQ(buf, strcpy(buf, orig));
+ ASSERT_STREQ("123456789", buf);
+ free(orig);
+}
+
+// one byte target with "\0" source
+TEST(string, stpcpy2) {
+ char buf[1];
+ char* orig = strdup("");
+ ASSERT_EQ(buf, stpcpy(buf, orig));
+ ASSERT_EQ('\0', buf[0]);
+ free(orig);
+}
+
+// multibyte target where we under fill target
+TEST(string, stpcpy3) {
+ char buf[10];
+ char* orig = strdup("12345");
+ memset(buf, 'A', sizeof(buf));
+ ASSERT_EQ(buf+strlen(orig), stpcpy(buf, orig));
+ ASSERT_STREQ("12345", buf);
+ ASSERT_EQ('A', buf[6]);
+ ASSERT_EQ('A', buf[7]);
+ ASSERT_EQ('A', buf[8]);
+ ASSERT_EQ('A', buf[9]);
+ free(orig);
+}
+
+// multibyte target where we fill target exactly
+TEST(string, stpcpy4) {
+ char buf[10];
+ char* orig = strdup("123456789");
+ memset(buf, 'A', sizeof(buf));
+ ASSERT_EQ(buf+strlen(orig), stpcpy(buf, orig));
+ ASSERT_STREQ("123456789", buf);
free(orig);
}
@@ -272,13 +291,7 @@
buf[1] = '\0';
char* res = strcat(buf, "01234");
ASSERT_EQ(buf, res);
- ASSERT_EQ('a', buf[0]);
- ASSERT_EQ('0', buf[1]);
- ASSERT_EQ('1', buf[2]);
- ASSERT_EQ('2', buf[3]);
- ASSERT_EQ('3', buf[4]);
- ASSERT_EQ('4', buf[5]);
- ASSERT_EQ('\0', buf[6]);
+ ASSERT_STREQ("a01234", buf);
ASSERT_EQ('A', buf[7]);
ASSERT_EQ('A', buf[8]);
ASSERT_EQ('A', buf[9]);
@@ -291,16 +304,7 @@
buf[1] = '\0';
char* res = strcat(buf, "01234567");
ASSERT_EQ(buf, res);
- ASSERT_EQ('a', buf[0]);
- ASSERT_EQ('0', buf[1]);
- ASSERT_EQ('1', buf[2]);
- ASSERT_EQ('2', buf[3]);
- ASSERT_EQ('3', buf[4]);
- ASSERT_EQ('4', buf[5]);
- ASSERT_EQ('5', buf[6]);
- ASSERT_EQ('6', buf[7]);
- ASSERT_EQ('7', buf[8]);
- ASSERT_EQ('\0', buf[9]);
+ ASSERT_STREQ("a01234567", buf);
}
TEST(string, strncat2) {
@@ -310,13 +314,7 @@
buf[1] = '\0';
char* res = strncat(buf, "01234", sizeof(buf) - strlen(buf) - 1);
ASSERT_EQ(buf, res);
- ASSERT_EQ('a', buf[0]);
- ASSERT_EQ('0', buf[1]);
- ASSERT_EQ('1', buf[2]);
- ASSERT_EQ('2', buf[3]);
- ASSERT_EQ('3', buf[4]);
- ASSERT_EQ('4', buf[5]);
- ASSERT_EQ('\0', buf[6]);
+ ASSERT_STREQ("a01234", buf);
ASSERT_EQ('A', buf[7]);
ASSERT_EQ('A', buf[8]);
ASSERT_EQ('A', buf[9]);
@@ -329,13 +327,7 @@
buf[1] = '\0';
char* res = strncat(buf, "0123456789", 5);
ASSERT_EQ(buf, res);
- ASSERT_EQ('a', buf[0]);
- ASSERT_EQ('0', buf[1]);
- ASSERT_EQ('1', buf[2]);
- ASSERT_EQ('2', buf[3]);
- ASSERT_EQ('3', buf[4]);
- ASSERT_EQ('4', buf[5]);
- ASSERT_EQ('\0', buf[6]);
+ ASSERT_STREQ("a01234", buf);
ASSERT_EQ('A', buf[7]);
ASSERT_EQ('A', buf[8]);
ASSERT_EQ('A', buf[9]);
@@ -348,16 +340,7 @@
buf[1] = '\0';
char* res = strncat(buf, "01234567", 8);
ASSERT_EQ(buf, res);
- ASSERT_EQ('a', buf[0]);
- ASSERT_EQ('0', buf[1]);
- ASSERT_EQ('1', buf[2]);
- ASSERT_EQ('2', buf[3]);
- ASSERT_EQ('3', buf[4]);
- ASSERT_EQ('4', buf[5]);
- ASSERT_EQ('5', buf[6]);
- ASSERT_EQ('6', buf[7]);
- ASSERT_EQ('7', buf[8]);
- ASSERT_EQ('\0', buf[9]);
+ ASSERT_STREQ("a01234567", buf);
}
TEST(string, strncat5) {
@@ -367,16 +350,7 @@
buf[1] = '\0';
char* res = strncat(buf, "01234567", 9);
ASSERT_EQ(buf, res);
- ASSERT_EQ('a', buf[0]);
- ASSERT_EQ('0', buf[1]);
- ASSERT_EQ('1', buf[2]);
- ASSERT_EQ('2', buf[3]);
- ASSERT_EQ('3', buf[4]);
- ASSERT_EQ('4', buf[5]);
- ASSERT_EQ('5', buf[6]);
- ASSERT_EQ('6', buf[7]);
- ASSERT_EQ('7', buf[8]);
- ASSERT_EQ('\0', buf[9]);
+ ASSERT_STREQ("a01234567", buf);
}
TEST(string, strchr_with_0) {
@@ -456,6 +430,32 @@
}
}
+TEST(string, stpcpy) {
+ StringTestState<char> state(SMALL);
+ for (size_t j = 0; j < POS_ITER; j++) {
+ state.NewIteration();
+
+ size_t pos = random() % state.MAX_LEN;
+
+ memset(state.ptr1, '\2', pos);
+ state.ptr1[pos] = '\0';
+ state.ptr1[state.MAX_LEN - 1] = '\0';
+
+ memcpy(state.ptr, state.ptr1, state.MAX_LEN);
+
+ memset(state.ptr2, '\1', state.MAX_LEN);
+ state.ptr2[state.MAX_LEN - 1] = '\0';
+
+ memset(state.ptr + state.MAX_LEN, '\1', state.MAX_LEN);
+ memcpy(state.ptr + state.MAX_LEN, state.ptr1, pos + 1);
+ state.ptr[2 * state.MAX_LEN - 1] = '\0';
+
+ ASSERT_TRUE(stpcpy(state.ptr2, state.ptr1) == state.ptr2 + strlen(state.ptr1));
+ ASSERT_FALSE((memcmp(state.ptr1, state.ptr, state.MAX_LEN)) != 0 ||
+ (memcmp(state.ptr2, state.ptr + state.MAX_LEN, state.MAX_LEN) != 0));
+ }
+}
+
TEST(string, strcpy) {
StringTestState<char> state(SMALL);
for (size_t j = 0; j < POS_ITER; j++) {
@@ -482,7 +482,6 @@
}
}
-
TEST(string, strlcat) {
#if defined(__BIONIC__)
StringTestState<char> state(SMALL);
@@ -614,30 +613,81 @@
}
}
+TEST(string, stpncpy) {
+ StringTestState<char> state(SMALL);
+ for (size_t j = 0; j < ITER; j++) {
+ state.NewIteration();
+
+ // Choose a random value to fill the string, except \0 (string terminator),
+ // or \1 (guarantees it's different from anything in ptr2).
+ memset(state.ptr1, (random() % 254) + 2, state.MAX_LEN);
+ // Choose a random size for our src buffer.
+ size_t ptr1_len = random() % state.MAX_LEN;
+ state.ptr1[ptr1_len] = '\0';
+ // Copy ptr1 into ptr, used to verify that ptr1 does not get modified.
+ memcpy(state.ptr, state.ptr1, state.MAX_LEN);
+ // Init ptr2 to a set value.
+ memset(state.ptr2, '\1', state.MAX_LEN);
+
+ // Choose a random amount of data to copy.
+ size_t copy_len = random() % state.MAX_LEN;
+
+ // Set the second half of ptr to the expected pattern in ptr2.
+ memset(state.ptr + state.MAX_LEN, '\1', state.MAX_LEN);
+ memcpy(state.ptr + state.MAX_LEN, state.ptr1, copy_len);
+ size_t expected_end;
+ if (copy_len > ptr1_len) {
+ memset(state.ptr + state.MAX_LEN + ptr1_len, '\0', copy_len - ptr1_len);
+ expected_end = ptr1_len;
+ } else {
+ expected_end = copy_len;
+ }
+
+ ASSERT_EQ(state.ptr2 + expected_end, stpncpy(state.ptr2, state.ptr1, copy_len));
+
+ // Verify ptr1 was not modified.
+ ASSERT_EQ(0, memcmp(state.ptr1, state.ptr, state.MAX_LEN));
+ // Verify ptr2 contains the expected data.
+ ASSERT_EQ(0, memcmp(state.ptr2, state.ptr + state.MAX_LEN, state.MAX_LEN));
+ }
+}
+
TEST(string, strncpy) {
StringTestState<char> state(SMALL);
for (size_t j = 0; j < ITER; j++) {
state.NewIteration();
- memset(state.ptr1, random() & 255, state.MAX_LEN);
- state.ptr1[random () % state.MAX_LEN] = '\0';
+ // Choose a random value to fill the string, except \0 (string terminator),
+ // or \1 (guarantees it's different from anything in ptr2).
+ memset(state.ptr1, (random() % 254) + 2, state.MAX_LEN);
+ // Choose a random size for our src buffer.
+ size_t ptr1_len = random() % state.MAX_LEN;
+ state.ptr1[ptr1_len] = '\0';
+ // Copy ptr1 into ptr, used to verify that ptr1 does not get modified.
memcpy(state.ptr, state.ptr1, state.MAX_LEN);
-
+ // Init ptr2 to a set value.
memset(state.ptr2, '\1', state.MAX_LEN);
- size_t pos;
- if (memchr(state.ptr1, 0, state.MAX_LEN)) {
- pos = strlen(state.ptr1);
+ // Choose a random amount of data to copy.
+ size_t copy_len = random() % state.MAX_LEN;
+
+ // Set the second half of ptr to the expected pattern in ptr2.
+ memset(state.ptr + state.MAX_LEN, '\1', state.MAX_LEN);
+ memcpy(state.ptr + state.MAX_LEN, state.ptr1, copy_len);
+ size_t expected_end;
+ if (copy_len > ptr1_len) {
+ memset(state.ptr + state.MAX_LEN + ptr1_len, '\0', copy_len - ptr1_len);
+ expected_end = ptr1_len;
} else {
- pos = state.MAX_LEN - 1;
+ expected_end = copy_len;
}
- memset(state.ptr + state.MAX_LEN, '\0', state.MAX_LEN);
- memcpy(state.ptr + state.MAX_LEN, state.ptr1, pos + 1);
+ ASSERT_EQ(state.ptr2 + expected_end, stpncpy(state.ptr2, state.ptr1, copy_len));
- ASSERT_TRUE(strncpy(state.ptr2, state.ptr1, state.MAX_LEN) == state.ptr2);
- ASSERT_FALSE(memcmp(state.ptr1, state.ptr, state.MAX_LEN) != 0 ||
- memcmp(state.ptr2, state.ptr + state.MAX_LEN, state.MAX_LEN) != 0);
+ // Verify ptr1 was not modified.
+ ASSERT_EQ(0, memcmp(state.ptr1, state.ptr, state.MAX_LEN));
+ // Verify ptr2 contains the expected data.
+ ASSERT_EQ(0, memcmp(state.ptr2, state.ptr + state.MAX_LEN, state.MAX_LEN));
}
}
@@ -966,6 +1016,25 @@
RunSrcDstBufferOverreadTest(DoStrcpyTest);
}
+static void DoStpcpyTest(uint8_t* src, uint8_t* dst, size_t len) {
+ if (len >= 1) {
+ memset(src, (32 + (len % 96)), len - 1);
+ src[len-1] = '\0';
+ memset(dst, 0, len);
+ ASSERT_EQ(dst+len-1, reinterpret_cast<uint8_t*>(stpcpy(reinterpret_cast<char*>(dst),
+ reinterpret_cast<char*>(src))));
+ ASSERT_TRUE(memcmp(src, dst, len) == 0);
+ }
+}
+
+TEST(string, stpcpy_align) {
+ RunSrcDstBufferAlignTest(LARGE, DoStpcpyTest);
+}
+
+TEST(string, stpcpy_overread) {
+ RunSrcDstBufferOverreadTest(DoStpcpyTest);
+}
+
// Use our own incrementer to cut down on the total number of calls.
static size_t LargeSetIncrement(size_t len) {
if (len >= 4096) {