Coverage Report

Created: 2025-03-06 07:58

/src/gnutls/gl/xsize.h
Line
Count
Source (jump to first uncovered line)
1
/* xsize.h -- Checked size_t computations.
2
3
   Copyright (C) 2003, 2008-2025 Free Software Foundation, Inc.
4
5
   This file is free software: you can redistribute it and/or modify
6
   it under the terms of the GNU Lesser General Public License as
7
   published by the Free Software Foundation; either version 2.1 of the
8
   License, or (at your option) any later version.
9
10
   This file is distributed in the hope that it will be useful,
11
   but WITHOUT ANY WARRANTY; without even the implied warranty of
12
   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
13
   GNU Lesser General Public License for more details.
14
15
   You should have received a copy of the GNU Lesser General Public License
16
   along with this program.  If not, see <https://www.gnu.org/licenses/>.  */
17
18
#ifndef _XSIZE_H
19
#define _XSIZE_H
20
21
/* This file uses _GL_INLINE_HEADER_BEGIN, _GL_INLINE, HAVE_STDINT_H.  */
22
#if !_GL_CONFIG_H_INCLUDED
23
 #error "Please include config.h first."
24
#endif
25
26
/* Get size_t.  */
27
#include <stddef.h>
28
29
/* Get INT_MAX, SIZE_MAX.  */
30
#include <limits.h>
31
#if HAVE_STDINT_H
32
# include <stdint.h>
33
#endif
34
35
/* Get ATTRIBUTE_PURE.  */
36
#include "attribute.h"
37
38
_GL_INLINE_HEADER_BEGIN
39
#ifndef XSIZE_INLINE
40
# define XSIZE_INLINE _GL_INLINE
41
#endif
42
43
#ifdef __cplusplus
44
extern "C" {
45
#endif
46
47
48
/* The size of memory objects is often computed through expressions of
49
   type size_t. Example:
50
      void* p = malloc (header_size + n * element_size).
51
   These computations can lead to overflow.  When this happens, malloc()
52
   returns a piece of memory that is way too small, and the program then
53
   crashes while attempting to fill the memory.
54
   To avoid this, the functions and macros in this file check for overflow.
55
   The convention is that SIZE_MAX represents overflow.
56
   malloc (SIZE_MAX) is not guaranteed to fail -- think of a malloc
57
   implementation that uses mmap --, it's recommended to use size_overflow_p()
58
   or size_in_bounds_p() before invoking malloc().
59
   The example thus becomes:
60
      size_t size = xsum (header_size, xtimes (n, element_size));
61
      void *p = (size_in_bounds_p (size) ? malloc (size) : NULL);
62
*/
63
64
/* Convert an arbitrary N >= 0 to type size_t.
65
   N should not have side effects.  */
66
#define xcast_size_t(N) \
67
  ((N) <= SIZE_MAX ? (size_t) (N) : SIZE_MAX)
68
69
/* Sum of two sizes, with overflow check.  */
70
XSIZE_INLINE size_t ATTRIBUTE_PURE
71
xsum (size_t size1, size_t size2)
72
0
{
73
0
  if (INT_MAX < SIZE_MAX)
74
0
    {
75
      /* Optimize for the common case where size_t arithmetic wraps
76
         around without undefined behavior.  */
77
0
      size_t sum = size1 + size2;
78
0
      return size1 <= sum ? sum : SIZE_MAX;
79
0
    }
80
81
0
  return size1 <= SIZE_MAX - size2 ? size1 + size2 : SIZE_MAX;
82
0
}
83
84
/* Sum of three sizes, with overflow check.  */
85
XSIZE_INLINE size_t ATTRIBUTE_PURE
86
xsum3 (size_t size1, size_t size2, size_t size3)
87
0
{
88
0
  return xsum (xsum (size1, size2), size3);
89
0
}
90
91
/* Sum of four sizes, with overflow check.  */
92
XSIZE_INLINE size_t ATTRIBUTE_PURE
93
xsum4 (size_t size1, size_t size2, size_t size3, size_t size4)
94
0
{
95
0
  return xsum (xsum (xsum (size1, size2), size3), size4);
96
0
}
97
98
/* Maximum of two sizes, with overflow check.  */
99
XSIZE_INLINE size_t ATTRIBUTE_PURE
100
xmax (size_t size1, size_t size2)
101
0
{
102
0
  /* No explicit check is needed here, because for any n:
103
0
     max (SIZE_MAX, n) == SIZE_MAX and max (n, SIZE_MAX) == SIZE_MAX.  */
104
0
  return (size1 >= size2 ? size1 : size2);
105
0
}
106
107
/* Multiplication of a count with an element size, with overflow check.
108
   The count must be >= 0 and the element size must be > 0.
109
   Arguments should not have side effects.
110
   The element size's type should be no wider than size_t.
111
   This is a macro, not a function, so that it works correctly even
112
   when N is of a wider type and N > SIZE_MAX.  */
113
#define xtimes(N, ELSIZE) \
114
  ((N) <= SIZE_MAX / (ELSIZE) ? (size_t) (N) * (ELSIZE) : SIZE_MAX)
115
116
/* Check for overflow.  */
117
#define size_overflow_p(SIZE) \
118
0
  ((SIZE) == SIZE_MAX)
119
/* Check against overflow.  */
120
#define size_in_bounds_p(SIZE) \
121
  ((SIZE) != SIZE_MAX)
122
123
124
#ifdef __cplusplus
125
}
126
#endif
127
128
_GL_INLINE_HEADER_END
129
130
#endif /* _XSIZE_H */