/src/gnutls/gl/xsize.h

Source (jump to first uncovered line)
/* xsize.h -- Checked size_t computations.

   Copyright (C) 2003, 2008-2023 Free Software Foundation, Inc.

   This file is free software: you can redistribute it and/or modify
   it under the terms of the GNU Lesser General Public License as
   published by the Free Software Foundation; either version 2.1 of the
   License, or (at your option) any later version.

   This file is distributed in the hope that it will be useful,
   but WITHOUT ANY WARRANTY; without even the implied warranty of
   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
   GNU Lesser General Public License for more details.

   You should have received a copy of the GNU Lesser General Public License
   along with this program.  If not, see <https://www.gnu.org/licenses/>.  */

#ifndef _XSIZE_H
#define _XSIZE_H

/* Get size_t.  */
#include <stddef.h>

/* Get SIZE_MAX.  */
#include <limits.h>
#if HAVE_STDINT_H
# include <stdint.h>
#endif

/* Get ATTRIBUTE_PURE.  */
#include "attribute.h"

#ifndef _GL_INLINE_HEADER_BEGIN
 #error "Please include config.h first."
#endif
_GL_INLINE_HEADER_BEGIN
#ifndef XSIZE_INLINE
# define XSIZE_INLINE _GL_INLINE
#endif

/* The size of memory objects is often computed through expressions of
   type size_t. Example:
      void* p = malloc (header_size + n * element_size).
   These computations can lead to overflow.  When this happens, malloc()
   returns a piece of memory that is way too small, and the program then
   crashes while attempting to fill the memory.
   To avoid this, the functions and macros in this file check for overflow.
   The convention is that SIZE_MAX represents overflow.
   malloc (SIZE_MAX) is not guaranteed to fail -- think of a malloc
   implementation that uses mmap --, it's recommended to use size_overflow_p()
   or size_in_bounds_p() before invoking malloc().
   The example thus becomes:
      size_t size = xsum (header_size, xtimes (n, element_size));
      void *p = (size_in_bounds_p (size) ? malloc (size) : NULL);
*/

/* Convert an arbitrary value >= 0 to type size_t.  */
#define xcast_size_t(N) \
  ((N) <= SIZE_MAX ? (size_t) (N) : SIZE_MAX)

/* Sum of two sizes, with overflow check.  */
XSIZE_INLINE size_t ATTRIBUTE_PURE
xsum (size_t size1, size_t size2)
{
  size_t sum = size1 + size2;
  return (sum >= size1 ? sum : SIZE_MAX);
}

/* Sum of three sizes, with overflow check.  */
XSIZE_INLINE size_t ATTRIBUTE_PURE
xsum3 (size_t size1, size_t size2, size_t size3)
{
  return xsum (xsum (size1, size2), size3);
}

/* Sum of four sizes, with overflow check.  */
XSIZE_INLINE size_t ATTRIBUTE_PURE
xsum4 (size_t size1, size_t size2, size_t size3, size_t size4)
{
  return xsum (xsum (xsum (size1, size2), size3), size4);
}

/* Maximum of two sizes, with overflow check.  */
XSIZE_INLINE size_t ATTRIBUTE_PURE
xmax (size_t size1, size_t size2)
{
  /* No explicit check is needed here, because for any n:
     max (SIZE_MAX, n) == SIZE_MAX and max (n, SIZE_MAX) == SIZE_MAX.  */
  return (size1 >= size2 ? size1 : size2);
}

/* Multiplication of a count with an element size, with overflow check.
   The count must be >= 0 and the element size must be > 0.
   This is a macro, not a function, so that it works correctly even
   when N is of a wider type and N > SIZE_MAX.  */
#define xtimes(N, ELSIZE) \
  ((N) <= SIZE_MAX / (ELSIZE) ? (size_t) (N) * (ELSIZE) : SIZE_MAX)

/* Check for overflow.  */
#define size_overflow_p(SIZE) \
  ((SIZE) == SIZE_MAX)
/* Check against overflow.  */
#define size_in_bounds_p(SIZE) \
  ((SIZE) != SIZE_MAX)

_GL_INLINE_HEADER_END

#endif /* _XSIZE_H */

Line	Count	Source (jump to first uncovered line)
1		/* xsize.h -- Checked size_t computations.
2
3		Copyright (C) 2003, 2008-2023 Free Software Foundation, Inc.
4
5		This file is free software: you can redistribute it and/or modify
6		it under the terms of the GNU Lesser General Public License as
7		published by the Free Software Foundation; either version 2.1 of the
8		License, or (at your option) any later version.
9
10		This file is distributed in the hope that it will be useful,
11		but WITHOUT ANY WARRANTY; without even the implied warranty of
12		MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13		GNU Lesser General Public License for more details.
14
15		You should have received a copy of the GNU Lesser General Public License
16		along with this program. If not, see <https://www.gnu.org/licenses/>. */
17
18		#ifndef _XSIZE_H
19		#define _XSIZE_H
20
21		/* Get size_t. */
22		#include <stddef.h>
23
24		/* Get SIZE_MAX. */
25		#include <limits.h>
26		#if HAVE_STDINT_H
27		# include <stdint.h>
28		#endif
29
30		/* Get ATTRIBUTE_PURE. */
31		#include "attribute.h"
32
33		#ifndef _GL_INLINE_HEADER_BEGIN
34		#error "Please include config.h first."
35		#endif
36		_GL_INLINE_HEADER_BEGIN
37		#ifndef XSIZE_INLINE
38		# define XSIZE_INLINE _GL_INLINE
39		#endif
40
41		/* The size of memory objects is often computed through expressions of
42		type size_t. Example:
43		void* p = malloc (header_size + n * element_size).
44		These computations can lead to overflow. When this happens, malloc()
45		returns a piece of memory that is way too small, and the program then
46		crashes while attempting to fill the memory.
47		To avoid this, the functions and macros in this file check for overflow.
48		The convention is that SIZE_MAX represents overflow.
49		malloc (SIZE_MAX) is not guaranteed to fail -- think of a malloc
50		implementation that uses mmap --, it's recommended to use size_overflow_p()
51		or size_in_bounds_p() before invoking malloc().
52		The example thus becomes:
53		size_t size = xsum (header_size, xtimes (n, element_size));
54		void *p = (size_in_bounds_p (size) ? malloc (size) : NULL);
55		*/
56
57		/* Convert an arbitrary value >= 0 to type size_t. */
58		#define xcast_size_t(N) \
59		((N) <= SIZE_MAX ? (size_t) (N) : SIZE_MAX)
60
61		/* Sum of two sizes, with overflow check. */
62		XSIZE_INLINE size_t ATTRIBUTE_PURE
63		xsum (size_t size1, size_t size2)
64		{
65		size_t sum = size1 + size2;
66		return (sum >= size1 ? sum : SIZE_MAX);
67		}
68
69		/* Sum of three sizes, with overflow check. */
70		XSIZE_INLINE size_t ATTRIBUTE_PURE
71		xsum3 (size_t size1, size_t size2, size_t size3)
72		{
73		return xsum (xsum (size1, size2), size3);
74		}
75
76		/* Sum of four sizes, with overflow check. */
77		XSIZE_INLINE size_t ATTRIBUTE_PURE
78		xsum4 (size_t size1, size_t size2, size_t size3, size_t size4)
79		{
80		return xsum (xsum (xsum (size1, size2), size3), size4);
81		}
82
83		/* Maximum of two sizes, with overflow check. */
84		XSIZE_INLINE size_t ATTRIBUTE_PURE
85		xmax (size_t size1, size_t size2)
86		{
87		/* No explicit check is needed here, because for any n:
88		max (SIZE_MAX, n) == SIZE_MAX and max (n, SIZE_MAX) == SIZE_MAX. */
89		return (size1 >= size2 ? size1 : size2);
90		}
91
92		/* Multiplication of a count with an element size, with overflow check.
93		The count must be >= 0 and the element size must be > 0.
94		This is a macro, not a function, so that it works correctly even
95		when N is of a wider type and N > SIZE_MAX. */
96		#define xtimes(N, ELSIZE) \
97		((N) <= SIZE_MAX / (ELSIZE) ? (size_t) (N) * (ELSIZE) : SIZE_MAX)
98
99		/* Check for overflow. */
100		#define size_overflow_p(SIZE) \
101	0	((SIZE) == SIZE_MAX)
102		/* Check against overflow. */
103		#define size_in_bounds_p(SIZE) \
104		((SIZE) != SIZE_MAX)
105
106		_GL_INLINE_HEADER_END
107
108		#endif /* _XSIZE_H */

Coverage Report

Created: 2023-03-26 08:33