Gitiles
Code Review Sign In
gerrit.omnirom.org / android_bionic / aa8f766bf0ead7d87ed1084880f42aa4b2d01fbb / . / libc / include / bits / fortify / stdio.h
blob: 4acefd73d61bf8bbe0efa22db07aac97a555fe7a [file] [log] [blame]
George Burgess IVb97049c2017-07-24 15:05:05 -0700[diff] [blame]1/*
2 * Copyright (C) 2017 The Android Open Source Project
3 * All rights reserved.
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
7 * are met:
8 * * Redistributions of source code must retain the above copyright
9 * notice, this list of conditions and the following disclaimer.
10 * * Redistributions in binary form must reproduce the above copyright
11 * notice, this list of conditions and the following disclaimer in
12 * the documentation and/or other materials provided with the
13 * distribution.
14 *
15 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
16 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
17 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
18 * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
19 * COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
20 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
21 * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS
22 * OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED
23 * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
24 * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
25 * OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
26 * SUCH DAMAGE.
27 */
28
29#ifndef _STDIO_H_
30#error "Never include this file directly; instead, include <stdio.h>"
31#endif
32
33char* __fgets_chk(char*, int, FILE*, size_t) __INTRODUCED_IN(17);
Elliott Hughesec6850d2017-08-01 08:28:46 -0700[diff] [blame]34size_t __fread_chk(void*, size_t, size_t, FILE*, size_t) __INTRODUCED_IN(24);
35size_t __fwrite_chk(const void*, size_t, size_t, FILE*, size_t) __INTRODUCED_IN(24);
George Burgess IVb97049c2017-07-24 15:05:05 -0700[diff] [blame]36
37#if defined(__BIONIC_FORTIFY) && !defined(__BIONIC_NO_STDIO_FORTIFY)
38
39#if __ANDROID_API__ >= __ANDROID_API_J_MR1__
40__BIONIC_FORTIFY_INLINE __printflike(3, 0)
41int vsnprintf(char *const __pass_object_size dest, size_t size,
Elliott Hughes3f66e742017-08-01 13:24:40 -0700[diff] [blame]42 const char * format, va_list ap) __overloadable {
George Burgess IVb97049c2017-07-24 15:05:05 -0700[diff] [blame]43 return __builtin___vsnprintf_chk(dest, size, 0, __bos(dest), format, ap);
44}
45
46__BIONIC_FORTIFY_INLINE __printflike(2, 0)
Elliott Hughes3f66e742017-08-01 13:24:40 -0700[diff] [blame]47int vsprintf(char *const __pass_object_size dest, const char* format, va_list ap) __overloadable {
George Burgess IVb97049c2017-07-24 15:05:05 -0700[diff] [blame]48 return __builtin___vsprintf_chk(dest, 0, __bos(dest), format, ap);
49}
50#endif /* __ANDROID_API__ >= __ANDROID_API_J_MR1__ */
51
52#if defined(__clang__)
53#if __ANDROID_API__ >= __ANDROID_API_J_MR1__
54/*
55 * Simple case: `format` can't have format specifiers, so we can just compare
56 * its length to the length of `dest`
57 */
58__BIONIC_ERROR_FUNCTION_VISIBILITY
Elliott Hughesec6850d2017-08-01 08:28:46 -0700[diff] [blame]59int snprintf(char* dest, size_t size, const char* format)
George Burgess IVb97049c2017-07-24 15:05:05 -0700[diff] [blame]60 __overloadable
61 __enable_if(__bos(dest) != __BIONIC_FORTIFY_UNKNOWN_SIZE &&
62 __bos(dest) < __builtin_strlen(format),
63 "format string will always overflow destination buffer")
64 __errorattr("format string will always overflow destination buffer");
65
66__BIONIC_FORTIFY_INLINE
67__printflike(3, 4)
Elliott Hughesec6850d2017-08-01 08:28:46 -0700[diff] [blame]68int snprintf(char* const __pass_object_size dest,
69 size_t size, const char* format, ...) __overloadable {
George Burgess IVb97049c2017-07-24 15:05:05 -0700[diff] [blame]70 va_list va;
71 va_start(va, format);
72 int result = __builtin___vsnprintf_chk(dest, size, 0, __bos(dest), format, va);
73 va_end(va);
74 return result;
75}
76
77__BIONIC_ERROR_FUNCTION_VISIBILITY
Elliott Hughesec6850d2017-08-01 08:28:46 -0700[diff] [blame]78int sprintf(char* dest, const char* format) __overloadable
George Burgess IVb97049c2017-07-24 15:05:05 -0700[diff] [blame]79 __enable_if(__bos(dest) != __BIONIC_FORTIFY_UNKNOWN_SIZE &&
80 __bos(dest) < __builtin_strlen(format),
81 "format string will always overflow destination buffer")
82 __errorattr("format string will always overflow destination buffer");
83
84__BIONIC_FORTIFY_INLINE
85__printflike(2, 3)
Elliott Hughesec6850d2017-08-01 08:28:46 -0700[diff] [blame]86int sprintf(char* const __pass_object_size dest, const char* format, ...) __overloadable {
George Burgess IVb97049c2017-07-24 15:05:05 -0700[diff] [blame]87 va_list va;
88 va_start(va, format);
89 int result = __builtin___vsprintf_chk(dest, 0, __bos(dest), format, va);
90 va_end(va);
91 return result;
92}
93#endif /* __ANDROID_API__ >= __ANDROID_API_J_MR1__ */
94
95#if __ANDROID_API__ >= __ANDROID_API_N__
96__BIONIC_FORTIFY_INLINE
Elliott Hughesec6850d2017-08-01 08:28:46 -0700[diff] [blame]97size_t fread(void* buf, size_t size, size_t count,
98 FILE* stream) __overloadable
George Burgess IVb97049c2017-07-24 15:05:05 -0700[diff] [blame]99 __enable_if(__unsafe_check_mul_overflow(size, count), "size * count overflows")
100 __errorattr("size * count overflows");
101
102__BIONIC_FORTIFY_INLINE
Elliott Hughesec6850d2017-08-01 08:28:46 -0700[diff] [blame]103size_t fread(void* buf, size_t size, size_t count, FILE* stream) __overloadable
George Burgess IVb97049c2017-07-24 15:05:05 -0700[diff] [blame]104 __enable_if(!__unsafe_check_mul_overflow(size, count), "no overflow")
105 __enable_if(__bos(buf) != __BIONIC_FORTIFY_UNKNOWN_SIZE &&
106 size * count > __bos(buf), "size * count is too large")
107 __errorattr("size * count is too large");
108
109__BIONIC_FORTIFY_INLINE
Elliott Hughesec6850d2017-08-01 08:28:46 -0700[diff] [blame]110size_t fread(void* const __pass_object_size0 buf, size_t size,
111 size_t count, FILE* stream) __overloadable {
George Burgess IVb97049c2017-07-24 15:05:05 -0700[diff] [blame]112 size_t bos = __bos0(buf);
113
114 if (bos == __BIONIC_FORTIFY_UNKNOWN_SIZE) {
115 return __call_bypassing_fortify(fread)(buf, size, count, stream);
116 }
117
118 return __fread_chk(buf, size, count, stream, bos);
119}
120
Elliott Hughesec6850d2017-08-01 08:28:46 -0700[diff] [blame]121size_t fwrite(const void* buf, size_t size, size_t count, FILE* stream) __overloadable
George Burgess IVb97049c2017-07-24 15:05:05 -0700[diff] [blame]122 __enable_if(__unsafe_check_mul_overflow(size, count),
123 "size * count overflows")
124 __errorattr("size * count overflows");
125
Elliott Hughesec6850d2017-08-01 08:28:46 -0700[diff] [blame]126size_t fwrite(const void* buf, size_t size, size_t count, FILE* stream) __overloadable
George Burgess IVb97049c2017-07-24 15:05:05 -0700[diff] [blame]127 __enable_if(!__unsafe_check_mul_overflow(size, count), "no overflow")
128 __enable_if(__bos(buf) != __BIONIC_FORTIFY_UNKNOWN_SIZE &&
129 size * count > __bos(buf), "size * count is too large")
130 __errorattr("size * count is too large");
131
132__BIONIC_FORTIFY_INLINE
Elliott Hughesec6850d2017-08-01 08:28:46 -0700[diff] [blame]133size_t fwrite(const void* const __pass_object_size0 buf, size_t size, size_t count, FILE* stream)
George Burgess IVb97049c2017-07-24 15:05:05 -0700[diff] [blame]134 __overloadable {
135 size_t bos = __bos0(buf);
136
137 if (bos == __BIONIC_FORTIFY_UNKNOWN_SIZE) {
138 return __call_bypassing_fortify(fwrite)(buf, size, count, stream);
139 }
140
141 return __fwrite_chk(buf, size, count, stream, bos);
142}
143#endif /* __ANDROID_API__ >= __ANDROID_API_N__ */
144
145#if __ANDROID_API__ >= __ANDROID_API_J_MR1__
146__BIONIC_ERROR_FUNCTION_VISIBILITY
Elliott Hughesec6850d2017-08-01 08:28:46 -0700[diff] [blame]147char *fgets(char* dest, int size, FILE* stream) __overloadable
George Burgess IVb97049c2017-07-24 15:05:05 -0700[diff] [blame]148 __enable_if(size < 0, "size is negative")
149 __errorattr("size is negative");
150
151__BIONIC_ERROR_FUNCTION_VISIBILITY
152char *fgets(char* dest, int size, FILE* stream) __overloadable
153 __enable_if(size >= 0 && size > __bos(dest),
154 "size is larger than the destination buffer")
155 __errorattr("size is larger than the destination buffer");
156
157__BIONIC_FORTIFY_INLINE
Elliott Hughesec6850d2017-08-01 08:28:46 -0700[diff] [blame]158char *fgets(char* const __pass_object_size dest, int size, FILE* stream) __overloadable {
George Burgess IVb97049c2017-07-24 15:05:05 -0700[diff] [blame]159 size_t bos = __bos(dest);
160
161 if (bos == __BIONIC_FORTIFY_UNKNOWN_SIZE) {
162 return __call_bypassing_fortify(fgets)(dest, size, stream);
163 }
164
165 return __fgets_chk(dest, size, stream, bos);
166}
167#endif /* __ANDROID_API__ >= __ANDROID_API_J_MR1__ */
168
169#else /* defined(__clang__) */
170
Elliott Hughesec6850d2017-08-01 08:28:46 -0700[diff] [blame]171size_t __fread_real(void*, size_t, size_t, FILE*) __RENAME(fread);
George Burgess IVb97049c2017-07-24 15:05:05 -0700[diff] [blame]172__errordecl(__fread_too_big_error, "fread called with size * count bigger than buffer");
173__errordecl(__fread_overflow, "fread called with overflowing size * count");
174
175char* __fgets_real(char*, int, FILE*) __RENAME(fgets);
176__errordecl(__fgets_too_big_error, "fgets called with size bigger than buffer");
177__errordecl(__fgets_too_small_error, "fgets called with size less than zero");
178
Elliott Hughesec6850d2017-08-01 08:28:46 -0700[diff] [blame]179size_t __fwrite_real(const void*, size_t, size_t, FILE*) __RENAME(fwrite);
George Burgess IVb97049c2017-07-24 15:05:05 -0700[diff] [blame]180__errordecl(__fwrite_too_big_error, "fwrite called with size * count bigger than buffer");
181__errordecl(__fwrite_overflow, "fwrite called with overflowing size * count");
182
183
184#if __ANDROID_API__ >= __ANDROID_API_J_MR1__
185__BIONIC_FORTIFY_INLINE __printflike(3, 4)
Elliott Hughes3f66e742017-08-01 13:24:40 -0700[diff] [blame]186int snprintf(char* dest, size_t size, const char* format, ...) {
187 return __builtin___snprintf_chk(dest, size, 0, __bos(dest), format, __builtin_va_arg_pack());
George Burgess IVb97049c2017-07-24 15:05:05 -0700[diff] [blame]188}
189
190__BIONIC_FORTIFY_INLINE __printflike(2, 3)
Elliott Hughes3f66e742017-08-01 13:24:40 -0700[diff] [blame]191int sprintf(char* dest, const char* format, ...) {
192 return __builtin___sprintf_chk(dest, 0, __bos(dest), format, __builtin_va_arg_pack());
George Burgess IVb97049c2017-07-24 15:05:05 -0700[diff] [blame]193}
194#endif /* __ANDROID_API__ >= __ANDROID_API_J_MR1__ */
195
196#if __ANDROID_API__ >= __ANDROID_API_N__
197__BIONIC_FORTIFY_INLINE
Elliott Hughesec6850d2017-08-01 08:28:46 -0700[diff] [blame]198size_t fread(void* buf, size_t size, size_t count, FILE* stream) {
George Burgess IVb97049c2017-07-24 15:05:05 -0700[diff] [blame]199 size_t bos = __bos0(buf);
200
201 if (bos == __BIONIC_FORTIFY_UNKNOWN_SIZE) {
202 return __fread_real(buf, size, count, stream);
203 }
204
205 if (__builtin_constant_p(size) && __builtin_constant_p(count)) {
206 size_t total;
207 if (__size_mul_overflow(size, count, &total)) {
208 __fread_overflow();
209 }
210
211 if (total > bos) {
212 __fread_too_big_error();
213 }
214
215 return __fread_real(buf, size, count, stream);
216 }
217
218 return __fread_chk(buf, size, count, stream, bos);
219}
220
221__BIONIC_FORTIFY_INLINE
Elliott Hughesec6850d2017-08-01 08:28:46 -0700[diff] [blame]222size_t fwrite(const void* buf, size_t size, size_t count, FILE* stream) {
George Burgess IVb97049c2017-07-24 15:05:05 -0700[diff] [blame]223 size_t bos = __bos0(buf);
224
225 if (bos == __BIONIC_FORTIFY_UNKNOWN_SIZE) {
226 return __fwrite_real(buf, size, count, stream);
227 }
228
229 if (__builtin_constant_p(size) && __builtin_constant_p(count)) {
230 size_t total;
231 if (__size_mul_overflow(size, count, &total)) {
232 __fwrite_overflow();
233 }
234
235 if (total > bos) {
236 __fwrite_too_big_error();
237 }
238
239 return __fwrite_real(buf, size, count, stream);
240 }
241
242 return __fwrite_chk(buf, size, count, stream, bos);
243}
244#endif /* __ANDROID_API__ >= __ANDROID_API_N__ */
245
246#if __ANDROID_API__ >= __ANDROID_API_J_MR1__
247__BIONIC_FORTIFY_INLINE
248char *fgets(char* dest, int size, FILE* stream) {
249 size_t bos = __bos(dest);
250
251 // Compiler can prove, at compile time, that the passed in size
252 // is always negative. Force a compiler error.
253 if (__builtin_constant_p(size) && (size < 0)) {
254 __fgets_too_small_error();
255 }
256
257 // Compiler doesn't know destination size. Don't call __fgets_chk
258 if (bos == __BIONIC_FORTIFY_UNKNOWN_SIZE) {
259 return __fgets_real(dest, size, stream);
260 }
261
262 // Compiler can prove, at compile time, that the passed in size
263 // is always <= the actual object size. Don't call __fgets_chk
264 if (__builtin_constant_p(size) && (size <= (int) bos)) {
265 return __fgets_real(dest, size, stream);
266 }
267
268 // Compiler can prove, at compile time, that the passed in size
269 // is always > the actual object size. Force a compiler error.
270 if (__builtin_constant_p(size) && (size > (int) bos)) {
271 __fgets_too_big_error();
272 }
273
274 return __fgets_chk(dest, size, stream, bos);
275}
276#endif /* __ANDROID_API__ >= __ANDROID_API_J_MR1__ */
277
278#endif /* defined(__clang__) */
279#endif /* defined(__BIONIC_FORTIFY) */