/*

 * Copyright © 2007, 2008 Ryan Lortie

 * Copyright © 2010 Codethink Limited

 * Copyright © 2020 William Manley

 *

 * SPDX-License-Identifier: LGPL-2.1-or-later

 *

 * This library is free software; you can redistribute it and/or

 * modify it under the terms of the GNU Lesser General Public

 * License as published by the Free Software Foundation; either

 * version 2.1 of the License, or (at your option) any later version.

 *

 * This library is distributed in the hope that it will be useful,

 * but WITHOUT ANY WARRANTY; without even the implied warranty of

 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU

 * Lesser General Public License for more details.

 *

 * You should have received a copy of the GNU Lesser General Public

 * License along with this library; if not, see <http://www.gnu.org/licenses/>.

 *

 * Author: Ryan Lortie <desrt@desrt.ca>

 */

/* Prologue {{{1 */

#include "config.h"

#include "gvariant-serialiser.h"

#include <glib/gvariant-internal.h>

#include <glib/gtestutils.h>

#include <glib/gstrfuncs.h>

#include <glib/gtypes.h>

#include <string.h>

/* GVariantSerialiser

 *

 * After this prologue section, this file has roughly 2 parts.

 *

 * The first part is split up into sections according to various

 * container types.  Maybe, Array, Tuple, Variant.  The Maybe and Array

 * sections are subdivided for element types being fixed or

 * variable-sized types.

 *

 * Each section documents the format of that particular type of

 * container and implements 5 functions for dealing with it:

 *

 *  n_children:

 *    - determines (according to serialized data) how many child values

 *      are inside a particular container value.

 *

 *  get_child:

 *    - gets the type of and the serialized data corresponding to a

 *      given child value within the container value.

 *

 *  needed_size:

 *    - determines how much space would be required to serialize a

 *      container of this type, containing the given children so that

 *      buffers can be preallocated before serializing.

 *

 *  serialise:

 *    - write the serialized data for a container of this type,

 *      containing the given children, to a buffer.

 *

 *  is_normal:

 *    - check the given data to ensure that it is in normal form.  For a

 *      given set of child values, there is exactly one normal form for

 *      the serialized data of a container.  Other forms are possible

 *      while maintaining the same children (for example, by inserting

 *      something other than zero bytes as padding) but only one form is

 *      the normal form.

 *

 * The second part contains the main entry point for each of the above 5

 * functions and logic to dispatch it to the handler for the appropriate

 * container type code.

 *

 * The second part also contains a routine to byteswap serialized

 * values.  This code makes use of the n_children() and get_child()

 * functions above to do its work so no extra support is needed on a

 * per-container-type basis.

 *

 * There is also additional code for checking for normal form.  All

 * numeric types are always in normal form since the full range of

 * values is permitted (eg: 0 to 255 is a valid byte).  Special checks

 * need to be performed for booleans (only 0 or 1 allowed), strings

 * (properly nul-terminated) and object paths and signature strings

 * (meeting the D-Bus specification requirements).  Depth checks need to be

 * performed for nested types (arrays, tuples, and variants), to avoid massive

 * recursion which could exhaust our stack when handling untrusted input.

 */

/* < private >

 * GVariantSerialised:

 * @type_info: the #GVariantTypeInfo of this value

 * @data: (nullable): the serialized data of this value, or %NULL

 * @size: the size of this value

 *

 * A structure representing a GVariant in serialized form.  This

 * structure is used with #GVariantSerialisedFiller functions and as the

 * primary interface to the serializer.  See #GVariantSerialisedFiller

 * for a description of its use there.

 *

 * When used with the serializer API functions, the following invariants

 * apply to all #GVariantTypeSerialised structures passed to and

 * returned from the serializer.

 *

 * @type_info must be non-%NULL.

 *

 * @data must be properly aligned for the type described by @type_info.

 *

 * If @type_info describes a fixed-sized type then @size must always be

 * equal to the fixed size of that type.

 *

 * For fixed-sized types (and only fixed-sized types), @data may be

 * %NULL even if @size is non-zero.  This happens when a framing error

 * occurs while attempting to extract a fixed-sized value out of a

 * variable-sized container.  There is no data to return for the

 * fixed-sized type, yet @size must be non-zero.  The effect of this

 * combination should be as if @data were a pointer to an

 * appropriately-sized zero-filled region.

 *

 * @depth has no restrictions; the depth of a top-level serialized #GVariant is

 * zero, and it increases for each level of nested child.

 *

 * @checked_offsets_up_to is always ≥ @ordered_offsets_up_to

 */

/* < private >

 * g_variant_serialised_check:

 * @serialised: a #GVariantSerialised struct

 *

 * Checks @serialised for validity according to the invariants described

 * above.

 *

 * Returns: %TRUE if @serialised is valid; %FALSE otherwise

 */

gboolean

g_variant_serialised_check (GVariantSerialised serialised)

{

  gsize fixed_size;

  guint alignment;

  if (serialised.type_info == NULL)

    return FALSE;

  g_variant_type_info_query (serialised.type_info, &alignment, &fixed_size);

  if (fixed_size != 0 && serialised.size != fixed_size)

    return FALSE;

  else if (fixed_size == 0 &&

           !(serialised.size == 0 || serialised.data != NULL))

    return FALSE;

  if (serialised.ordered_offsets_up_to > serialised.checked_offsets_up_to)

    return FALSE;

  /* Depending on the native alignment requirements of the machine, the

   * compiler will insert either 3 or 7 padding bytes after the char.

   * This will result in the sizeof() the struct being 12 or 16.

   * Subtract 9 to get 3 or 7 which is a nice bitmask to apply to get

   * the alignment bits that we "care about" being zero: in the

   * 4-aligned case, we care about 2 bits, and in the 8-aligned case, we

   * care about 3 bits.

   */

  alignment &= sizeof (struct {

                         char a;

                         union {

                           guint64 x;

                           void *y;

                           gdouble z;

                         } b;

                       }

                      ) - 9;

  /* Some OSes (FreeBSD is a known example) have a malloc() that returns

   * unaligned memory if you request small sizes.  'malloc (1);', for

   * example, has been seen to return pointers aligned to 6 mod 16.

   *

   * Check if this is a small allocation and return without enforcing

   * the alignment assertion if this is the case.

   */

  return (serialised.size <= alignment ||

          (alignment & (gsize) serialised.data) == 0);

}

/* < private >

 * GVariantSerialisedFiller:

 * @serialised: a #GVariantSerialised instance to fill

 * @data: data from the children array

 *

 * This function is called back from g_variant_serialiser_needed_size()

 * and g_variant_serialiser_serialise().  It fills in missing details

 * from a partially-complete #GVariantSerialised.

 *

 * The @data parameter passed back to the function is one of the items

 * that was passed to the serializer in the @children array.  It

 * represents a single child item of the container that is being

 * serialized.  The information filled in to @serialised is the

 * information for this child.

 *

 * If the @type_info field of @serialised is %NULL then the callback

 * function must set it to the type information corresponding to the

 * type of the child.  No reference should be added.  If it is non-%NULL

 * then the callback should assert that it is equal to the actual type

 * of the child.

 *

 * If the @size field is zero then the callback must fill it in with the

 * required amount of space to store the serialized form of the child.

 * If it is non-zero then the callback should assert that it is equal to

 * the needed size of the child.

 *

 * If @data is non-%NULL then it points to a space that is properly

 * aligned for and large enough to store the serialized data of the

 * child.  The callback must store the serialized form of the child at

 * @data.

 *

 * If the child value is another container then the callback will likely

 * recurse back into the serializer by calling

 * g_variant_serialiser_needed_size() to determine @size and

 * g_variant_serialiser_serialise() to write to @data.

 */

/* PART 1: Container types {{{1

 *

 * This section contains the serializer implementation functions for

 * each container type.

 */

/* Maybe {{{2

 *

 * Maybe types are handled depending on if the element type of the maybe

 * type is a fixed-sized or variable-sized type.  Although all maybe

 * types themselves are variable-sized types, herein, a maybe value with

 * a fixed-sized element type is called a "fixed-sized maybe" for

 * convenience and a maybe value with a variable-sized element type is

 * called a "variable-sized maybe".

 */

/* Fixed-sized Maybe {{{3

 *

 * The size of a maybe value with a fixed-sized element type is either 0

 * or equal to the fixed size of its element type.  The case where the

 * size of the maybe value is zero corresponds to the "Nothing" case and

 * the case where the size of the maybe value is equal to the fixed size

 * of the element type corresponds to the "Just" case; in that case, the

 * serialized data of the child value forms the entire serialized data

 * of the maybe value.

 *

 * In the event that a fixed-sized maybe value is presented with a size

 * that is not equal to the fixed size of the element type then the

 * value must be taken to be "Nothing".

 */

static gsize

gvs_fixed_sized_maybe_n_children (GVariantSerialised value)

{

  gsize element_fixed_size;

  g_variant_type_info_query_element (value.type_info, NULL,

                                     &element_fixed_size);

  return (element_fixed_size == value.size) ? 1 : 0;

}

static GVariantSerialised

gvs_fixed_sized_maybe_get_child (GVariantSerialised value,

                                 gsize              index_)

{

  /* the child has the same bounds as the

   * container, so just update the type.

   */

  value.type_info = g_variant_type_info_element (value.type_info);

  g_variant_type_info_ref (value.type_info);

  value.depth++;

  value.ordered_offsets_up_to = 0;

  value.checked_offsets_up_to = 0;

  return value;

}

static gsize

gvs_fixed_sized_maybe_needed_size (GVariantTypeInfo         *type_info,

                                   GVariantSerialisedFiller  gvs_filler,

                                   const gpointer           *children,

                                   gsize                     n_children)

{

  if (n_children)

    {

      gsize element_fixed_size;

      g_variant_type_info_query_element (type_info, NULL,

                                         &element_fixed_size);

      return element_fixed_size;

    }

  else

    return 0;

}

static void

gvs_fixed_sized_maybe_serialise (GVariantSerialised        value,

                                 GVariantSerialisedFiller  gvs_filler,

                                 const gpointer           *children,

                                 gsize                     n_children)

{

  if (n_children)

    {

      GVariantSerialised child = { NULL, value.data, value.size, value.depth + 1, 0, 0 };

      gvs_filler (&child, children[0]);

    }

}

static gboolean

gvs_fixed_sized_maybe_is_normal (GVariantSerialised value)

{

  if (value.size > 0)

    {

      gsize element_fixed_size;

      g_variant_type_info_query_element (value.type_info,

                                         NULL, &element_fixed_size);

      if (value.size != element_fixed_size)

        return FALSE;

      /* proper element size: "Just".  recurse to the child. */

      value.type_info = g_variant_type_info_element (value.type_info);

      value.depth++;

      value.ordered_offsets_up_to = 0;

      value.checked_offsets_up_to = 0;

      return g_variant_serialised_is_normal (value);

    }

  /* size of 0: "Nothing" */

  return TRUE;

}

/* Variable-sized Maybe

 *

 * The size of a maybe value with a variable-sized element type is

 * either 0 or strictly greater than 0.  The case where the size of the

 * maybe value is zero corresponds to the "Nothing" case and the case

 * where the size of the maybe value is greater than zero corresponds to

 * the "Just" case; in that case, the serialized data of the child value

 * forms the first part of the serialized data of the maybe value and is

 * followed by a single zero byte.  This zero byte is always appended,

 * regardless of any zero bytes that may already be at the end of the

 * serialized ata of the child value.

 */

static gsize

gvs_variable_sized_maybe_n_children (GVariantSerialised value)

{

  return (value.size > 0) ? 1 : 0;

}

static GVariantSerialised

gvs_variable_sized_maybe_get_child (GVariantSerialised value,

                                    gsize              index_)

{

  /* remove the padding byte and update the type. */

  value.type_info = g_variant_type_info_element (value.type_info);

  g_variant_type_info_ref (value.type_info);

  value.size--;

  /* if it's zero-sized then it may as well be NULL */

  if (value.size == 0)

    value.data = NULL;

  value.depth++;

  value.ordered_offsets_up_to = 0;

  value.checked_offsets_up_to = 0;

  return value;

}

static gsize

gvs_variable_sized_maybe_needed_size (GVariantTypeInfo         *type_info,

                                      GVariantSerialisedFiller  gvs_filler,

                                      const gpointer           *children,

                                      gsize                     n_children)

{

  if (n_children)

    {

      GVariantSerialised child = { 0, };

      gvs_filler (&child, children[0]);

      return child.size + 1;

    }

  else

    return 0;

}

static void

gvs_variable_sized_maybe_serialise (GVariantSerialised        value,

                                    GVariantSerialisedFiller  gvs_filler,

                                    const gpointer           *children,

                                    gsize                     n_children)

{

  if (n_children)

    {

      GVariantSerialised child = { NULL, value.data, value.size - 1, value.depth + 1, 0, 0 };

      /* write the data for the child.  */

      gvs_filler (&child, children[0]);

      value.data[child.size] = '\0';

    }

}

static gboolean

gvs_variable_sized_maybe_is_normal (GVariantSerialised value)

{

  if (value.size == 0)

    return TRUE;

  if (value.data[value.size - 1] != '\0')

    return FALSE;

  value.type_info = g_variant_type_info_element (value.type_info);

  value.size--;

  value.depth++;

  value.ordered_offsets_up_to = 0;

  value.checked_offsets_up_to = 0;

  return g_variant_serialised_is_normal (value);

}

/* Arrays {{{2

 *

 * Just as with maybe types, array types are handled depending on if the

 * element type of the array type is a fixed-sized or variable-sized

 * type.  Similar to maybe types, for convenience, an array value with a

 * fixed-sized element type is called a "fixed-sized array" and an array

 * value with a variable-sized element type is called a "variable sized

 * array".

 */

/* Fixed-sized Array {{{3

 *

 * For fixed sized arrays, the serialized data is simply a concatenation

 * of the serialized data of each element, in order.  Since fixed-sized

 * values always have a fixed size that is a multiple of their alignment

 * requirement no extra padding is required.

 *

 * In the event that a fixed-sized array is presented with a size that

 * is not an integer multiple of the element size then the value of the

 * array must be taken as being empty.

 */

static gsize

gvs_fixed_sized_array_n_children (GVariantSerialised value)

{

  gsize element_fixed_size;

  g_variant_type_info_query_element (value.type_info, NULL,

                                     &element_fixed_size);

  if (value.size % element_fixed_size == 0)

    return value.size / element_fixed_size;

  return 0;

}

static GVariantSerialised

gvs_fixed_sized_array_get_child (GVariantSerialised value,

                                 gsize              index_)

{

  GVariantSerialised child = { 0, };

  child.type_info = g_variant_type_info_element (value.type_info);

  g_variant_type_info_query (child.type_info, NULL, &child.size);

  child.data = value.data + (child.size * index_);

  g_variant_type_info_ref (child.type_info);

  child.depth = value.depth + 1;

  return child;

}

static gsize

gvs_fixed_sized_array_needed_size (GVariantTypeInfo         *type_info,

                                   GVariantSerialisedFiller  gvs_filler,

                                   const gpointer           *children,

                                   gsize                     n_children)

{

  gsize element_fixed_size;

  g_variant_type_info_query_element (type_info, NULL, &element_fixed_size);

  return element_fixed_size * n_children;

}

static void

gvs_fixed_sized_array_serialise (GVariantSerialised        value,

                                 GVariantSerialisedFiller  gvs_filler,

                                 const gpointer           *children,

                                 gsize                     n_children)

{

  GVariantSerialised child = { 0, };

  gsize i;

  child.type_info = g_variant_type_info_element (value.type_info);

  g_variant_type_info_query (child.type_info, NULL, &child.size);

  child.data = value.data;

  child.depth = value.depth + 1;

  for (i = 0; i < n_children; i++)

    {

      gvs_filler (&child, children[i]);

      child.data += child.size;

    }

}

static gboolean

gvs_fixed_sized_array_is_normal (GVariantSerialised value)

{

  GVariantSerialised child = { 0, };

  child.type_info = g_variant_type_info_element (value.type_info);

  g_variant_type_info_query (child.type_info, NULL, &child.size);

  child.depth = value.depth + 1;

  if (value.size % child.size != 0)

    return FALSE;

  for (child.data = value.data;

       child.data < value.data + value.size;

       child.data += child.size)

    {

      if (!g_variant_serialised_is_normal (child))

        return FALSE;

    }

  return TRUE;

}

/* Variable-sized Array {{{3

 *

 * Variable sized arrays, containing variable-sized elements, must be

 * able to determine the boundaries between the elements.  The items

 * cannot simply be concatenated.  Additionally, we are faced with the

 * fact that non-fixed-sized values do not necessarily have a size that

 * is a multiple of their alignment requirement, so we may need to

 * insert zero-filled padding.

 *

 * While it is possible to find the start of an item by starting from

 * the end of the item before it and padding for alignment, it is not

 * generally possible to do the reverse operation.  For this reason, we

 * record the end point of each element in the array.

 *

 * GVariant works in terms of "offsets".  An offset is a pointer to a

 * boundary between two bytes.  In 4 bytes of serialized data, there

 * would be 5 possible offsets: one at the start ('0'), one between each

 * pair of adjacent bytes ('1', '2', '3') and one at the end ('4').

 *

 * The numeric value of an offset is an unsigned integer given relative

 * to the start of the serialized data of the array.  Offsets are always

 * stored in little endian byte order and are always only as big as they

 * need to be.  For example, in 255 bytes of serialized data, there are

 * 256 offsets.  All possibilities can be stored in an 8 bit unsigned

 * integer.  In 256 bytes of serialized data, however, there are 257

 * possible offsets so 16 bit integers must be used.  The size of an

 * offset is always a power of 2.

 *

 * The offsets are stored at the end of the serialized data of the

 * array.  They are simply concatenated on without any particular

 * alignment.  The size of the offsets is included in the size of the

 * serialized data for purposes of determining the size of the offsets.

 * This presents a possibly ambiguity; in certain cases, a particular

 * value of array could have two different serialized forms.

 *

 * Imagine an array containing a single string of 253 bytes in length

 * (so, 254 bytes including the nul terminator).  Now the offset must be

 * written.  If an 8 bit offset is written, it will bring the size of

 * the array's serialized data to 255 -- which means that the use of an

 * 8 bit offset was valid.  If a 16 bit offset is used then the total

 * size of the array will be 256 -- which means that the use of a 16 bit

 * offset was valid.  Although both of these will be accepted by the

 * deserializer, only the smaller of the two is considered to be in

 * normal form and that is the one that the serializer must produce.

 */

/* bytes may be NULL if (size == 0). */

static inline gsize

gvs_read_unaligned_le (guchar *bytes,

                       guint   size)

{

  union

  {

    guchar bytes[GLIB_SIZEOF_SIZE_T];

    gsize integer;

  } tmpvalue;

  tmpvalue.integer = 0;

  if (bytes != NULL)

    memcpy (&tmpvalue.bytes, bytes, size);

  return GSIZE_FROM_LE (tmpvalue.integer);

}

static inline void

gvs_write_unaligned_le (guchar *bytes,

                        gsize   value,

                        guint   size)

{

  union

  {

    guchar bytes[GLIB_SIZEOF_SIZE_T];

    gsize integer;

  } tmpvalue;

  tmpvalue.integer = GSIZE_TO_LE (value);

  memcpy (bytes, &tmpvalue.bytes, size);

}

static guint

gvs_get_offset_size (gsize size)

{

  if (size > G_MAXUINT32)

    return 8;

  else if (size > G_MAXUINT16)

    return 4;

  else if (size > G_MAXUINT8)

    return 2;

  else if (size > 0)

    return 1;

  return 0;

}

static gsize

gvs_calculate_total_size (gsize body_size,

                          gsize offsets)

{

  if (body_size + 1 * offsets <= G_MAXUINT8)

    return body_size + 1 * offsets;

  if (body_size + 2 * offsets <= G_MAXUINT16)

    return body_size + 2 * offsets;

  if (body_size + 4 * offsets <= G_MAXUINT32)

    return body_size + 4 * offsets;

  return body_size + 8 * offsets;

}

struct Offsets

{

  gsize     data_size;

  guchar   *array;

  gsize     length;

  guint     offset_size;

  gboolean  is_normal;

};

static gsize

gvs_offsets_get_offset_n (struct Offsets *offsets,

                          gsize           n)

{

  return gvs_read_unaligned_le (

      offsets->array + (offsets->offset_size * n), offsets->offset_size);

}

static struct Offsets

gvs_variable_sized_array_get_frame_offsets (GVariantSerialised value)

{

  struct Offsets out = { 0, };

  gsize offsets_array_size;

  gsize last_end;

  if (value.size == 0)

    {

      out.is_normal = TRUE;

      return out;

    }

  out.offset_size = gvs_get_offset_size (value.size);

  last_end = gvs_read_unaligned_le (value.data + value.size - out.offset_size,

                                    out.offset_size);

  if (last_end > value.size)

    return out;  /* offsets not normal */

  offsets_array_size = value.size - last_end;

  if (offsets_array_size % out.offset_size)

    return out;  /* offsets not normal */

  out.data_size = last_end;

  out.array = value.data + last_end;

  out.length = offsets_array_size / out.offset_size;

  if (out.length > 0 && gvs_calculate_total_size (last_end, out.length) != value.size)

    return out;  /* offset size not minimal */

  out.is_normal = TRUE;

  return out;

}

static gsize

gvs_variable_sized_array_n_children (GVariantSerialised value)

{

  return gvs_variable_sized_array_get_frame_offsets (value).length;

}

/* Find the index of the first out-of-order element in @data, assuming that

 * @data is an array of elements of given @type, starting at index @start and

 * containing a further @len-@start elements. */

#define DEFINE_FIND_UNORDERED(type, le_to_native) \

  static gsize \

  find_unordered_##type (const guint8 *data, gsize start, gsize len) \

  { \

    gsize off; \

    type current_le, previous_le, current, previous; \

    \

    memcpy (&previous_le, data + start * sizeof (current), sizeof (current)); \

    previous = le_to_native (previous_le); \

    for (off = (start + 1) * sizeof (current); off < len * sizeof (current); off += sizeof (current)) \

      { \

        memcpy (&current_le, data + off, sizeof (current)); \

        current = le_to_native (current_le); \

        if (current < previous) \

          break; \

        previous = current; \

      } \

    return off / sizeof (current) - 1; \

  }

Unexecuted instantiation: gvariant-serialiser.c:find_unordered_guint8

Unexecuted instantiation: gvariant-serialiser.c:find_unordered_guint16

Unexecuted instantiation: gvariant-serialiser.c:find_unordered_guint32

Unexecuted instantiation: gvariant-serialiser.c:find_unordered_guint64

#define NO_CONVERSION(x) (x)

DEFINE_FIND_UNORDERED (guint8, NO_CONVERSION);

DEFINE_FIND_UNORDERED (guint16, GUINT16_FROM_LE);

DEFINE_FIND_UNORDERED (guint32, GUINT32_FROM_LE);

DEFINE_FIND_UNORDERED (guint64, GUINT64_FROM_LE);

static GVariantSerialised

gvs_variable_sized_array_get_child (GVariantSerialised value,

                                    gsize              index_)

{

  GVariantSerialised child = { 0, };

  struct Offsets offsets = gvs_variable_sized_array_get_frame_offsets (value);

  gsize start;

  gsize end;

  child.type_info = g_variant_type_info_element (value.type_info);

  g_variant_type_info_ref (child.type_info);

  child.depth = value.depth + 1;

  /* If the requested @index_ is beyond the set of indices whose framing offsets

   * have been checked, check the remaining offsets to see whether they’re

   * normal (in order, no overlapping array elements).

   *

   * Don’t bother checking if the highest known-good offset is lower than the

   * highest checked offset, as that means there’s an invalid element at that

   * index, so there’s no need to check further. */

  if (offsets.array != NULL &&

      index_ > value.checked_offsets_up_to &&

      value.ordered_offsets_up_to == value.checked_offsets_up_to)

    {

      switch (offsets.offset_size)

        {

        case 1:

          {

            value.ordered_offsets_up_to = find_unordered_guint8 (

                offsets.array, value.checked_offsets_up_to, index_ + 1);

            break;

          }

        case 2:

          {

            value.ordered_offsets_up_to = find_unordered_guint16 (

                offsets.array, value.checked_offsets_up_to, index_ + 1);

            break;

          }

        case 4:

          {

            value.ordered_offsets_up_to = find_unordered_guint32 (

                offsets.array, value.checked_offsets_up_to, index_ + 1);

            break;

          }

        case 8:

          {

            value.ordered_offsets_up_to = find_unordered_guint64 (

                offsets.array, value.checked_offsets_up_to, index_ + 1);

            break;

          }

        default:

          /* gvs_get_offset_size() only returns maximum 8 */

          g_assert_not_reached ();

        }

      value.checked_offsets_up_to = index_;

    }

  if (index_ > value.ordered_offsets_up_to)

    {

      /* Offsets are invalid somewhere, so return an empty child. */

      return child;

    }

  if (index_ > 0)

    {

      guint alignment;

      start = gvs_offsets_get_offset_n (&offsets, index_ - 1);

      g_variant_type_info_query (child.type_info, &alignment, NULL);

      start += (-start) & alignment;

    }

  else

    start = 0;

  end = gvs_offsets_get_offset_n (&offsets, index_);

  if (start < end && end <= value.size && end <= offsets.data_size)

    {

      child.data = value.data + start;

      child.size = end - start;

    }

  return child;

}

static gsize

gvs_variable_sized_array_needed_size (GVariantTypeInfo         *type_info,

                                      GVariantSerialisedFiller  gvs_filler,

                                      const gpointer           *children,

                                      gsize                     n_children)

{

  guint alignment;

  gsize offset;

  gsize i;

  g_variant_type_info_query (type_info, &alignment, NULL);

  offset = 0;

  for (i = 0; i < n_children; i++)

    {

      GVariantSerialised child = { 0, };

      offset += (-offset) & alignment;

      gvs_filler (&child, children[i]);

      offset += child.size;

    }

  return gvs_calculate_total_size (offset, n_children);

}

static void

gvs_variable_sized_array_serialise (GVariantSerialised        value,

                                    GVariantSerialisedFiller  gvs_filler,

                                    const gpointer           *children,

                                    gsize                     n_children)

{

  guchar *offset_ptr;

  gsize offset_size;

  guint alignment;

  gsize offset;

  gsize i;

  g_variant_type_info_query (value.type_info, &alignment, NULL);

  offset_size = gvs_get_offset_size (value.size);

  offset = 0;

  offset_ptr = value.data + value.size - offset_size * n_children;

  for (i = 0; i < n_children; i++)

    {

      GVariantSerialised child = { 0, };

      while (offset & alignment)

        value.data[offset++] = '\0';

      child.data = value.data + offset;

      gvs_filler (&child, children[i]);

      offset += child.size;

      gvs_write_unaligned_le (offset_ptr, offset, offset_size);

      offset_ptr += offset_size;

    }

}

static gboolean

gvs_variable_sized_array_is_normal (GVariantSerialised value)

{

  GVariantSerialised child = { 0, };

  guint alignment;

  gsize offset;

  gsize i;

  struct Offsets offsets = gvs_variable_sized_array_get_frame_offsets (value);

  if (!offsets.is_normal)

    return FALSE;

  if (value.size != 0 && offsets.length == 0)

    return FALSE;

  child.type_info = g_variant_type_info_element (value.type_info);

  g_variant_type_info_query (child.type_info, &alignment, NULL);

  child.depth = value.depth + 1;

  offset = 0;

  for (i = 0; i < offsets.length; i++)

    {

      gsize this_end;

      this_end = gvs_read_unaligned_le (offsets.array + offsets.offset_size * i,

                                        offsets.offset_size);

      if (this_end < offset || this_end > offsets.data_size)

        return FALSE;

      while (offset & alignment)

        {

          if (!(offset < this_end && value.data[offset] == '\0'))

            return FALSE;

          offset++;

        }

      child.data = value.data + offset;

      child.size = this_end - offset;

      if (child.size == 0)

        child.data = NULL;

      if (!g_variant_serialised_is_normal (child))

        return FALSE;

      offset = this_end;

    }

  g_assert (offset == offsets.data_size);

  /* All offsets have now been checked. */

  value.ordered_offsets_up_to = G_MAXSIZE;

  value.checked_offsets_up_to = G_MAXSIZE;

  return TRUE;

}

/* Tuples {{{2

 *

 * Since tuples can contain a mix of variable- and fixed-sized items,

 * they are, in terms of serialization, a hybrid of variable-sized and

 * fixed-sized arrays.

 *

 * Offsets are only stored for variable-sized items.  Also, since the

 * number of items in a tuple is known from its type, we are able to

 * know exactly how many offsets to expect in the serialized data (and

 * therefore how much space is taken up by the offset array).  This

 * means that we know where the end of the serialized data for the last

 * item is -- we can just subtract the size of the offset array from the

 * total size of the tuple.  For this reason, the last item in the tuple

 * doesn't need an offset stored.

 *

 * Tuple offsets are stored in reverse.  This design choice allows

 * iterator-based deserializers to be more efficient.

 *

 * Most of the "heavy lifting" here is handled by the GVariantTypeInfo

 * for the tuple.  See the notes in gvarianttypeinfo.h.

 */

/* Note: This doesn’t guarantee that @out_member_end >= @out_member_start; that

 * condition may not hold true for invalid serialised variants. The caller is

 * responsible for checking the returned values and handling invalid ones

 * appropriately. */

static void

gvs_tuple_get_member_bounds (GVariantSerialised  value,

                             gsize               index_,

                             gsize               offset_size,

                             gsize              *out_member_start,

                             gsize              *out_member_end)