Gitiles
Code Review Sign In
gerrit.omnirom.org / android_bionic / a1a09b211ec2f931d119937ca574d4befe2e303f / . / libc / include / bits / fortify / stdio.h
blob: 6e47dafee8173f70ff520ca5defd617774da2634 [file] [log] [blame]
George Burgess IVb97049c2017-07-24 15:05:05 -0700[diff] [blame]1/*
2 * Copyright (C) 2017 The Android Open Source Project
3 * All rights reserved.
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
7 * are met:
8 * * Redistributions of source code must retain the above copyright
9 * notice, this list of conditions and the following disclaimer.
10 * * Redistributions in binary form must reproduce the above copyright
11 * notice, this list of conditions and the following disclaimer in
12 * the documentation and/or other materials provided with the
13 * distribution.
14 *
15 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
16 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
17 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
18 * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
19 * COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
20 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
21 * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS
22 * OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED
23 * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
24 * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
25 * OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
26 * SUCH DAMAGE.
27 */
28
29#ifndef _STDIO_H_
30#error "Never include this file directly; instead, include <stdio.h>"
31#endif
32
33char* __fgets_chk(char*, int, FILE*, size_t) __INTRODUCED_IN(17);
Elliott Hughesec6850d2017-08-01 08:28:46 -0700[diff] [blame]34size_t __fread_chk(void*, size_t, size_t, FILE*, size_t) __INTRODUCED_IN(24);
35size_t __fwrite_chk(const void*, size_t, size_t, FILE*, size_t) __INTRODUCED_IN(24);
George Burgess IVb97049c2017-07-24 15:05:05 -0700[diff] [blame]36
37#if defined(__BIONIC_FORTIFY) && !defined(__BIONIC_NO_STDIO_FORTIFY)
38
39#if __ANDROID_API__ >= __ANDROID_API_J_MR1__
40__BIONIC_FORTIFY_INLINE __printflike(3, 0)
George Burgess IV23dbf822017-07-31 21:23:34 -0700[diff] [blame]41int vsnprintf(char* const __pass_object_size dest, size_t size, const char* format, va_list ap)
42 __overloadable {
George Burgess IVb97049c2017-07-24 15:05:05 -0700[diff] [blame]43 return __builtin___vsnprintf_chk(dest, size, 0, __bos(dest), format, ap);
44}
45
46__BIONIC_FORTIFY_INLINE __printflike(2, 0)
George Burgess IV23dbf822017-07-31 21:23:34 -0700[diff] [blame]47int vsprintf(char* const __pass_object_size dest, const char* format, va_list ap) __overloadable {
George Burgess IVb97049c2017-07-24 15:05:05 -0700[diff] [blame]48 return __builtin___vsprintf_chk(dest, 0, __bos(dest), format, ap);
49}
50#endif /* __ANDROID_API__ >= __ANDROID_API_J_MR1__ */
51
George Burgess IVb97049c2017-07-24 15:05:05 -0700[diff] [blame]52#if __ANDROID_API__ >= __ANDROID_API_J_MR1__
53/*
54 * Simple case: `format` can't have format specifiers, so we can just compare
55 * its length to the length of `dest`
56 */
57__BIONIC_ERROR_FUNCTION_VISIBILITY
Elliott Hughesec6850d2017-08-01 08:28:46 -0700[diff] [blame]58int snprintf(char* dest, size_t size, const char* format)
George Burgess IVb97049c2017-07-24 15:05:05 -0700[diff] [blame]59 __overloadable
George Burgess IV5273dc52019-05-09 13:46:57 -0700[diff] [blame]60 __enable_if(__bos_unevaluated_lt(__bos(dest), __builtin_strlen(format)),
George Burgess IVb97049c2017-07-24 15:05:05 -0700[diff] [blame]61 "format string will always overflow destination buffer")
62 __errorattr("format string will always overflow destination buffer");
63
Chih-Hung Hsiehf81abef2018-01-25 15:30:27 -0800[diff] [blame]64__BIONIC_FORTIFY_VARIADIC __printflike(3, 4)
George Burgess IV23dbf822017-07-31 21:23:34 -0700[diff] [blame]65int snprintf(char* const __pass_object_size dest, size_t size, const char* format, ...)
66 __overloadable {
George Burgess IVb97049c2017-07-24 15:05:05 -0700[diff] [blame]67 va_list va;
68 va_start(va, format);
69 int result = __builtin___vsnprintf_chk(dest, size, 0, __bos(dest), format, va);
70 va_end(va);
71 return result;
72}
73
74__BIONIC_ERROR_FUNCTION_VISIBILITY
George Burgess IV23dbf822017-07-31 21:23:34 -0700[diff] [blame]75int sprintf(char* dest, const char* format)
76 __overloadable
George Burgess IV5273dc52019-05-09 13:46:57 -0700[diff] [blame]77 __enable_if(__bos_unevaluated_lt(__bos(dest), __builtin_strlen(format)),
George Burgess IVb97049c2017-07-24 15:05:05 -0700[diff] [blame]78 "format string will always overflow destination buffer")
79 __errorattr("format string will always overflow destination buffer");
80
Chih-Hung Hsiehf81abef2018-01-25 15:30:27 -0800[diff] [blame]81__BIONIC_FORTIFY_VARIADIC __printflike(2, 3)
Elliott Hughesec6850d2017-08-01 08:28:46 -0700[diff] [blame]82int sprintf(char* const __pass_object_size dest, const char* format, ...) __overloadable {
George Burgess IVb97049c2017-07-24 15:05:05 -0700[diff] [blame]83 va_list va;
84 va_start(va, format);
85 int result = __builtin___vsprintf_chk(dest, 0, __bos(dest), format, va);
86 va_end(va);
87 return result;
88}
89#endif /* __ANDROID_API__ >= __ANDROID_API_J_MR1__ */
90
91#if __ANDROID_API__ >= __ANDROID_API_N__
George Burgess IVa1a09b22019-05-13 17:16:20 -0700[diff] [blame^]92#define __bos_trivially_not_lt_mul(bos_val, size, count) \
93 __bos_dynamic_check_impl_and(bos_val, >=, (size) * (count), \
94 !__unsafe_check_mul_overflow(size, count))
95
George Burgess IVb97049c2017-07-24 15:05:05 -0700[diff] [blame]96__BIONIC_FORTIFY_INLINE
George Burgess IV23dbf822017-07-31 21:23:34 -0700[diff] [blame]97size_t fread(void* const __pass_object_size0 buf, size_t size, size_t count, FILE* stream)
98 __overloadable
99 __clang_error_if(__unsafe_check_mul_overflow(size, count),
100 "in call to 'fread', size * count overflows")
George Burgess IV5273dc52019-05-09 13:46:57 -0700[diff] [blame]101 __clang_error_if(__bos_unevaluated_lt(__bos0(buf), size * count),
George Burgess IV23dbf822017-07-31 21:23:34 -0700[diff] [blame]102 "in call to 'fread', size * count is too large for the given buffer") {
George Burgess IVb97049c2017-07-24 15:05:05 -0700[diff] [blame]103 size_t bos = __bos0(buf);
104
George Burgess IVa1a09b22019-05-13 17:16:20 -0700[diff] [blame^]105 if (__bos_trivially_not_lt_mul(bos, size, count)) {
George Burgess IVb97049c2017-07-24 15:05:05 -0700[diff] [blame]106 return __call_bypassing_fortify(fread)(buf, size, count, stream);
107 }
George Burgess IVb97049c2017-07-24 15:05:05 -0700[diff] [blame]108 return __fread_chk(buf, size, count, stream, bos);
109}
110
George Burgess IVb97049c2017-07-24 15:05:05 -0700[diff] [blame]111__BIONIC_FORTIFY_INLINE
Elliott Hughesec6850d2017-08-01 08:28:46 -0700[diff] [blame]112size_t fwrite(const void* const __pass_object_size0 buf, size_t size, size_t count, FILE* stream)
George Burgess IV23dbf822017-07-31 21:23:34 -0700[diff] [blame]113 __overloadable
114 __clang_error_if(__unsafe_check_mul_overflow(size, count),
115 "in call to 'fwrite', size * count overflows")
George Burgess IV5273dc52019-05-09 13:46:57 -0700[diff] [blame]116 __clang_error_if(__bos_unevaluated_lt(__bos0(buf), size * count),
George Burgess IV23dbf822017-07-31 21:23:34 -0700[diff] [blame]117 "in call to 'fwrite', size * count is too large for the given buffer") {
George Burgess IVb97049c2017-07-24 15:05:05 -0700[diff] [blame]118 size_t bos = __bos0(buf);
119
George Burgess IVa1a09b22019-05-13 17:16:20 -0700[diff] [blame^]120 if (__bos_trivially_not_lt_mul(bos, size, count)) {
George Burgess IVb97049c2017-07-24 15:05:05 -0700[diff] [blame]121 return __call_bypassing_fortify(fwrite)(buf, size, count, stream);
122 }
123
124 return __fwrite_chk(buf, size, count, stream, bos);
125}
George Burgess IVa1a09b22019-05-13 17:16:20 -0700[diff] [blame^]126#undef __bos_trivially_not_lt_mul
George Burgess IVb97049c2017-07-24 15:05:05 -0700[diff] [blame]127#endif /* __ANDROID_API__ >= __ANDROID_API_N__ */
128
129#if __ANDROID_API__ >= __ANDROID_API_J_MR1__
George Burgess IVb97049c2017-07-24 15:05:05 -0700[diff] [blame]130__BIONIC_FORTIFY_INLINE
George Burgess IV23dbf822017-07-31 21:23:34 -0700[diff] [blame]131char* fgets(char* const __pass_object_size dest, int size, FILE* stream)
132 __overloadable
133 __clang_error_if(size < 0, "in call to 'fgets', size should not be negative")
George Burgess IV5273dc52019-05-09 13:46:57 -0700[diff] [blame]134 __clang_error_if(__bos_unevaluated_lt(__bos(dest), size),
George Burgess IV23dbf822017-07-31 21:23:34 -0700[diff] [blame]135 "in call to 'fgets', size is larger than the destination buffer") {
George Burgess IVb97049c2017-07-24 15:05:05 -0700[diff] [blame]136 size_t bos = __bos(dest);
137
George Burgess IVa1a09b22019-05-13 17:16:20 -0700[diff] [blame^]138 if (__bos_dynamic_check_impl_and(bos, >=, (size_t)size, size >= 0)) {
George Burgess IVb97049c2017-07-24 15:05:05 -0700[diff] [blame]139 return __call_bypassing_fortify(fgets)(dest, size, stream);
140 }
141
142 return __fgets_chk(dest, size, stream, bos);
143}
144#endif /* __ANDROID_API__ >= __ANDROID_API_J_MR1__ */
145
George Burgess IVb97049c2017-07-24 15:05:05 -0700[diff] [blame]146#endif /* defined(__BIONIC_FORTIFY) */