Line | Count | Source (jump to first uncovered line) |
1 | | /* xsize.h -- Checked size_t computations. |
2 | | |
3 | | Copyright (C) 2003, 2008-2025 Free Software Foundation, Inc. |
4 | | |
5 | | This file is free software: you can redistribute it and/or modify |
6 | | it under the terms of the GNU Lesser General Public License as |
7 | | published by the Free Software Foundation; either version 2.1 of the |
8 | | License, or (at your option) any later version. |
9 | | |
10 | | This file is distributed in the hope that it will be useful, |
11 | | but WITHOUT ANY WARRANTY; without even the implied warranty of |
12 | | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
13 | | GNU Lesser General Public License for more details. |
14 | | |
15 | | You should have received a copy of the GNU Lesser General Public License |
16 | | along with this program. If not, see <https://www.gnu.org/licenses/>. */ |
17 | | |
18 | | #ifndef _XSIZE_H |
19 | | #define _XSIZE_H |
20 | | |
21 | | /* This file uses _GL_INLINE_HEADER_BEGIN, _GL_INLINE, HAVE_STDINT_H. */ |
22 | | #if !_GL_CONFIG_H_INCLUDED |
23 | | #error "Please include config.h first." |
24 | | #endif |
25 | | |
26 | | /* Get size_t. */ |
27 | | #include <stddef.h> |
28 | | |
29 | | /* Get INT_MAX, SIZE_MAX. */ |
30 | | #include <limits.h> |
31 | | #if HAVE_STDINT_H |
32 | | # include <stdint.h> |
33 | | #endif |
34 | | |
35 | | /* Get ATTRIBUTE_PURE. */ |
36 | | #include "attribute.h" |
37 | | |
38 | | _GL_INLINE_HEADER_BEGIN |
39 | | #ifndef XSIZE_INLINE |
40 | | # define XSIZE_INLINE _GL_INLINE |
41 | | #endif |
42 | | |
43 | | #ifdef __cplusplus |
44 | | extern "C" { |
45 | | #endif |
46 | | |
47 | | |
48 | | /* The size of memory objects is often computed through expressions of |
49 | | type size_t. Example: |
50 | | void* p = malloc (header_size + n * element_size). |
51 | | These computations can lead to overflow. When this happens, malloc() |
52 | | returns a piece of memory that is way too small, and the program then |
53 | | crashes while attempting to fill the memory. |
54 | | To avoid this, the functions and macros in this file check for overflow. |
55 | | The convention is that SIZE_MAX represents overflow. |
56 | | malloc (SIZE_MAX) is not guaranteed to fail -- think of a malloc |
57 | | implementation that uses mmap --, it's recommended to use size_overflow_p() |
58 | | or size_in_bounds_p() before invoking malloc(). |
59 | | The example thus becomes: |
60 | | size_t size = xsum (header_size, xtimes (n, element_size)); |
61 | | void *p = (size_in_bounds_p (size) ? malloc (size) : NULL); |
62 | | */ |
63 | | |
64 | | /* Convert an arbitrary N >= 0 to type size_t. |
65 | | N should not have side effects. */ |
66 | | #define xcast_size_t(N) \ |
67 | | ((N) <= SIZE_MAX ? (size_t) (N) : SIZE_MAX) |
68 | | |
69 | | /* Sum of two sizes, with overflow check. */ |
70 | | XSIZE_INLINE size_t ATTRIBUTE_PURE |
71 | | xsum (size_t size1, size_t size2) |
72 | 0 | { |
73 | 0 | if (INT_MAX < SIZE_MAX) |
74 | 0 | { |
75 | | /* Optimize for the common case where size_t arithmetic wraps |
76 | | around without undefined behavior. */ |
77 | 0 | size_t sum = size1 + size2; |
78 | 0 | return size1 <= sum ? sum : SIZE_MAX; |
79 | 0 | } |
80 | | |
81 | 0 | return size1 <= SIZE_MAX - size2 ? size1 + size2 : SIZE_MAX; |
82 | 0 | } |
83 | | |
84 | | /* Sum of three sizes, with overflow check. */ |
85 | | XSIZE_INLINE size_t ATTRIBUTE_PURE |
86 | | xsum3 (size_t size1, size_t size2, size_t size3) |
87 | 0 | { |
88 | 0 | return xsum (xsum (size1, size2), size3); |
89 | 0 | } |
90 | | |
91 | | /* Sum of four sizes, with overflow check. */ |
92 | | XSIZE_INLINE size_t ATTRIBUTE_PURE |
93 | | xsum4 (size_t size1, size_t size2, size_t size3, size_t size4) |
94 | 0 | { |
95 | 0 | return xsum (xsum (xsum (size1, size2), size3), size4); |
96 | 0 | } |
97 | | |
98 | | /* Maximum of two sizes, with overflow check. */ |
99 | | XSIZE_INLINE size_t ATTRIBUTE_PURE |
100 | | xmax (size_t size1, size_t size2) |
101 | 0 | { |
102 | 0 | /* No explicit check is needed here, because for any n: |
103 | 0 | max (SIZE_MAX, n) == SIZE_MAX and max (n, SIZE_MAX) == SIZE_MAX. */ |
104 | 0 | return (size1 >= size2 ? size1 : size2); |
105 | 0 | } |
106 | | |
107 | | /* Multiplication of a count with an element size, with overflow check. |
108 | | The count must be >= 0 and the element size must be > 0. |
109 | | Arguments should not have side effects. |
110 | | The element size's type should be no wider than size_t. |
111 | | This is a macro, not a function, so that it works correctly even |
112 | | when N is of a wider type and N > SIZE_MAX. */ |
113 | | #define xtimes(N, ELSIZE) \ |
114 | | ((N) <= SIZE_MAX / (ELSIZE) ? (size_t) (N) * (ELSIZE) : SIZE_MAX) |
115 | | |
116 | | /* Check for overflow. */ |
117 | | #define size_overflow_p(SIZE) \ |
118 | 0 | ((SIZE) == SIZE_MAX) |
119 | | /* Check against overflow. */ |
120 | | #define size_in_bounds_p(SIZE) \ |
121 | | ((SIZE) != SIZE_MAX) |
122 | | |
123 | | |
124 | | #ifdef __cplusplus |
125 | | } |
126 | | #endif |
127 | | |
128 | | _GL_INLINE_HEADER_END |
129 | | |
130 | | #endif /* _XSIZE_H */ |