1 #include <stdio.h>
2 #include <stdlib.h>
3 #include <stdarg.h>
4 #include <ctype.h>
5 #include <wchar.h>
6 #include <wctype.h>
7 #include <limits.h>
8 #include <string.h>
9 #include <errno.h>
10 #include <math.h>
11 #include <float.h>
12
13 #include "stdio_impl.h"
14 #include "shgetc.h"
15 #include "intscan.h"
16 #include "floatscan.h"
17 #include "libc.h"
18
/* Length-modifier codes set by the format parser in vfwscanf().
 * The values run consecutively from -2 to 3 so that size+2 can index the
 * size_pfx[] table in vfwscanf(); store_int() switches on them to choose
 * the width of the destination integer. */
#define SIZE_hh -2
#define SIZE_h  -1
#define SIZE_def 0
#define SIZE_l   1
#define SIZE_L   2
#define SIZE_ll  3
25
/* Write i through dest, truncated to the integer type selected by the
 * SIZE_* code in size. A null dest (assignment suppressed) stores nothing,
 * and so does any code without a branch below (SIZE_L, for instance). */
static void store_int(void *dest, int size, unsigned long long i)
{
        if (dest == NULL)
                return;

        if (size == SIZE_hh) {
                *(char *)dest = i;
        } else if (size == SIZE_h) {
                *(short *)dest = i;
        } else if (size == SIZE_def) {
                *(int *)dest = i;
        } else if (size == SIZE_l) {
                *(long *)dest = i;
        } else if (size == SIZE_ll) {
                *(long long *)dest = i;
        }
}
47
/* Return the n-th variadic argument (1-based), read as a void pointer.
 * The walk happens on a private copy, so the caller's ap is not advanced.
 * Every skipped argument is fetched as void *, and n is not checked against
 * the number of arguments actually passed: a format naming a position past
 * the end of the list reads whatever follows. n == 0 behaves like n == 1. */
static void *arg_n(va_list ap, unsigned int n)
{
        va_list cursor;
        void *result;

        va_copy(cursor, ap);
        /* discard the n-1 arguments in front of the requested one */
        while (n > 1) {
                va_arg(cursor, void *);
                n--;
        }
        result = va_arg(cursor, void *);
        va_end(cursor);
        return result;
}
59
/* Test whether c belongs to a scanf scanset.
 * set points just past the '[' (and past '^', if any) and is read up to the
 * first ']' that is not in leading position, or up to a terminating 0.
 * Returns 1 on membership, 0 otherwise. */
static int in_set(const wchar_t *set, int c)
{
        const wchar_t *cur = set;

        /* A '-' or ']' in first position is an ordinary member. */
        if (*cur == '-' || *cur == ']') {
                if (c == *cur)
                        return 1;
                cur++;
        }

        while (*cur != 0 && *cur != ']') {
                /* "a-z": a '-' followed by a real character is a range whose
                 * lower bound is the character before the '-'. */
                if (*cur == '-' && cur[1] != 0 && cur[1] != ']') {
                        int lo = cur[-1];
                        cur++;
                        for (int v = lo; v < *cur; v++) {
                                if (c == v)
                                        return 1;
                        }
                }
                /* single member, or the upper bound of the range just walked */
                if (c == *cur)
                        return 1;
                cur++;
        }
        return 0;
}
79
#if 1
/* Fast paths layered over the real getwc/ungetwc. They touch f->rpos and
 * f->rend directly (presumably the read cursor and end of the stream's read
 * buffer, declared in stdio_impl.h -- confirm there). */
#undef getwc
/* Take the next buffered byte when one is available and it compares below
 * 128 (assumes rpos points to unsigned bytes -- confirm); otherwise call the
 * real function, which the parenthesized name (getwc) selects instead of
 * this macro. */
#define getwc(f) \
        ((f)->rpos < (f)->rend && *(f)->rpos < 128 ? *(f)->rpos++ : (getwc)(f))

#undef ungetwc
/* For c below 128 with a non-null rend, step rpos back one byte and yield
 * the byte found there; c itself is never written. This relies on c being
 * the byte most recently consumed from the same buffer: nothing here checks
 * that rpos is still above the start of the buffer. A negative int c (EOF)
 * converts to a large unsigned value, fails the < 128U test and is passed to
 * the real ungetwc. */
#define ungetwc(c,f) \
        ((f)->rend && (c)<128U ? *--(f)->rpos : ungetwc((c),(f)))
#endif
89
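/*
 * Wide-character scanf core: walk fmt, read matching input from f and store
 * converted values through the pointer arguments taken from ap.
 *
 * Returns the number of assigned conversions; if a format, allocation or
 * input failure occurs before anything was assigned, the count is
 * decremented from 0, giving -1.
 *
 * Points a caller or reviewer should keep in mind:
 *  - %s, %c and %[ without the 'm' modifier write until a delimiter is read
 *    or the field width runs out; with no width nothing here bounds the
 *    write, so the destination size is entirely the caller's responsibility.
 *  - With 'm', the buffer belongs to this function until it is stored
 *    through dest; after that the caller owns it and the failure path must
 *    never free it.
 *  - Positional arguments are recognised with a single digit only (%N$).
 *  - Numeric and pointer conversions are delegated to fscanf() on the same
 *    stream, using a narrow format assembled in tmp.
 */
int vfwscanf(FILE *restrict f, const wchar_t *restrict fmt, va_list ap)
{
        int width;
        int size;
        /* Nonzero only while the conversion being processed may own a buffer
         * obtained for the 'm' modifier; the failure path frees based on it,
         * so it must never be read uninitialized or stale. */
        int alloc = 0;
        const wchar_t *p;
        int c, t;
        char *s = NULL;
        wchar_t *wcs = NULL;
        void *dest=NULL;
        int invert;
        int matches=0;
        off_t pos = 0, cnt;
        static const char size_pfx[][3] = { "hh", "h", "", "l", "L", "ll" };
        char tmp[3*sizeof(int)+10];
        const wchar_t *set;
        size_t i, k;

        /* FLOCK/FUNLOCK come from the project headers; presumably they take
         * and release the stream lock -- confirm in stdio_impl.h. */
        FLOCK(f);

        for (p=fmt; *p; p++) {

                /* Forget the previous directive's allocation state. Without
                 * this, a literal mismatch after a successful %m conversion
                 * would reach match_fail with alloc still set and free a
                 * buffer that has already been handed to the caller. */
                alloc = 0;

                if (iswspace(*p)) {
                        while (iswspace(p[1])) p++;
                        while (iswspace((c=getwc(f)))) pos++;
                        ungetwc(c, f);
                        continue;
                }
                /* Literal character, or "%%" matching a single '%'. */
                if (*p != '%' || p[1] == '%') {
                        p += *p=='%';
                        c = getwc(f);
                        if (c!=*p) {
                                ungetwc(c, f);
                                if (c<0) goto input_fail;
                                goto match_fail;
                        }
                        pos++;
                        continue;
                }

                /* Conversion: pick the destination ('*' suppresses it). */
                p++;
                if (*p=='*') {
                        dest = 0; p++;
                } else if (iswdigit(*p) && p[1]=='$') {
                        dest = arg_n(ap, *p-'0'); p+=2;
                } else {
                        dest = va_arg(ap, void *);
                }

                for (width=0; iswdigit(*p); p++) {
                        width = 10*width + *p - '0';
                }

                if (*p=='m') {
                        /* Drop pointers left over from an earlier conversion
                         * so that a failure before the new buffer exists
                         * frees nothing. */
                        wcs = 0;
                        s = 0;
                        alloc = !!dest;
                        p++;
                } else {
                        alloc = 0;
                }

                size = SIZE_def;
                switch (*p++) {
                case 'h':
                        if (*p == 'h') p++, size = SIZE_hh;
                        else size = SIZE_h;
                        break;
                case 'l':
                        if (*p == 'l') p++, size = SIZE_ll;
                        else size = SIZE_l;
                        break;
                case 'j':
                        size = SIZE_ll;
                        break;
                case 'z':
                case 't':
                        size = SIZE_l;
                        break;
                case 'L':
                        size = SIZE_L;
                        break;
                case 'd': case 'i': case 'o': case 'u': case 'x':
                case 'a': case 'e': case 'f': case 'g':
                case 'A': case 'E': case 'F': case 'G': case 'X':
                case 's': case 'c': case '[':
                case 'S': case 'C':
                case 'p': case 'n':
                        /* no length modifier: step back onto the specifier */
                        p--;
                        break;
                default:
                        goto fmt_fail;
                }

                t = *p;

                /* Transform S,C -> ls,lc */
                if ((t&0x2f)==3) {
                        size = SIZE_l;
                        t |= 32;
                }

                if (t != 'n') {
                        /* %[ and %c do not skip leading whitespace */
                        if (t != '[' && (t|32) != 'c')
                                while (iswspace((c=getwc(f)))) pos++;
                        else
                                c=getwc(f);
                        if (c < 0) goto input_fail;
                        ungetwc(c, f);
                }

                switch (t) {
                case 'n':
                        store_int(dest, size, pos);
                        /* do not increment match count, etc! */
                        continue;

                case 's':
                case 'c':
                case '[':
                        if (t == 'c') {
                                if (width<1) width = 1;
                                invert = 1;
                                set = L"";
                        } else if (t == 's') {
                                /* Static storage: set is read after this
                                 * block has ended, where a compound literal
                                 * created here would be out of lifetime. */
                                static const wchar_t spaces[] = {
                                        ' ', '\t', '\n', '\r', 11, 12,  0x0085,
                                        0x2000, 0x2001, 0x2002, 0x2003, 0x2004, 0x2005,
                                        0x2006, 0x2008, 0x2009, 0x200a,
                                        0x2028, 0x2029, 0x205f, 0x3000, 0 };
                                invert = 1;
                                set = spaces;
                        } else {
                                if (*++p == '^') p++, invert = 1;
                                else invert = 0;
                                set = p;
                                if (*p==']') p++;
                                while (*p!=']') {
                                        if (!*p) goto fmt_fail;
                                        p++;
                                }
                        }

                        s = (size == SIZE_def) ? dest : 0;
                        wcs = (size == SIZE_l) ? dest : 0;

                        int gotmatch = 0;

                        /* -1 means "no limit": the loop below only counts a
                         * positive width down. */
                        if (width < 1) width = -1;

                        i = 0;
                        if (alloc) {
                                k = t=='c' ? width+1U : 31;
                                if (size == SIZE_l) {
                                        /* refuse an element count whose byte
                                         * size would wrap size_t */
                                        if (k > (size_t)-1/sizeof(wchar_t)) goto alloc_fail;
                                        wcs = malloc(k*sizeof(wchar_t));
                                        if (!wcs) goto alloc_fail;
                                } else {
                                        /* wctomb() below can emit up to
                                         * MB_LEN_MAX bytes per character and
                                         * the growth check keeps that much
                                         * headroom, so the buffer must not
                                         * start smaller; width+1 is only 2
                                         * for a plain %mc. */
                                        if (k < MB_LEN_MAX) k = MB_LEN_MAX;
                                        s = malloc(k);
                                        if (!s) goto alloc_fail;
                                }
                        }
                        while (width) {
                                if ((c=getwc(f))<0) break;
                                if (in_set(set, c) == invert)
                                        break;
                                if (wcs) {
                                        wcs[i++] = c;
                                        if (alloc && i==k) {
                                                k += k+1;
                                                if (k > (size_t)-1/sizeof(wchar_t)) goto alloc_fail;
                                                wchar_t *grown = realloc(wcs, k*sizeof(wchar_t));
                                                if (!grown) goto alloc_fail;
                                                wcs = grown;
                                        }
                                } else if (size != SIZE_l) {
                                        /* suppressed assignment converts into
                                         * the scratch buffer tmp instead */
                                        int l = wctomb(s?s+i:tmp, c);
                                        if (l<0) goto input_fail;
                                        i += l;
                                        /* grow while fewer than MB_LEN_MAX
                                         * bytes remain; i never exceeds k */
                                        if (alloc && k-i < MB_LEN_MAX) {
                                                k += k+1;
                                                char *grown = realloc(s, k);
                                                if (!grown) goto alloc_fail;
                                                s = grown;
                                        }
                                }
                                pos++;
                                width-=(width>0);
                                gotmatch=1;
                        }
                        if (width) {
                                ungetwc(c, f);
                                if (t == 'c' || !gotmatch) goto match_fail;
                        }

                        /* From here on the caller owns the buffer. */
                        if (alloc) {
                                if (size == SIZE_l) *(wchar_t **)dest = wcs;
                                else *(char **)dest = s;
                        }
                        /* %c results are not terminated */
                        if (t != 'c') {
                                if (wcs) wcs[i] = 0;
                                if (s) s[i] = 0;
                        }
                        break;

                case 'd': case 'i': case 'o': case 'u': case 'x':
                case 'a': case 'e': case 'f': case 'g':
                case 'A': case 'E': case 'F': case 'G': case 'X':
                case 'p':
                        if (width < 1) width = 0;
                        /* Build "%[*][width]<size><t>%lln": the '*' is kept
                         * only when there is no destination, and the
                         * trailing %lln reports how much was consumed. */
                        snprintf(tmp, sizeof tmp, "%.*s%.0d%s%c%%lln",
                                1+!dest, "%*", width, size_pfx[size+2], t);
                        cnt = 0;
                        if (fscanf(f, tmp, dest?dest:&cnt, &cnt) == -1)
                                goto input_fail;
                        else if (!cnt)
                                goto match_fail;
                        pos += cnt;
                        break;
                default:
                        goto fmt_fail;
                }

                if (dest) matches++;
        }
        /* The block below is entered only through the labels. */
        if (0) {
fmt_fail:
alloc_fail:
input_fail:
                if (!matches) matches--;
match_fail:
                /* Release only a buffer this call still owns. */
                if (alloc) {
                        free(s);
                        free(wcs);
                }
        }
        FUNLOCK(f);
        return matches;
}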
324
/* Also export vfwscanf under the name __isoc99_vfwscanf, using the
 * project's weak_alias macro (presumably from libc.h -- confirm). */
weak_alias(vfwscanf,__isoc99_vfwscanf);