/* * Copyright Patrick Powell 1995 * * This code is based on code written by Patrick Powell * (papowell@astart.com) It may be used for any purpose as long * as this notice remains intact on all source code distributions. * * Adapted for Bacula -- note there were lots of bugs in * the original code: %lld and %s were seriously broken, and * with FP turned off %f seg faulted. * * Kern Sibbald, November MMV * * Version $Id: bsnprintf.c 5713 2007-10-03 11:36:47Z kerns $ */ /* Bacula® - The Network Backup Solution Copyright (C) 2005-2007 Free Software Foundation Europe e.V. The main author of Bacula is Kern Sibbald, with contributions from many others, a complete list can be found in the file AUTHORS. This program is Free Software; you can redistribute it and/or modify it under the terms of version two of the GNU General Public License as published by the Free Software Foundation and included in the file LICENSE. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. Bacula® is a registered trademark of John Walker. The licensor of Bacula is the Free Software Foundation Europe (FSFE), Fiduciary Program, Sumatrastrasse 25, 8006 Zürich, Switzerland, email:ftf@fsfeurope.org. */ #include "bacula.h" #define FP_OUTPUT 1 /* Bacula uses floating point */ /* Define the following if you want all the features of * normal printf, but with all the security problems. * For Bacula we turn this off, and it silently ignores * formats that could pose a security problem. */ #undef SECURITY_PROBLEM #ifdef USE_BSNPRINTF #ifdef HAVE_LONG_DOUBLE #define LDOUBLE long double #else #define LDOUBLE double #endif int bvsnprintf(char *buffer, int32_t maxlen, const char *format, va_list args); static int32_t fmtstr(char *buffer, int32_t currlen, int32_t maxlen, const char *value, int flags, int min, int max); static int32_t fmtint(char *buffer, int32_t currlen, int32_t maxlen, int64_t value, int base, int min, int max, int flags); #ifdef FP_OUTPUT # ifdef HAVE_FCVTL # define fcvt fcvtl # endif static int32_t fmtfp(char *buffer, int32_t currlen, int32_t maxlen, LDOUBLE fvalue, int min, int max, int flags); #else #define fmtfp(b, c, m, f, min, max, fl) currlen #endif #define outch(c) {int len=currlen; if (currlen++ < maxlen) { buffer[len] = (c);}} /* format read states */ #define DP_S_DEFAULT 0 #define DP_S_FLAGS 1 #define DP_S_MIN 2 #define DP_S_DOT 3 #define DP_S_MAX 4 #define DP_S_MOD 5 #define DP_S_CONV 6 #define DP_S_DONE 7 /* format flags - Bits */ #define DP_F_MINUS (1 << 0) #define DP_F_PLUS (1 << 1) #define DP_F_SPACE (1 << 2) #define DP_F_NUM (1 << 3) #define DP_F_ZERO (1 << 4) #define DP_F_UP (1 << 5) #define DP_F_UNSIGNED (1 << 6) #define DP_F_DOT (1 << 7) /* Conversion Flags */ #define DP_C_INT16 1 #define DP_C_INT32 2 #define DP_C_LDOUBLE 3 #define DP_C_INT64 4 #define char_to_int(p) ((p)- '0') #undef MAX #define MAX(p,q) (((p) >= (q)) ? (p) : (q)) /* You might ask why does Bacula have it's own printf routine? Well, There are two reasons: 1. Here (as opposed to library routines), we define %d and %ld to be 32 bit; %lld and %q to be 64 bit. 2. We disable %n for security reasons. */ int bsnprintf(char *str, int32_t size, const char *fmt, ...) { va_list arg_ptr; int len; va_start(arg_ptr, fmt); len = bvsnprintf(str, size, fmt, arg_ptr); va_end(arg_ptr); return len; } int bvsnprintf(char *buffer, int32_t maxlen, const char *format, va_list args) { char ch; int64_t value; char *strvalue; int min; int max; int state; int flags; int cflags; int32_t currlen; int base; #ifdef FP_OUTPUT LDOUBLE fvalue; #endif state = DP_S_DEFAULT; currlen = flags = cflags = min = 0; max = -1; ch = *format++; *buffer = 0; while (state != DP_S_DONE) { if ((ch == '\0') || (currlen >= maxlen)) state = DP_S_DONE; switch (state) { case DP_S_DEFAULT: if (ch == '%') { state = DP_S_FLAGS; } else { outch(ch); } ch = *format++; break; case DP_S_FLAGS: switch (ch) { case '-': flags |= DP_F_MINUS; ch = *format++; break; case '+': flags |= DP_F_PLUS; ch = *format++; break; case ' ': flags |= DP_F_SPACE; ch = *format++; break; case '#': flags |= DP_F_NUM; ch = *format++; break; case '0': flags |= DP_F_ZERO; ch = *format++; break; default: state = DP_S_MIN; break; } break; case DP_S_MIN: if (isdigit((unsigned char)ch)) { min = 10 * min + char_to_int(ch); ch = *format++; } else if (ch == '*') { min = va_arg(args, int); ch = *format++; state = DP_S_DOT; } else state = DP_S_DOT; break; case DP_S_DOT: if (ch == '.') { state = DP_S_MAX; flags |= DP_F_DOT; ch = *format++; } else state = DP_S_MOD; break; case DP_S_MAX: if (isdigit((unsigned char)ch)) { if (max < 0) max = 0; max = 10 * max + char_to_int(ch); ch = *format++; } else if (ch == '*') { max = va_arg(args, int); ch = *format++; state = DP_S_MOD; } else state = DP_S_MOD; break; case DP_S_MOD: switch (ch) { case 'h': cflags = DP_C_INT16; ch = *format++; break; case 'l': cflags = DP_C_INT32; ch = *format++; if (ch == 'l') { /* It's a long long */ cflags = DP_C_INT64; ch = *format++; } break; case 'L': cflags = DP_C_LDOUBLE; ch = *format++; break; case 'q': /* same as long long */ cflags = DP_C_INT64; ch = *format++; break; default: break; } state = DP_S_CONV; break; case DP_S_CONV: switch (ch) { case 'd': case 'i': if (cflags == DP_C_INT16) { value = va_arg(args, int32_t); } else if (cflags == DP_C_INT32) { value = va_arg(args, int32_t); } else if (cflags == DP_C_INT64) { value = va_arg(args, int64_t); } else { value = va_arg(args, int); } currlen = fmtint(buffer, currlen, maxlen, value, 10, min, max, flags); break; case 'X': case 'x': case 'o': case 'u': if (ch == 'o') { base = 8; } else if (ch == 'x') { base = 16; } else if (ch == 'X') { base = 16; flags |= DP_F_UP; } else { base = 10; } flags |= DP_F_UNSIGNED; if (cflags == DP_C_INT16) { value = va_arg(args, uint32_t); } else if (cflags == DP_C_INT32) { value = va_arg(args, uint32_t); } else if (cflags == DP_C_INT64) { value = va_arg(args, uint64_t); } else { value = va_arg(args, unsigned int); } currlen = fmtint(buffer, currlen, maxlen, value, base, min, max, flags); break; case 'f': if (cflags == DP_C_LDOUBLE) { fvalue = va_arg(args, LDOUBLE); } else { fvalue = va_arg(args, double); } currlen = fmtfp(buffer, currlen, maxlen, fvalue, min, max, flags); break; case 'E': flags |= DP_F_UP; case 'e': if (cflags == DP_C_LDOUBLE) { fvalue = va_arg(args, LDOUBLE); } else { fvalue = va_arg(args, double); } currlen = fmtfp(buffer, currlen, maxlen, fvalue, min, max, flags); break; case 'G': flags |= DP_F_UP; case 'g': if (cflags == DP_C_LDOUBLE) { fvalue = va_arg(args, LDOUBLE); } else { fvalue = va_arg(args, double); } currlen = fmtfp(buffer, currlen, maxlen, fvalue, min, max, flags); break; case 'c': outch(va_arg(args, int)); break; case 's': strvalue = va_arg(args, char *); currlen = fmtstr(buffer, currlen, maxlen, strvalue, flags, min, max); break; case 'p': flags |= DP_F_UNSIGNED; if (sizeof(char *) == 4) { value = va_arg(args, uint32_t); } else if (sizeof(char *) == 8) { value = va_arg(args, uint64_t); } else { value = 0; /* we have a problem */ } currlen = fmtint(buffer, currlen, maxlen, value, 16, min, max, flags); break; case 'n': if (cflags == DP_C_INT16) { int16_t *num; num = va_arg(args, int16_t *); #ifdef SECURITY_PROBLEM *num = currlen; #endif } else if (cflags == DP_C_INT32) { int32_t *num; num = va_arg(args, int32_t *); #ifdef SECURITY_PROBLEM *num = (int32_t)currlen; #endif } else if (cflags == DP_C_INT64) { int64_t *num; num = va_arg(args, int64_t *); #ifdef SECURITY_PROBLEM *num = (int64_t)currlen; #endif } else { int32_t *num; num = va_arg(args, int32_t *); #ifdef SECURITY_PROBLEM *num = (int32_t)currlen; #endif } break; case '%': outch(ch); break; case 'w': /* not supported yet, treat as next char */ ch = *format++; break; default: /* Unknown, skip */ break; } ch = *format++; state = DP_S_DEFAULT; flags = cflags = min = 0; max = -1; break; case DP_S_DONE: break; default: /* hmm? */ break; /* some picky compilers need this */ } } if (currlen < maxlen - 1) { buffer[currlen] = '\0'; } else { buffer[maxlen - 1] = '\0'; } return currlen; } static int32_t fmtstr(char *buffer, int32_t currlen, int32_t maxlen, const char *value, int flags, int min, int max) { int padlen, strln; /* amount to pad */ int cnt = 0; if (flags & DP_F_DOT && max < 0) { /* Max not specified */ max = 0; } else if (max < 0) { max = maxlen; } if (!value) { value = ""; } strln = strlen(value); if (strln > max) { strln = max; /* truncate to max */ } padlen = min - strln; if (padlen < 0) { padlen = 0; } if (flags & DP_F_MINUS) { padlen = -padlen; /* Left Justify */ } while (padlen > 0) { outch(' '); --padlen; } while (*value && (cnt < max)) { outch(*value++); ++cnt; } while (padlen < 0) { outch(' '); ++padlen; } return currlen; } /* Have to handle DP_F_NUM (ie 0x and 0 alternates) */ static int32_t fmtint(char *buffer, int32_t currlen, int32_t maxlen, int64_t value, int base, int min, int max, int flags) { int signvalue = 0; uint64_t uvalue; char convert[20]; int place = 0; int spadlen = 0; /* amount to space pad */ int zpadlen = 0; /* amount to zero pad */ int caps = 0; if (max < 0) { max = 0; } uvalue = value; if (!(flags & DP_F_UNSIGNED)) { if (value < 0) { signvalue = '-'; uvalue = -value; } else if (flags & DP_F_PLUS) { /* Do a sign (+/i) */ signvalue = '+'; } else if (flags & DP_F_SPACE) { signvalue = ' '; } } if (flags & DP_F_UP) { caps = 1; /* Should characters be upper case? */ } do { convert[place++] = (caps ? "0123456789ABCDEF" : "0123456789abcdef") [uvalue % (unsigned)base]; uvalue = (uvalue / (unsigned)base); } while (uvalue && (place < 20)); if (place == 20) { place--; } convert[place] = 0; zpadlen = max - place; spadlen = min - MAX(max, place) - (signvalue ? 1 : 0); if (zpadlen < 0) zpadlen = 0; if (spadlen < 0) spadlen = 0; if (flags & DP_F_ZERO) { zpadlen = MAX(zpadlen, spadlen); spadlen = 0; } if (flags & DP_F_MINUS) spadlen = -spadlen; /* Left Justifty */ #ifdef DEBUG_SNPRINTF printf("zpad: %d, spad: %d, min: %d, max: %d, place: %d\n", zpadlen, spadlen, min, max, place); #endif /* Spaces */ while (spadlen > 0) { outch(' '); --spadlen; } /* Sign */ if (signvalue) { outch(signvalue); } /* Zeros */ if (zpadlen > 0) { while (zpadlen > 0) { outch('0'); --zpadlen; } } /* Digits */ while (place > 0) { outch(convert[--place]); } /* Left Justified spaces */ while (spadlen < 0) { outch(' '); ++spadlen; } return currlen; } #ifdef FP_OUTPUT static LDOUBLE abs_val(LDOUBLE value) { LDOUBLE result = value; if (value < 0) result = -value; return result; } static LDOUBLE pow10(int exp) { LDOUBLE result = 1; while (exp) { result *= 10; exp--; } return result; } static long round(LDOUBLE value) { long intpart; intpart = (long)value; value = value - intpart; if (value >= 0.5) intpart++; return intpart; } static int32_t fmtfp(char *buffer, int32_t currlen, int32_t maxlen, LDOUBLE fvalue, int min, int max, int flags) { int signvalue = 0; LDOUBLE ufvalue; #ifndef HAVE_FCVT char iconvert[20]; char fconvert[20]; #else char iconvert[311]; char fconvert[311]; char *result; char dummy[10]; int dec_pt, sig; int r_length; extern char *fcvt(double value, int ndigit, int *decpt, int *sign); #endif int iplace = 0; int fplace = 0; int padlen = 0; /* amount to pad */ int zpadlen = 0; int caps = 0; int64_t intpart; int64_t fracpart; /* * AIX manpage says the default is 0, but Solaris says the default * is 6, and sprintf on AIX defaults to 6 */ if (max < 0) max = 6; ufvalue = abs_val(fvalue); if (fvalue < 0) signvalue = '-'; else if (flags & DP_F_PLUS) /* Do a sign (+/i) */ signvalue = '+'; else if (flags & DP_F_SPACE) signvalue = ' '; #if 0 if (flags & DP_F_UP) caps = 1; /* Should characters be upper case? */ #endif #ifndef HAVE_FCVT intpart = (long)ufvalue; /* * Sorry, we only support 9 digits past the decimal because of our * conversion method */ if (max > 9) max = 9; /* We "cheat" by converting the fractional part to integer by * multiplying by a factor of 10 */ fracpart = round((pow10(max)) * (ufvalue - intpart)); if (fracpart >= pow10(max)) { intpart++; fracpart -= (int64_t)pow10(max); } #ifdef DEBUG_SNPRINTF printf("fmtfp: %g %d.%d min=%d max=%d\n", (double)fvalue, intpart, fracpart, min, max); #endif /* Convert integer part */ do { iconvert[iplace++] = (caps ? "0123456789ABCDEF" : "0123456789abcdef")[intpart % 10]; intpart = (intpart / 10); } while (intpart && (iplace < 20)); if (iplace == 20) iplace--; iconvert[iplace] = 0; /* Convert fractional part */ do { fconvert[fplace++] = (caps ? "0123456789ABCDEF" : "0123456789abcdef")[fracpart % 10]; fracpart = (fracpart / 10); } while (fracpart && (fplace < 20)); if (fplace == 20) fplace--; fconvert[fplace] = 0; #else /* use fcvt() */ if (max > 310) max = 310; # ifdef HAVE_FCVTL result = fcvtl(ufvalue, max, &dec_pt, &sig); # else result = fcvt(ufvalue, max, &dec_pt, &sig); # endif if (!result) { r_length = 0; result = dummy; } else { r_length = strlen(result); } /* * Fix broken fcvt implementation returns.. */ if (r_length == 0) { result[0] = '0'; result[1] = '\0'; r_length = 1; } if (r_length < dec_pt) dec_pt = r_length; if (dec_pt <= 0) { iplace = 1; iconvert[0] = '0'; iconvert[1] = '\0'; fplace = 0; while (r_length) { fconvert[fplace++] = result[--r_length]; } while ((dec_pt < 0) && (fplace < max)) { fconvert[fplace++] = '0'; dec_pt++; } } else { int c; iplace = 0; for (c = dec_pt; c; iconvert[iplace++] = result[--c]); iconvert[iplace] = '\0'; result += dec_pt; fplace = 0; for (c = (r_length - dec_pt); c; fconvert[fplace++] = result[--c]); } #endif /* HAVE_FCVT */ /* -1 for decimal point, another -1 if we are printing a sign */ padlen = min - iplace - max - 1 - ((signvalue) ? 1 : 0); zpadlen = max - fplace; if (zpadlen < 0) { zpadlen = 0; } if (padlen < 0) { padlen = 0; } if (flags & DP_F_MINUS) { padlen = -padlen; /* Left Justifty */ } if ((flags & DP_F_ZERO) && (padlen > 0)) { if (signvalue) { outch(signvalue); --padlen; signvalue = 0; } while (padlen > 0) { outch('0'); --padlen; } } while (padlen > 0) { outch(' '); --padlen; } if (signvalue) { outch(signvalue); } while (iplace > 0) { outch(iconvert[--iplace]); } #ifdef DEBUG_SNPRINTF printf("fmtfp: fplace=%d zpadlen=%d\n", fplace, zpadlen); #endif /* * Decimal point. This should probably use locale to find the correct * char to print out. */ if (max > 0) { outch('.'); while (fplace > 0) { outch(fconvert[--fplace]); } } while (zpadlen > 0) { outch('0'); --zpadlen; } while (padlen < 0) { outch(' '); ++padlen; } return currlen; } #endif /* FP_OUTPUT */ #ifdef TEST_PROGRAM #ifndef LONG_STRING #define LONG_STRING 1024 #endif int main(void) { char buf1[LONG_STRING]; char buf2[LONG_STRING]; #ifdef FP_OUTPUT char *fp_fmt[] = { "%-1.5f", "%1.5f", "%123.9f", "%10.5f", "% 10.5f", "%+22.9f", "%+4.9f", "%01.3f", "%4f", "%3.1f", "%3.2f", "%.0f", "%.1f", NULL }; double fp_nums[] = { -1.5, 134.21, 91340.2, 341.1234, 0203.9, 0.96, 0.996, 0.9996, 1.996, 4.136, 6442452944.1234, 0 }; #endif char *int_fmt[] = { "%-1.5d", "%1.5d", "%123.9d", "%5.5d", "%10.5d", "% 10.5d", "%+22.33d", "%01.3d", "%4d", "%-1.5ld", "%1.5ld", "%123.9ld", "%5.5ld", "%10.5ld", "% 10.5ld", "%+22.33ld", "%01.3ld", "%4ld", NULL }; long int_nums[] = { -1, 134, 91340, 341, 0203, 0 }; char *ll_fmt[] = { "%-1.8lld", "%1.8lld", "%123.9lld", "%5.8lld", "%10.5lld", "% 10.8lld", "%+22.33lld", "%01.3lld", "%4lld", NULL }; int64_t ll_nums[] = { -1976, 789134567890LL, 91340, 34123, 0203, 0 }; char *s_fmt[] = { "%-1.8s", "%1.8s", "%123.9s", "%5.8s", "%10.5s", "% 10.3s", "%+22.1s", "%01.3s", "%s", "%10s", "%3s", "%3.0s", "%3.s", NULL }; char *s_nums[] = { "abc", "def", "ghi", "123", "4567", "a", "bb", "ccccccc", NULL}; int x, y; int fail = 0; int num = 0; printf("Testing snprintf format codes against system sprintf...\n"); #ifdef FP_OUTPUT for (x = 0; fp_fmt[x] != NULL; x++) for (y = 0; fp_nums[y] != 0; y++) { bsnprintf(buf1, sizeof(buf1), fp_fmt[x], fp_nums[y]); sprintf(buf2, fp_fmt[x], fp_nums[y]); if (strcmp(buf1, buf2)) { printf ("snprintf doesn't match Format: %s\n\tsnprintf = %s\n\tsprintf = %s\n", fp_fmt[x], buf1, buf2); fail++; } num++; } #endif for (x = 0; int_fmt[x] != NULL; x++) for (y = 0; int_nums[y] != 0; y++) { int pcount, bcount; bcount = bsnprintf(buf1, sizeof(buf1), int_fmt[x], int_nums[y]); printf("%s\n", buf1); pcount = sprintf(buf2, int_fmt[x], int_nums[y]); if (bcount != pcount) { printf("bsnprintf count %d doesn't match sprintf count %d\n", bcount, pcount); } if (strcmp(buf1, buf2)) { printf ("bsnprintf doesn't match Format: %s\n\tsnprintf = %s\n\tsprintf = %s\n", int_fmt[x], buf1, buf2); fail++; } num++; } for (x = 0; ll_fmt[x] != NULL; x++) { for (y = 0; ll_nums[y] != 0; y++) { int pcount, bcount; bcount = bsnprintf(buf1, sizeof(buf1), ll_fmt[x], ll_nums[y]); printf("%s\n", buf1); pcount = sprintf(buf2, ll_fmt[x], ll_nums[y]); if (bcount != pcount) { printf("bsnprintf count %d doesn't match sprintf count %d\n", bcount, pcount); } if (strcmp(buf1, buf2)) { printf ("bsnprintf doesn't match Format: %s\n\tsnprintf = %s\n\tsprintf = %s\n", ll_fmt[x], buf1, buf2); fail++; } num++; } } for (x = 0; s_fmt[x] != NULL; x++) { for (y = 0; s_nums[y] != 0; y++) { int pcount, bcount; bcount = bsnprintf(buf1, sizeof(buf1), s_fmt[x], s_nums[y]); printf("%s\n", buf1); pcount = sprintf(buf2, s_fmt[x], s_nums[y]); if (bcount != pcount) { printf("bsnprintf count %d doesn't match sprintf count %d\n", bcount, pcount); } if (strcmp(buf1, buf2)) { printf ("bsnprintf doesn't match Format: %s\n\tsnprintf = %s\n\tsprintf = %s\n", s_fmt[x], buf1, buf2); fail++; } num++; } } printf("%d tests failed out of %d.\n", fail, num); } #endif /* TEST_PROGRAM */ #endif /* USE_BSNPRINTF */