/src/dng_sdk/source/dng_safe_arithmetic.cpp
Line | Count | Source (jump to first uncovered line) |
1 | | #include "dng_safe_arithmetic.h" |
2 | | |
3 | | #include <cmath> |
4 | | #include <limits> |
5 | | |
6 | | #include "dng_exceptions.h" |
7 | | |
8 | | // Implementation of safe integer arithmetic follows guidelines from |
9 | | // https://www.securecoding.cert.org/confluence/display/c/INT30-C.+Ensure+that+unsigned+integer+operations+do+not+wrap |
10 | | // and |
11 | | // https://www.securecoding.cert.org/confluence/display/c/INT32-C.+Ensure+that+operations+on+signed+integers+do+not+result+in+overflow |
12 | | |
13 | | namespace { |
14 | | |
15 | | // Template functions for safe arithmetic. These functions are not exposed in |
16 | | // the header for the time being to avoid having to add checks for the various |
17 | | // constraints on the template argument (e.g. that it is integral and possibly |
18 | | // signed or unsigned only). This should be done using a static_assert(), but |
19 | | // we want to be portable to pre-C++11 compilers. |
20 | | |
21 | | // Returns the result of adding arg1 and arg2 if it will fit in a T (where T is |
22 | | // a signed or unsigned integer type). Otherwise, throws a dng_exception with |
23 | | // error code dng_error_unknown. |
24 | | template <class T> |
25 | 843M | T SafeAdd(T arg1, T arg2) { |
26 | | // The condition is reformulated relative to the version on |
27 | | // www.securecoding.cert.org to check for valid instead of invalid cases. It |
28 | | // seems safer to enumerate the valid cases (and potentially miss one) than |
29 | | // enumerate the invalid cases. |
30 | | // If T is an unsigned type, the second half of the condition always evaluates |
31 | | // to false and will presumably be compiled out by the compiler. |
32 | 843M | if ((arg1 >= 0 && arg2 <= std::numeric_limits<T>::max() - arg1) || |
33 | 843M | (arg1 < 0 && arg2 >= std::numeric_limits<T>::min() - arg1)) { |
34 | 843M | return arg1 + arg2; |
35 | 843M | } else { |
36 | 2.06k | ThrowProgramError("Arithmetic overflow"); |
37 | 2.06k | abort(); // Never reached. |
38 | 2.06k | } |
39 | 843M | } dng_safe_arithmetic.cpp:int (anonymous namespace)::SafeAdd<int>(int, int) Line | Count | Source | 25 | 5.28M | T SafeAdd(T arg1, T arg2) { | 26 | | // The condition is reformulated relative to the version on | 27 | | // www.securecoding.cert.org to check for valid instead of invalid cases. It | 28 | | // seems safer to enumerate the valid cases (and potentially miss one) than | 29 | | // enumerate the invalid cases. | 30 | | // If T is an unsigned type, the second half of the condition always evaluates | 31 | | // to false and will presumably be compiled out by the compiler. | 32 | 5.28M | if ((arg1 >= 0 && arg2 <= std::numeric_limits<T>::max() - arg1) || | 33 | 5.28M | (arg1 < 0 && arg2 >= std::numeric_limits<T>::min() - arg1)) { | 34 | 5.28M | return arg1 + arg2; | 35 | 5.28M | } else { | 36 | 0 | ThrowProgramError("Arithmetic overflow"); | 37 | 0 | abort(); // Never reached. | 38 | 0 | } | 39 | 5.28M | } |
dng_safe_arithmetic.cpp:long (anonymous namespace)::SafeAdd<long>(long, long) Line | Count | Source | 25 | 831M | T SafeAdd(T arg1, T arg2) { | 26 | | // The condition is reformulated relative to the version on | 27 | | // www.securecoding.cert.org to check for valid instead of invalid cases. It | 28 | | // seems safer to enumerate the valid cases (and potentially miss one) than | 29 | | // enumerate the invalid cases. | 30 | | // If T is an unsigned type, the second half of the condition always evaluates | 31 | | // to false and will presumably be compiled out by the compiler. | 32 | 831M | if ((arg1 >= 0 && arg2 <= std::numeric_limits<T>::max() - arg1) || | 33 | 831M | (arg1 < 0 && arg2 >= std::numeric_limits<T>::min() - arg1)) { | 34 | 831M | return arg1 + arg2; | 35 | 831M | } else { | 36 | 0 | ThrowProgramError("Arithmetic overflow"); | 37 | 0 | abort(); // Never reached. | 38 | 0 | } | 39 | 831M | } |
dng_safe_arithmetic.cpp:unsigned int (anonymous namespace)::SafeAdd<unsigned int>(unsigned int, unsigned int) Line | Count | Source | 25 | 6.53M | T SafeAdd(T arg1, T arg2) { | 26 | | // The condition is reformulated relative to the version on | 27 | | // www.securecoding.cert.org to check for valid instead of invalid cases. It | 28 | | // seems safer to enumerate the valid cases (and potentially miss one) than | 29 | | // enumerate the invalid cases. | 30 | | // If T is an unsigned type, the second half of the condition always evaluates | 31 | | // to false and will presumably be compiled out by the compiler. | 32 | 6.53M | if ((arg1 >= 0 && arg2 <= std::numeric_limits<T>::max() - arg1) || | 33 | 6.53M | (arg1 < 0 && arg2 >= std::numeric_limits<T>::min() - arg1)) { | 34 | 6.52M | return arg1 + arg2; | 35 | 6.52M | } else { | 36 | 2.03k | ThrowProgramError("Arithmetic overflow"); | 37 | 2.03k | abort(); // Never reached. | 38 | 2.03k | } | 39 | 6.53M | } |
dng_safe_arithmetic.cpp:unsigned long (anonymous namespace)::SafeAdd<unsigned long>(unsigned long, unsigned long) Line | Count | Source | 25 | 236k | T SafeAdd(T arg1, T arg2) { | 26 | | // The condition is reformulated relative to the version on | 27 | | // www.securecoding.cert.org to check for valid instead of invalid cases. It | 28 | | // seems safer to enumerate the valid cases (and potentially miss one) than | 29 | | // enumerate the invalid cases. | 30 | | // If T is an unsigned type, the second half of the condition always evaluates | 31 | | // to false and will presumably be compiled out by the compiler. | 32 | 236k | if ((arg1 >= 0 && arg2 <= std::numeric_limits<T>::max() - arg1) || | 33 | 236k | (arg1 < 0 && arg2 >= std::numeric_limits<T>::min() - arg1)) { | 34 | 236k | return arg1 + arg2; | 35 | 236k | } else { | 36 | 23 | ThrowProgramError("Arithmetic overflow"); | 37 | 23 | abort(); // Never reached. | 38 | 23 | } | 39 | 236k | } |
|
40 | | |
41 | | // Returns the result of multiplying arg1 and arg2 if it will fit in a T (where |
42 | | // T is an unsigned integer type). Otherwise, throws a dng_exception with error |
43 | | // code dng_error_unknown. |
44 | | template <class T> |
45 | 47.3M | T SafeUnsignedMult(T arg1, T arg2) { |
46 | 47.3M | if (arg1 == 0 || arg2 <= std::numeric_limits<T>::max() / arg1) { |
47 | 47.3M | return arg1 * arg2; |
48 | 47.3M | } else { |
49 | 35.1k | ThrowProgramError("Arithmetic overflow"); |
50 | 35.1k | abort(); // Never reached. |
51 | 35.1k | } |
52 | 47.3M | } dng_safe_arithmetic.cpp:unsigned int (anonymous namespace)::SafeUnsignedMult<unsigned int>(unsigned int, unsigned int) Line | Count | Source | 45 | 47.0M | T SafeUnsignedMult(T arg1, T arg2) { | 46 | 47.0M | if (arg1 == 0 || arg2 <= std::numeric_limits<T>::max() / arg1) { | 47 | 47.0M | return arg1 * arg2; | 48 | 47.0M | } else { | 49 | 35.1k | ThrowProgramError("Arithmetic overflow"); | 50 | 35.1k | abort(); // Never reached. | 51 | 35.1k | } | 52 | 47.0M | } |
dng_safe_arithmetic.cpp:unsigned long (anonymous namespace)::SafeUnsignedMult<unsigned long>(unsigned long, unsigned long) Line | Count | Source | 45 | 296k | T SafeUnsignedMult(T arg1, T arg2) { | 46 | 296k | if (arg1 == 0 || arg2 <= std::numeric_limits<T>::max() / arg1) { | 47 | 296k | return arg1 * arg2; | 48 | 296k | } else { | 49 | 0 | ThrowProgramError("Arithmetic overflow"); | 50 | 0 | abort(); // Never reached. | 51 | 0 | } | 52 | 296k | } |
|
53 | | |
54 | | } // namespace |
55 | | |
56 | 0 | bool SafeInt32Add(std::int32_t arg1, std::int32_t arg2, std::int32_t *result) { |
57 | 0 | try { |
58 | 0 | *result = SafeInt32Add(arg1, arg2); |
59 | 0 | return true; |
60 | 0 | } catch (const dng_exception &) { |
61 | 0 | return false; |
62 | 0 | } |
63 | 0 | } |
64 | | |
65 | 5.28M | std::int32_t SafeInt32Add(std::int32_t arg1, std::int32_t arg2) { |
66 | 5.28M | return SafeAdd<std::int32_t>(arg1, arg2); |
67 | 5.28M | } |
68 | | |
69 | 831M | std::int64_t SafeInt64Add(std::int64_t arg1, std::int64_t arg2) { |
70 | 831M | return SafeAdd<std::int64_t>(arg1, arg2); |
71 | 831M | } |
72 | | |
73 | | bool SafeUint32Add(std::uint32_t arg1, std::uint32_t arg2, |
74 | 654k | std::uint32_t *result) { |
75 | 654k | try { |
76 | 654k | *result = SafeUint32Add(arg1, arg2); |
77 | 654k | return true; |
78 | 654k | } catch (const dng_exception &) { |
79 | 1.06k | return false; |
80 | 1.06k | } |
81 | 654k | } |
82 | | |
83 | 6.53M | std::uint32_t SafeUint32Add(std::uint32_t arg1, std::uint32_t arg2) { |
84 | 6.53M | return SafeAdd<std::uint32_t>(arg1, arg2); |
85 | 6.53M | } |
86 | | |
87 | 236k | std::uint64_t SafeUint64Add(std::uint64_t arg1, std::uint64_t arg2) { |
88 | 236k | return SafeAdd<std::uint64_t>(arg1, arg2); |
89 | 236k | } |
90 | | |
91 | 64.7M | bool SafeInt32Sub(std::int32_t arg1, std::int32_t arg2, std::int32_t *result) { |
92 | 64.7M | if ((arg2 >= 0 && arg1 >= std::numeric_limits<int32_t>::min() + arg2) || |
93 | 64.7M | (arg2 < 0 && arg1 <= std::numeric_limits<int32_t>::max() + arg2)) { |
94 | 64.7M | *result = arg1 - arg2; |
95 | 64.7M | return true; |
96 | 64.7M | } else { |
97 | 177 | return false; |
98 | 177 | } |
99 | 64.7M | } |
100 | | |
101 | 1.76M | std::int32_t SafeInt32Sub(std::int32_t arg1, std::int32_t arg2) { |
102 | 1.76M | std::int32_t result = 0; |
103 | | |
104 | 1.76M | if (!SafeInt32Sub(arg1, arg2, &result)) { |
105 | 0 | ThrowProgramError("Arithmetic overflow"); |
106 | 0 | } |
107 | | |
108 | 1.76M | return result; |
109 | 1.76M | } |
110 | | |
111 | 1.62M | std::uint32_t SafeUint32Sub(std::uint32_t arg1, std::uint32_t arg2) { |
112 | 1.62M | if (arg1 >= arg2) { |
113 | 1.62M | return arg1 - arg2; |
114 | 1.62M | } else { |
115 | 3.25k | ThrowProgramError("Arithmetic overflow"); |
116 | 3.25k | abort(); // Never reached. |
117 | 3.25k | } |
118 | 1.62M | } |
119 | | |
120 | | bool SafeUint32Mult(std::uint32_t arg1, std::uint32_t arg2, |
121 | 5.23M | std::uint32_t *result) { |
122 | 5.23M | try { |
123 | 5.23M | *result = SafeUint32Mult(arg1, arg2); |
124 | 5.23M | return true; |
125 | 5.23M | } catch (const dng_exception &) { |
126 | 450 | return false; |
127 | 450 | } |
128 | 5.23M | } |
129 | | |
130 | | bool SafeUint32Mult(std::uint32_t arg1, std::uint32_t arg2, std::uint32_t arg3, |
131 | 0 | std::uint32_t *result) { |
132 | 0 | try { |
133 | 0 | *result = SafeUint32Mult(arg1, arg2, arg3); |
134 | 0 | return true; |
135 | 0 | } catch (const dng_exception &) { |
136 | 0 | return false; |
137 | 0 | } |
138 | 0 | } |
139 | | |
140 | | bool SafeUint32Mult(std::uint32_t arg1, std::uint32_t arg2, std::uint32_t arg3, |
141 | 0 | std::uint32_t arg4, std::uint32_t *result) { |
142 | 0 | try { |
143 | 0 | *result = SafeUint32Mult(arg1, arg2, arg3, arg4); |
144 | 0 | return true; |
145 | 0 | } catch (const dng_exception &) { |
146 | 0 | return false; |
147 | 0 | } |
148 | 0 | } |
149 | | |
150 | 47.0M | std::uint32_t SafeUint32Mult(std::uint32_t arg1, std::uint32_t arg2) { |
151 | 47.0M | return SafeUnsignedMult<std::uint32_t>(arg1, arg2); |
152 | 47.0M | } |
153 | | |
154 | | std::uint32_t SafeUint32Mult(std::uint32_t arg1, std::uint32_t arg2, |
155 | 279k | std::uint32_t arg3) { |
156 | 279k | return SafeUint32Mult(SafeUint32Mult(arg1, arg2), arg3); |
157 | 279k | } |
158 | | |
159 | | std::uint32_t SafeUint32Mult(std::uint32_t arg1, std::uint32_t arg2, |
160 | 182k | std::uint32_t arg3, std::uint32_t arg4) { |
161 | 182k | return SafeUint32Mult(SafeUint32Mult(arg1, arg2, arg3), arg4); |
162 | 182k | } |
163 | | |
164 | 2.22k | std::int32_t SafeInt32Mult(std::int32_t arg1, std::int32_t arg2) { |
165 | 2.22k | const std::int64_t tmp = |
166 | 2.22k | static_cast<std::int64_t>(arg1) * static_cast<std::int64_t>(arg2); |
167 | 2.22k | if (tmp >= std::numeric_limits<std::int32_t>::min() && |
168 | 2.22k | tmp <= std::numeric_limits<std::int32_t>::max()) { |
169 | 1.94k | return static_cast<std::int32_t>(tmp); |
170 | 1.94k | } else { |
171 | 276 | ThrowProgramError("Arithmetic overflow"); |
172 | 276 | abort(); |
173 | 276 | } |
174 | 2.22k | } |
175 | | |
176 | 296k | std::size_t SafeSizetMult(std::size_t arg1, std::size_t arg2) { |
177 | 296k | return SafeUnsignedMult<std::size_t>(arg1, arg2); |
178 | 296k | } |
179 | | |
180 | | namespace dng_internal { |
181 | | |
182 | 0 | std::int64_t SafeInt64MultSlow(std::int64_t arg1, std::int64_t arg2) { |
183 | 0 | bool overflow = true; |
184 | |
|
185 | 0 | if (arg1 > 0) { |
186 | 0 | if (arg2 > 0) { |
187 | 0 | overflow = (arg1 > std::numeric_limits<std::int64_t>::max() / arg2); |
188 | 0 | } else { |
189 | 0 | overflow = (arg2 < std::numeric_limits<std::int64_t>::min() / arg1); |
190 | 0 | } |
191 | 0 | } else { |
192 | 0 | if (arg2 > 0) { |
193 | 0 | overflow = (arg1 < std::numeric_limits<std::int64_t>::min() / arg2); |
194 | 0 | } else { |
195 | 0 | overflow = (arg1 != 0 && |
196 | 0 | arg2 < std::numeric_limits<std::int64_t>::max() / arg1); |
197 | 0 | } |
198 | 0 | } |
199 | |
|
200 | 0 | if (overflow) { |
201 | 0 | ThrowProgramError("Arithmetic overflow"); |
202 | 0 | abort(); // Never reached. |
203 | 0 | } else { |
204 | 0 | return arg1 * arg2; |
205 | 0 | } |
206 | 0 | } |
207 | | |
208 | | } // namespace dng_internal |
209 | | |
210 | 288k | std::uint32_t SafeUint32DivideUp(std::uint32_t arg1, std::uint32_t arg2) { |
211 | | // It might seem more intuitive to implement this function simply as |
212 | | // |
213 | | // return arg2 == 0 ? 0 : (arg1 + arg2 - 1) / arg2; |
214 | | // |
215 | | // but the expression "arg1 + arg2" can wrap around. |
216 | | |
217 | 288k | if (arg2 == 0) { |
218 | 0 | ThrowProgramError("Division by zero"); |
219 | 0 | abort(); // Never reached. |
220 | 288k | } else if (arg1 == 0) { |
221 | | // If arg1 is zero, return zero to avoid wraparound in the expression |
222 | | // "arg1 - 1" below. |
223 | 369 | return 0; |
224 | 288k | } else { |
225 | 288k | return (arg1 - 1) / arg2 + 1; |
226 | 288k | } |
227 | 288k | } |
228 | | |
229 | | bool RoundUpUint32ToMultiple(std::uint32_t val, std::uint32_t multiple_of, |
230 | 3.62M | std::uint32_t *result) { |
231 | 3.62M | try { |
232 | 3.62M | *result = RoundUpUint32ToMultiple(val, multiple_of); |
233 | 3.62M | return true; |
234 | 3.62M | } catch (const dng_exception &) { |
235 | 0 | return false; |
236 | 0 | } |
237 | 3.62M | } |
238 | | |
239 | | std::uint32_t RoundUpUint32ToMultiple(std::uint32_t val, |
240 | 3.68M | std::uint32_t multiple_of) { |
241 | 3.68M | if (multiple_of == 0) { |
242 | 0 | ThrowProgramError("multiple_of is zero in RoundUpUint32ToMultiple"); |
243 | 0 | } |
244 | | |
245 | 3.68M | const std::uint32_t remainder = val % multiple_of; |
246 | 3.68M | if (remainder == 0) { |
247 | 2.32M | return val; |
248 | 2.32M | } else { |
249 | 1.36M | return SafeUint32Add(val, multiple_of - remainder); |
250 | 1.36M | } |
251 | 3.68M | } |
252 | | |
253 | 11.8M | bool ConvertUint32ToInt32(std::uint32_t val, std::int32_t *result) { |
254 | 11.8M | try { |
255 | 11.8M | *result = ConvertUint32ToInt32(val); |
256 | 11.8M | return true; |
257 | 11.8M | } catch (const dng_exception &) { |
258 | 12 | return false; |
259 | 12 | } |
260 | 11.8M | } |
261 | | |
262 | 13.6M | std::int32_t ConvertUint32ToInt32(std::uint32_t val) { |
263 | 13.6M | const std::uint32_t kInt32MaxAsUint32 = |
264 | 13.6M | static_cast<std::uint32_t>(std::numeric_limits<std::int32_t>::max()); |
265 | | |
266 | 13.6M | if (val <= kInt32MaxAsUint32) { |
267 | 13.6M | return static_cast<std::int32_t>(val); |
268 | 13.6M | } else { |
269 | 25 | ThrowProgramError("Arithmetic overflow"); |
270 | 25 | abort(); // Never reached. |
271 | 25 | } |
272 | 13.6M | } |
273 | | |
274 | 161k | std::int32_t ConvertDoubleToInt32(double val) { |
275 | 161k | const double kMin = |
276 | 161k | static_cast<double>(std::numeric_limits<std::int32_t>::min()); |
277 | 161k | const double kMax = |
278 | 161k | static_cast<double>(std::numeric_limits<std::int32_t>::max()); |
279 | | // NaNs will fail this test; they always compare false. |
280 | 161k | if (val > kMin - 1.0 && val < kMax + 1.0) { |
281 | 154k | return static_cast<std::int32_t>(val); |
282 | 154k | } else { |
283 | 6.74k | ThrowProgramError("Argument not in range in ConvertDoubleToInt32"); |
284 | 6.74k | abort(); // Never reached. |
285 | 6.74k | } |
286 | 161k | } |
287 | | |
288 | 664M | std::uint32_t ConvertDoubleToUint32(double val) { |
289 | 664M | const double kMax = |
290 | 664M | static_cast<double>(std::numeric_limits<std::uint32_t>::max()); |
291 | | // NaNs will fail this test; they always compare false. |
292 | 664M | if (val >= 0.0 && val < kMax + 1.0) { |
293 | 664M | return static_cast<std::uint32_t>(val); |
294 | 664M | } else { |
295 | 1.20k | ThrowProgramError("Argument not in range in ConvertDoubleToUint32"); |
296 | 1.20k | abort(); // Never reached. |
297 | 1.20k | } |
298 | 664M | } |
299 | | |
300 | 10.3k | float ConvertDoubleToFloat(double val) { |
301 | 10.3k | const double kMax = std::numeric_limits<float>::max(); |
302 | 10.3k | if (val > kMax) { |
303 | 220 | return std::numeric_limits<float>::infinity(); |
304 | 10.0k | } else if (val < -kMax) { |
305 | 517 | return -std::numeric_limits<float>::infinity(); |
306 | 9.56k | } else { |
307 | | // The cases that end up here are: |
308 | | // - values in [-kMax, kMax] |
309 | | // - NaN (because it always compares false) |
310 | 9.56k | return static_cast<float>(val); |
311 | 9.56k | } |
312 | 10.3k | } |