Gitiles
Code Review Sign In
gerrit.omnirom.org / android_bionic / ec6850d849746ffbafaaf9b993c5dbb74a014b3f / . / libc / include / bits / fortify / stdio.h
blob: 22dc2174ff69309d0a80110b692b5897b5393fa7 [file] [log] [blame]
George Burgess IVb97049c2017-07-24 15:05:05 -0700[diff] [blame]1/*
2 * Copyright (C) 2017 The Android Open Source Project
3 * All rights reserved.
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
7 * are met:
8 * * Redistributions of source code must retain the above copyright
9 * notice, this list of conditions and the following disclaimer.
10 * * Redistributions in binary form must reproduce the above copyright
11 * notice, this list of conditions and the following disclaimer in
12 * the documentation and/or other materials provided with the
13 * distribution.
14 *
15 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
16 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
17 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
18 * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
19 * COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
20 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
21 * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS
22 * OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED
23 * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
24 * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
25 * OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
26 * SUCH DAMAGE.
27 */
28
29#ifndef _STDIO_H_
30#error "Never include this file directly; instead, include <stdio.h>"
31#endif
32
33char* __fgets_chk(char*, int, FILE*, size_t) __INTRODUCED_IN(17);
Elliott Hughesec6850d2017-08-01 08:28:46 -0700[diff] [blame^]34size_t __fread_chk(void*, size_t, size_t, FILE*, size_t) __INTRODUCED_IN(24);
35size_t __fwrite_chk(const void*, size_t, size_t, FILE*, size_t) __INTRODUCED_IN(24);
George Burgess IVb97049c2017-07-24 15:05:05 -0700[diff] [blame]36
37#if defined(__BIONIC_FORTIFY) && !defined(__BIONIC_NO_STDIO_FORTIFY)
38
39#if __ANDROID_API__ >= __ANDROID_API_J_MR1__
40__BIONIC_FORTIFY_INLINE __printflike(3, 0)
41int vsnprintf(char *const __pass_object_size dest, size_t size,
42 const char *_Nonnull format, __va_list ap) __overloadable {
43 return __builtin___vsnprintf_chk(dest, size, 0, __bos(dest), format, ap);
44}
45
46__BIONIC_FORTIFY_INLINE __printflike(2, 0)
47int vsprintf(char *const __pass_object_size dest, const char *_Nonnull format,
48 __va_list ap) __overloadable {
49 return __builtin___vsprintf_chk(dest, 0, __bos(dest), format, ap);
50}
51#endif /* __ANDROID_API__ >= __ANDROID_API_J_MR1__ */
52
53#if defined(__clang__)
54#if __ANDROID_API__ >= __ANDROID_API_J_MR1__
55/*
56 * Simple case: `format` can't have format specifiers, so we can just compare
57 * its length to the length of `dest`
58 */
59__BIONIC_ERROR_FUNCTION_VISIBILITY
Elliott Hughesec6850d2017-08-01 08:28:46 -0700[diff] [blame^]60int snprintf(char* dest, size_t size, const char* format)
George Burgess IVb97049c2017-07-24 15:05:05 -0700[diff] [blame]61 __overloadable
62 __enable_if(__bos(dest) != __BIONIC_FORTIFY_UNKNOWN_SIZE &&
63 __bos(dest) < __builtin_strlen(format),
64 "format string will always overflow destination buffer")
65 __errorattr("format string will always overflow destination buffer");
66
67__BIONIC_FORTIFY_INLINE
68__printflike(3, 4)
Elliott Hughesec6850d2017-08-01 08:28:46 -0700[diff] [blame^]69int snprintf(char* const __pass_object_size dest,
70 size_t size, const char* format, ...) __overloadable {
George Burgess IVb97049c2017-07-24 15:05:05 -0700[diff] [blame]71 va_list va;
72 va_start(va, format);
73 int result = __builtin___vsnprintf_chk(dest, size, 0, __bos(dest), format, va);
74 va_end(va);
75 return result;
76}
77
78__BIONIC_ERROR_FUNCTION_VISIBILITY
Elliott Hughesec6850d2017-08-01 08:28:46 -0700[diff] [blame^]79int sprintf(char* dest, const char* format) __overloadable
George Burgess IVb97049c2017-07-24 15:05:05 -0700[diff] [blame]80 __enable_if(__bos(dest) != __BIONIC_FORTIFY_UNKNOWN_SIZE &&
81 __bos(dest) < __builtin_strlen(format),
82 "format string will always overflow destination buffer")
83 __errorattr("format string will always overflow destination buffer");
84
85__BIONIC_FORTIFY_INLINE
86__printflike(2, 3)
Elliott Hughesec6850d2017-08-01 08:28:46 -0700[diff] [blame^]87int sprintf(char* const __pass_object_size dest, const char* format, ...) __overloadable {
George Burgess IVb97049c2017-07-24 15:05:05 -0700[diff] [blame]88 va_list va;
89 va_start(va, format);
90 int result = __builtin___vsprintf_chk(dest, 0, __bos(dest), format, va);
91 va_end(va);
92 return result;
93}
94#endif /* __ANDROID_API__ >= __ANDROID_API_J_MR1__ */
95
96#if __ANDROID_API__ >= __ANDROID_API_N__
97__BIONIC_FORTIFY_INLINE
Elliott Hughesec6850d2017-08-01 08:28:46 -0700[diff] [blame^]98size_t fread(void* buf, size_t size, size_t count,
99 FILE* stream) __overloadable
George Burgess IVb97049c2017-07-24 15:05:05 -0700[diff] [blame]100 __enable_if(__unsafe_check_mul_overflow(size, count), "size * count overflows")
101 __errorattr("size * count overflows");
102
103__BIONIC_FORTIFY_INLINE
Elliott Hughesec6850d2017-08-01 08:28:46 -0700[diff] [blame^]104size_t fread(void* buf, size_t size, size_t count, FILE* stream) __overloadable
George Burgess IVb97049c2017-07-24 15:05:05 -0700[diff] [blame]105 __enable_if(!__unsafe_check_mul_overflow(size, count), "no overflow")
106 __enable_if(__bos(buf) != __BIONIC_FORTIFY_UNKNOWN_SIZE &&
107 size * count > __bos(buf), "size * count is too large")
108 __errorattr("size * count is too large");
109
110__BIONIC_FORTIFY_INLINE
Elliott Hughesec6850d2017-08-01 08:28:46 -0700[diff] [blame^]111size_t fread(void* const __pass_object_size0 buf, size_t size,
112 size_t count, FILE* stream) __overloadable {
George Burgess IVb97049c2017-07-24 15:05:05 -0700[diff] [blame]113 size_t bos = __bos0(buf);
114
115 if (bos == __BIONIC_FORTIFY_UNKNOWN_SIZE) {
116 return __call_bypassing_fortify(fread)(buf, size, count, stream);
117 }
118
119 return __fread_chk(buf, size, count, stream, bos);
120}
121
Elliott Hughesec6850d2017-08-01 08:28:46 -0700[diff] [blame^]122size_t fwrite(const void* buf, size_t size, size_t count, FILE* stream) __overloadable
George Burgess IVb97049c2017-07-24 15:05:05 -0700[diff] [blame]123 __enable_if(__unsafe_check_mul_overflow(size, count),
124 "size * count overflows")
125 __errorattr("size * count overflows");
126
Elliott Hughesec6850d2017-08-01 08:28:46 -0700[diff] [blame^]127size_t fwrite(const void* buf, size_t size, size_t count, FILE* stream) __overloadable
George Burgess IVb97049c2017-07-24 15:05:05 -0700[diff] [blame]128 __enable_if(!__unsafe_check_mul_overflow(size, count), "no overflow")
129 __enable_if(__bos(buf) != __BIONIC_FORTIFY_UNKNOWN_SIZE &&
130 size * count > __bos(buf), "size * count is too large")
131 __errorattr("size * count is too large");
132
133__BIONIC_FORTIFY_INLINE
Elliott Hughesec6850d2017-08-01 08:28:46 -0700[diff] [blame^]134size_t fwrite(const void* const __pass_object_size0 buf, size_t size, size_t count, FILE* stream)
George Burgess IVb97049c2017-07-24 15:05:05 -0700[diff] [blame]135 __overloadable {
136 size_t bos = __bos0(buf);
137
138 if (bos == __BIONIC_FORTIFY_UNKNOWN_SIZE) {
139 return __call_bypassing_fortify(fwrite)(buf, size, count, stream);
140 }
141
142 return __fwrite_chk(buf, size, count, stream, bos);
143}
144#endif /* __ANDROID_API__ >= __ANDROID_API_N__ */
145
146#if __ANDROID_API__ >= __ANDROID_API_J_MR1__
147__BIONIC_ERROR_FUNCTION_VISIBILITY
Elliott Hughesec6850d2017-08-01 08:28:46 -0700[diff] [blame^]148char *fgets(char* dest, int size, FILE* stream) __overloadable
George Burgess IVb97049c2017-07-24 15:05:05 -0700[diff] [blame]149 __enable_if(size < 0, "size is negative")
150 __errorattr("size is negative");
151
152__BIONIC_ERROR_FUNCTION_VISIBILITY
153char *fgets(char* dest, int size, FILE* stream) __overloadable
154 __enable_if(size >= 0 && size > __bos(dest),
155 "size is larger than the destination buffer")
156 __errorattr("size is larger than the destination buffer");
157
158__BIONIC_FORTIFY_INLINE
Elliott Hughesec6850d2017-08-01 08:28:46 -0700[diff] [blame^]159char *fgets(char* const __pass_object_size dest, int size, FILE* stream) __overloadable {
George Burgess IVb97049c2017-07-24 15:05:05 -0700[diff] [blame]160 size_t bos = __bos(dest);
161
162 if (bos == __BIONIC_FORTIFY_UNKNOWN_SIZE) {
163 return __call_bypassing_fortify(fgets)(dest, size, stream);
164 }
165
166 return __fgets_chk(dest, size, stream, bos);
167}
168#endif /* __ANDROID_API__ >= __ANDROID_API_J_MR1__ */
169
170#else /* defined(__clang__) */
171
Elliott Hughesec6850d2017-08-01 08:28:46 -0700[diff] [blame^]172size_t __fread_real(void*, size_t, size_t, FILE*) __RENAME(fread);
George Burgess IVb97049c2017-07-24 15:05:05 -0700[diff] [blame]173__errordecl(__fread_too_big_error, "fread called with size * count bigger than buffer");
174__errordecl(__fread_overflow, "fread called with overflowing size * count");
175
176char* __fgets_real(char*, int, FILE*) __RENAME(fgets);
177__errordecl(__fgets_too_big_error, "fgets called with size bigger than buffer");
178__errordecl(__fgets_too_small_error, "fgets called with size less than zero");
179
Elliott Hughesec6850d2017-08-01 08:28:46 -0700[diff] [blame^]180size_t __fwrite_real(const void*, size_t, size_t, FILE*) __RENAME(fwrite);
George Burgess IVb97049c2017-07-24 15:05:05 -0700[diff] [blame]181__errordecl(__fwrite_too_big_error, "fwrite called with size * count bigger than buffer");
182__errordecl(__fwrite_overflow, "fwrite called with overflowing size * count");
183
184
185#if __ANDROID_API__ >= __ANDROID_API_J_MR1__
186__BIONIC_FORTIFY_INLINE __printflike(3, 4)
Elliott Hughesec6850d2017-08-01 08:28:46 -0700[diff] [blame^]187int snprintf(char* dest, size_t size, const char* _Nonnull format, ...) {
George Burgess IVb97049c2017-07-24 15:05:05 -0700[diff] [blame]188 return __builtin___snprintf_chk(dest, size, 0, __bos(dest), format,
189 __builtin_va_arg_pack());
190}
191
192__BIONIC_FORTIFY_INLINE __printflike(2, 3)
Elliott Hughesec6850d2017-08-01 08:28:46 -0700[diff] [blame^]193int sprintf(char* dest, const char* _Nonnull format, ...) {
George Burgess IVb97049c2017-07-24 15:05:05 -0700[diff] [blame]194 return __builtin___sprintf_chk(dest, 0, __bos(dest), format,
195 __builtin_va_arg_pack());
196}
197#endif /* __ANDROID_API__ >= __ANDROID_API_J_MR1__ */
198
199#if __ANDROID_API__ >= __ANDROID_API_N__
200__BIONIC_FORTIFY_INLINE
Elliott Hughesec6850d2017-08-01 08:28:46 -0700[diff] [blame^]201size_t fread(void* buf, size_t size, size_t count, FILE* stream) {
George Burgess IVb97049c2017-07-24 15:05:05 -0700[diff] [blame]202 size_t bos = __bos0(buf);
203
204 if (bos == __BIONIC_FORTIFY_UNKNOWN_SIZE) {
205 return __fread_real(buf, size, count, stream);
206 }
207
208 if (__builtin_constant_p(size) && __builtin_constant_p(count)) {
209 size_t total;
210 if (__size_mul_overflow(size, count, &total)) {
211 __fread_overflow();
212 }
213
214 if (total > bos) {
215 __fread_too_big_error();
216 }
217
218 return __fread_real(buf, size, count, stream);
219 }
220
221 return __fread_chk(buf, size, count, stream, bos);
222}
223
224__BIONIC_FORTIFY_INLINE
Elliott Hughesec6850d2017-08-01 08:28:46 -0700[diff] [blame^]225size_t fwrite(const void* buf, size_t size, size_t count, FILE* stream) {
George Burgess IVb97049c2017-07-24 15:05:05 -0700[diff] [blame]226 size_t bos = __bos0(buf);
227
228 if (bos == __BIONIC_FORTIFY_UNKNOWN_SIZE) {
229 return __fwrite_real(buf, size, count, stream);
230 }
231
232 if (__builtin_constant_p(size) && __builtin_constant_p(count)) {
233 size_t total;
234 if (__size_mul_overflow(size, count, &total)) {
235 __fwrite_overflow();
236 }
237
238 if (total > bos) {
239 __fwrite_too_big_error();
240 }
241
242 return __fwrite_real(buf, size, count, stream);
243 }
244
245 return __fwrite_chk(buf, size, count, stream, bos);
246}
247#endif /* __ANDROID_API__ >= __ANDROID_API_N__ */
248
249#if __ANDROID_API__ >= __ANDROID_API_J_MR1__
250__BIONIC_FORTIFY_INLINE
251char *fgets(char* dest, int size, FILE* stream) {
252 size_t bos = __bos(dest);
253
254 // Compiler can prove, at compile time, that the passed in size
255 // is always negative. Force a compiler error.
256 if (__builtin_constant_p(size) && (size < 0)) {
257 __fgets_too_small_error();
258 }
259
260 // Compiler doesn't know destination size. Don't call __fgets_chk
261 if (bos == __BIONIC_FORTIFY_UNKNOWN_SIZE) {
262 return __fgets_real(dest, size, stream);
263 }
264
265 // Compiler can prove, at compile time, that the passed in size
266 // is always <= the actual object size. Don't call __fgets_chk
267 if (__builtin_constant_p(size) && (size <= (int) bos)) {
268 return __fgets_real(dest, size, stream);
269 }
270
271 // Compiler can prove, at compile time, that the passed in size
272 // is always > the actual object size. Force a compiler error.
273 if (__builtin_constant_p(size) && (size > (int) bos)) {
274 __fgets_too_big_error();
275 }
276
277 return __fgets_chk(dest, size, stream, bos);
278}
279#endif /* __ANDROID_API__ >= __ANDROID_API_J_MR1__ */
280
281#endif /* defined(__clang__) */
282#endif /* defined(__BIONIC_FORTIFY) */