2 * Copyright Patrick Powell 1995
4 * This code is based on code written by Patrick Powell
5 * (papowell@astart.com) It may be used for any purpose as long
6 * as this notice remains intact on all source code distributions.
8 * Adapted for Bacula -- note there were lots of bugs in
9 * the original code: %lld and %s were seriously broken, and
10 * with FP turned off %f seg faulted.
12 * Kern Sibbald, November MMV
19 #define FP_OUTPUT 1 /* Bacula uses floating point */
20 /* Define the following if you want all the features of
21 * normal printf, but with all the security problems.
22 * For Bacula we turn this off, and it silently ignores
23 * formats that could pose a security problem.
25 #undef SECURITY_PROBLEM
29 #ifdef HAVE_LONG_DOUBLE
30 #define LDOUBLE long double
32 #define LDOUBLE double
35 int bvsnprintf(char *buffer, int32_t maxlen, const char *format, va_list args);
36 static int32_t fmtstr(char *buffer, int32_t currlen, int32_t maxlen,
37 char *value, int flags, int min, int max);
38 static int32_t fmtint(char *buffer, int32_t currlen, int32_t maxlen,
39 int64_t value, int base, int min, int max, int flags);
45 static int32_t fmtfp(char *buffer, int32_t currlen, int32_t maxlen,
46 LDOUBLE fvalue, int min, int max, int flags);
48 #define fmtfp(b, c, m, f, min, max, fl) currlen
51 #define outch(c) {int len=currlen; if (currlen++ < maxlen) { buffer[len] = (c);}}
54 /* format read states */
55 #define DP_S_DEFAULT 0
64 /* format flags - Bits */
65 #define DP_F_MINUS (1 << 0)
66 #define DP_F_PLUS (1 << 1)
67 #define DP_F_SPACE (1 << 2)
68 #define DP_F_NUM (1 << 3)
69 #define DP_F_ZERO (1 << 4)
70 #define DP_F_UP (1 << 5)
71 #define DP_F_UNSIGNED (1 << 6)
72 #define DP_F_DOT (1 << 7)
74 /* Conversion Flags */
77 #define DP_C_LDOUBLE 3
80 #define char_to_int(p) ((p)- '0')
82 #define MAX(p,q) (((p) >= (q)) ? (p) : (q))
85 You might ask why does Bacula have it's own printf routine? Well,
86 There are two reasons: 1. Here (as opposed to library routines), we
87 define %d and %ld to be 32 bit; %lld and %q to be 64 bit. 2. We
88 disable %n for security reasons.
91 int bsnprintf(char *str, int32_t size, const char *fmt, ...)
96 va_start(arg_ptr, fmt);
97 len = bvsnprintf(str, size, fmt, arg_ptr);
103 int bvsnprintf(char *buffer, int32_t maxlen, const char *format, va_list args)
119 state = DP_S_DEFAULT;
120 currlen = flags = cflags = min = 0;
125 while (state != DP_S_DONE) {
126 if ((ch == '\0') || (currlen >= maxlen))
166 if (isdigit((unsigned char)ch)) {
167 min = 10 * min + char_to_int(ch);
169 } else if (ch == '*') {
170 min = va_arg(args, int);
185 if (isdigit((unsigned char)ch)) {
188 max = 10 * max + char_to_int(ch);
190 } else if (ch == '*') {
191 max = va_arg(args, int);
206 if (ch == 'l') { /* It's a long long */
212 cflags = DP_C_LDOUBLE;
215 case 'q': /* same as long long */
228 if (cflags == DP_C_INT16) {
229 value = va_arg(args, int32_t);
230 } else if (cflags == DP_C_INT32) {
231 value = va_arg(args, int32_t);
232 } else if (cflags == DP_C_INT64) {
233 value = va_arg(args, int64_t);
235 value = va_arg(args, int);
237 currlen = fmtint(buffer, currlen, maxlen, value, 10, min, max, flags);
245 } else if (ch == 'x') {
247 } else if (ch == 'X') {
253 flags |= DP_F_UNSIGNED;
254 if (cflags == DP_C_INT16) {
255 value = va_arg(args, uint32_t);
256 } else if (cflags == DP_C_INT32) {
257 value = (long)va_arg(args, uint32_t);
258 } else if (cflags == DP_C_INT64) {
259 value = (int64_t) va_arg(args, uint64_t);
261 value = (long)va_arg(args, unsigned int);
263 currlen = fmtint(buffer, currlen, maxlen, value, base, min, max, flags);
266 if (cflags == DP_C_LDOUBLE) {
267 fvalue = va_arg(args, LDOUBLE);
269 fvalue = va_arg(args, double);
271 currlen = fmtfp(buffer, currlen, maxlen, fvalue, min, max, flags);
276 if (cflags == DP_C_LDOUBLE) {
277 fvalue = va_arg(args, LDOUBLE);
279 fvalue = va_arg(args, double);
281 currlen = fmtfp(buffer, currlen, maxlen, fvalue, min, max, flags);
286 if (cflags == DP_C_LDOUBLE) {
287 fvalue = va_arg(args, LDOUBLE);
289 fvalue = va_arg(args, double);
291 currlen = fmtfp(buffer, currlen, maxlen, fvalue, min, max, flags);
294 outch(va_arg(args, int));
297 strvalue = va_arg(args, char *);
298 currlen = fmtstr(buffer, currlen, maxlen, strvalue, flags, min, max);
301 strvalue = va_arg(args, char *);
302 currlen = fmtint(buffer, currlen, maxlen, (long)strvalue, 16, min, max, flags);
305 if (cflags == DP_C_INT16) {
307 num = va_arg(args, int16_t *);
308 #ifdef SECURITY_PROBLEM
311 } else if (cflags == DP_C_INT32) {
313 num = va_arg(args, int32_t *);
314 #ifdef SECURITY_PROBLEM
315 *num = (int32_t)currlen;
317 } else if (cflags == DP_C_INT64) {
319 num = va_arg(args, int64_t *);
320 #ifdef SECURITY_PROBLEM
321 *num = (int64_t)currlen;
325 num = va_arg(args, int32_t *);
326 #ifdef SECURITY_PROBLEM
327 *num = (int32_t)currlen;
335 /* not supported yet, treat as next char */
343 state = DP_S_DEFAULT;
344 flags = cflags = min = 0;
351 break; /* some picky compilers need this */
354 if (currlen < maxlen - 1) {
355 buffer[currlen] = '\0';
357 buffer[maxlen - 1] = '\0';
362 static int32_t fmtstr(char *buffer, int32_t currlen, int32_t maxlen,
363 char *value, int flags, int min, int max)
365 int padlen, strln; /* amount to pad */
372 if (flags & DP_F_DOT && max < 0) { /* Max not specified */
374 } else if (max < 0) {
377 strln = strlen(value);
379 strln = max; /* truncate to max */
381 padlen = min - strln;
385 if (flags & DP_F_MINUS) {
386 padlen = -padlen; /* Left Justify */
393 while (*value && (cnt < max)) {
404 /* Have to handle DP_F_NUM (ie 0x and 0 alternates) */
406 static int32_t fmtint(char *buffer, int32_t currlen, int32_t maxlen,
407 int64_t value, int base, int min, int max, int flags)
413 int spadlen = 0; /* amount to space pad */
414 int zpadlen = 0; /* amount to zero pad */
423 if (!(flags & DP_F_UNSIGNED)) {
427 } else if (flags & DP_F_PLUS) { /* Do a sign (+/i) */
429 } else if (flags & DP_F_SPACE) {
434 if (flags & DP_F_UP) {
435 caps = 1; /* Should characters be upper case? */
439 convert[place++] = (caps ? "0123456789ABCDEF" : "0123456789abcdef")
440 [uvalue % (unsigned)base];
441 uvalue = (uvalue / (unsigned)base);
442 } while (uvalue && (place < 20));
448 zpadlen = max - place;
449 spadlen = min - MAX(max, place) - (signvalue ? 1 : 0);
454 if (flags & DP_F_ZERO) {
455 zpadlen = MAX(zpadlen, spadlen);
458 if (flags & DP_F_MINUS)
459 spadlen = -spadlen; /* Left Justifty */
461 #ifdef DEBUG_SNPRINTF
462 printf("zpad: %d, spad: %d, min: %d, max: %d, place: %d\n",
463 zpadlen, spadlen, min, max, place);
467 while (spadlen > 0) {
479 while (zpadlen > 0) {
487 outch(convert[--place]);
490 /* Left Justified spaces */
491 while (spadlen < 0) {
500 static LDOUBLE abs_val(LDOUBLE value)
502 LDOUBLE result = value;
510 static LDOUBLE pow10(int exp)
522 static long round(LDOUBLE value)
526 intpart = (long)value;
527 value = value - intpart;
534 static int32_t fmtfp(char *buffer, int32_t currlen, int32_t maxlen,
535 LDOUBLE fvalue, int min, int max, int flags)
548 extern char *fcvt(double value, int ndigit, int *decpt, int *sign);
552 int padlen = 0; /* amount to pad */
559 * AIX manpage says the default is 0, but Solaris says the default
560 * is 6, and sprintf on AIX defaults to 6
565 ufvalue = abs_val(fvalue);
569 else if (flags & DP_F_PLUS) /* Do a sign (+/i) */
571 else if (flags & DP_F_SPACE)
576 caps = 1; /* Should characters be upper case? */
580 intpart = (long)ufvalue;
583 * Sorry, we only support 9 digits past the decimal because of our
589 /* We "cheat" by converting the fractional part to integer by
590 * multiplying by a factor of 10
592 fracpart = round((pow10(max)) * (ufvalue - intpart));
594 if (fracpart >= pow10(max)) {
596 fracpart -= (int64_t)pow10(max);
598 #ifdef DEBUG_SNPRINTF
599 printf("fmtfp: %g %d.%d min=%d max=%d\n",
600 (double)fvalue, intpart, fracpart, min, max);
603 /* Convert integer part */
606 (caps ? "0123456789ABCDEF" : "0123456789abcdef")[intpart % 10];
607 intpart = (intpart / 10);
608 } while (intpart && (iplace < 20));
611 iconvert[iplace] = 0;
613 /* Convert fractional part */
616 (caps ? "0123456789ABCDEF" : "0123456789abcdef")[fracpart % 10];
617 fracpart = (fracpart / 10);
618 } while (fracpart && (fplace < 20));
621 fconvert[fplace] = 0;
622 #else /* use fcvt() */
626 result = fcvtl(ufvalue, max, &dec_pt, &sig);
628 result = fcvt(ufvalue, max, &dec_pt, &sig);
631 r_length = strlen(result);
634 * Fix broken fcvt implementation returns..
643 if (r_length < dec_pt)
654 fconvert[fplace++] = result[--r_length];
656 while ((dec_pt < 0) && (fplace < max)) {
657 fconvert[fplace++] = '0';
664 for (c = dec_pt; c; iconvert[iplace++] = result[--c]);
665 iconvert[iplace] = '\0';
670 for (c = (r_length - dec_pt); c; fconvert[fplace++] = result[--c]);
672 #endif /* HAVE_FCVT */
674 /* -1 for decimal point, another -1 if we are printing a sign */
675 padlen = min - iplace - max - 1 - ((signvalue) ? 1 : 0);
676 zpadlen = max - fplace;
683 if (flags & DP_F_MINUS) {
684 padlen = -padlen; /* Left Justifty */
687 if ((flags & DP_F_ZERO) && (padlen > 0)) {
707 outch(iconvert[--iplace]);
711 #ifdef DEBUG_SNPRINTF
712 printf("fmtfp: fplace=%d zpadlen=%d\n", fplace, zpadlen);
716 * Decimal point. This should probably use locale to find the correct
722 outch(fconvert[--fplace]);
726 while (zpadlen > 0) {
737 #endif /* FP_OUTPUT */
743 #define LONG_STRING 1024
747 char buf1[LONG_STRING];
748 char buf2[LONG_STRING];
767 double fp_nums[] = { -1.5, 134.21, 91340.2, 341.1234, 0203.9, 0.96, 0.996,
768 0.9996, 1.996, 4.136, 6442452944.1234, 0
792 long int_nums[] = { -1, 134, 91340, 341, 0203, 0 };
806 int64_t ll_nums[] = { -1976, 789134567890LL, 91340, 34123, 0203, 0 };
824 char *s_nums[] = { "abc", "def", "ghi", "123", "4567", "a", "bb", "ccccccc", NULL};
831 printf("Testing snprintf format codes against system sprintf...\n");
834 for (x = 0; fp_fmt[x] != NULL; x++)
835 for (y = 0; fp_nums[y] != 0; y++) {
836 bsnprintf(buf1, sizeof(buf1), fp_fmt[x], fp_nums[y]);
837 sprintf(buf2, fp_fmt[x], fp_nums[y]);
838 if (strcmp(buf1, buf2)) {
840 ("snprintf doesn't match Format: %s\n\tsnprintf = %s\n\tsprintf = %s\n",
841 fp_fmt[x], buf1, buf2);
848 for (x = 0; int_fmt[x] != NULL; x++)
849 for (y = 0; int_nums[y] != 0; y++) {
851 bcount = bsnprintf(buf1, sizeof(buf1), int_fmt[x], int_nums[y]);
852 printf("%s\n", buf1);
853 pcount = sprintf(buf2, int_fmt[x], int_nums[y]);
854 if (bcount != pcount) {
855 printf("bsnprintf count %d doesn't match sprintf count %d\n",
858 if (strcmp(buf1, buf2)) {
860 ("bsnprintf doesn't match Format: %s\n\tsnprintf = %s\n\tsprintf = %s\n",
861 int_fmt[x], buf1, buf2);
867 for (x = 0; ll_fmt[x] != NULL; x++) {
868 for (y = 0; ll_nums[y] != 0; y++) {
870 bcount = bsnprintf(buf1, sizeof(buf1), ll_fmt[x], ll_nums[y]);
871 printf("%s\n", buf1);
872 pcount = sprintf(buf2, ll_fmt[x], ll_nums[y]);
873 if (bcount != pcount) {
874 printf("bsnprintf count %d doesn't match sprintf count %d\n",
877 if (strcmp(buf1, buf2)) {
879 ("bsnprintf doesn't match Format: %s\n\tsnprintf = %s\n\tsprintf = %s\n",
880 ll_fmt[x], buf1, buf2);
887 for (x = 0; s_fmt[x] != NULL; x++) {
888 for (y = 0; s_nums[y] != 0; y++) {
890 bcount = bsnprintf(buf1, sizeof(buf1), s_fmt[x], s_nums[y]);
891 printf("%s\n", buf1);
892 pcount = sprintf(buf2, s_fmt[x], s_nums[y]);
893 if (bcount != pcount) {
894 printf("bsnprintf count %d doesn't match sprintf count %d\n",
897 if (strcmp(buf1, buf2)) {
899 ("bsnprintf doesn't match Format: %s\n\tsnprintf = %s\n\tsprintf = %s\n",
900 s_fmt[x], buf1, buf2);
908 printf("%d tests failed out of %d.\n", fail, num);
910 #endif /* TEST_PROGRAM */
912 #endif /* USE_BSNPRINTF */