2 * Copyright Patrick Powell 1995
4 * This code is based on code written by Patrick Powell
5 * (papowell@astart.com) It may be used for any purpose as long
6 * as this notice remains intact on all source code distributions.
8 * Adapted for Bacula -- note there were lots of bugs in
9 * the original code: %lld and %s were seriously broken, and
10 * with FP turned off %f seg faulted.
12 * Kern Sibbald, November MMV
19 #define FP_OUTPUT 1 /* Bacula uses floating point */
20 /* Define the following if you want all the features of
21 * normal printf, but with all the security problems.
22 * For Bacula we turn this off, and it silently ignores
23 * formats that could pose a security problem.
25 #undef SECURITY_PROBLEM
29 #ifdef HAVE_LONG_DOUBLE
30 #define LDOUBLE long double
32 #define LDOUBLE double
35 int bvsnprintf(char *buffer, int32_t maxlen, const char *format, va_list args);
36 static int32_t fmtstr(char *buffer, int32_t currlen, int32_t maxlen,
37 char *value, int flags, int min, int max);
38 static int32_t fmtint(char *buffer, int32_t currlen, int32_t maxlen,
39 int64_t value, int base, int min, int max, int flags);
45 static int32_t fmtfp(char *buffer, int32_t currlen, int32_t maxlen,
46 LDOUBLE fvalue, int min, int max, int flags);
48 #define fmtfp(b, c, m, f, min, max, fl) currlen
51 #define outch(c) {int len=currlen; if (currlen++ < maxlen) { buffer[len] = (c);}}
54 /* format read states */
55 #define DP_S_DEFAULT 0
64 /* format flags - Bits */
65 #define DP_F_MINUS (1 << 0)
66 #define DP_F_PLUS (1 << 1)
67 #define DP_F_SPACE (1 << 2)
68 #define DP_F_NUM (1 << 3)
69 #define DP_F_ZERO (1 << 4)
70 #define DP_F_UP (1 << 5)
71 #define DP_F_UNSIGNED (1 << 6)
72 #define DP_F_DOT (1 << 7)
74 /* Conversion Flags */
77 #define DP_C_LDOUBLE 3
80 #define char_to_int(p) ((p)- '0')
82 #define MAX(p,q) (((p) >= (q)) ? (p) : (q))
85 You might ask why does Bacula have it's own printf routine? Well,
86 There are two reasons: 1. Here (as opposed to library routines), we
87 define %d and %ld to be 32 bit; %lld and %q to be 64 bit. 2. We
88 disable %n for security reasons.
91 int bsnprintf(char *str, int32_t size, const char *fmt, ...)
96 va_start(arg_ptr, fmt);
97 len = bvsnprintf(str, size, fmt, arg_ptr);
103 int bvsnprintf(char *buffer, int32_t maxlen, const char *format, va_list args)
120 state = DP_S_DEFAULT;
121 currlen = flags = cflags = min = 0;
126 while (state != DP_S_DONE) {
127 if ((ch == '\0') || (currlen >= maxlen))
167 if (isdigit((unsigned char)ch)) {
168 min = 10 * min + char_to_int(ch);
170 } else if (ch == '*') {
171 #ifdef SECURITY_PROBLEM
172 min = va_arg(args, int);
174 junk = va_arg(args, int);
190 if (isdigit((unsigned char)ch)) {
193 max = 10 * max + char_to_int(ch);
195 } else if (ch == '*') {
196 #ifdef SECURITY_PROBLEM
197 max = va_arg(args, int);
199 junk = va_arg(args, int);
215 if (ch == 'l') { /* It's a long long */
221 cflags = DP_C_LDOUBLE;
224 case 'q': /* same as long long */
237 if (cflags == DP_C_INT16) {
238 value = va_arg(args, int32_t);
239 } else if (cflags == DP_C_INT32) {
240 value = va_arg(args, int32_t);
241 } else if (cflags == DP_C_INT64) {
242 value = va_arg(args, int64_t);
244 value = va_arg(args, int);
246 currlen = fmtint(buffer, currlen, maxlen, value, 10, min, max, flags);
254 } else if (ch == 'x') {
256 } else if (ch == 'X') {
262 flags |= DP_F_UNSIGNED;
263 if (cflags == DP_C_INT16) {
264 value = va_arg(args, uint32_t);
265 } else if (cflags == DP_C_INT32) {
266 value = (long)va_arg(args, uint32_t);
267 } else if (cflags == DP_C_INT64) {
268 value = (int64_t) va_arg(args, uint64_t);
270 value = (long)va_arg(args, unsigned int);
272 currlen = fmtint(buffer, currlen, maxlen, value, base, min, max, flags);
275 if (cflags == DP_C_LDOUBLE) {
276 fvalue = va_arg(args, LDOUBLE);
278 fvalue = va_arg(args, double);
280 currlen = fmtfp(buffer, currlen, maxlen, fvalue, min, max, flags);
285 if (cflags == DP_C_LDOUBLE) {
286 fvalue = va_arg(args, LDOUBLE);
288 fvalue = va_arg(args, double);
290 currlen = fmtfp(buffer, currlen, maxlen, fvalue, min, max, flags);
295 if (cflags == DP_C_LDOUBLE) {
296 fvalue = va_arg(args, LDOUBLE);
298 fvalue = va_arg(args, double);
300 currlen = fmtfp(buffer, currlen, maxlen, fvalue, min, max, flags);
303 outch(va_arg(args, int));
306 strvalue = va_arg(args, char *);
307 currlen = fmtstr(buffer, currlen, maxlen, strvalue, flags, min, max);
310 strvalue = va_arg(args, char *);
311 currlen = fmtint(buffer, currlen, maxlen, (long)strvalue, 16, min, max, flags);
314 if (cflags == DP_C_INT16) {
316 num = va_arg(args, int16_t *);
317 #ifdef SECURITY_PROBLEM
320 } else if (cflags == DP_C_INT32) {
322 num = va_arg(args, int32_t *);
323 #ifdef SECURITY_PROBLEM
324 *num = (int32_t)currlen;
326 } else if (cflags == DP_C_INT64) {
328 num = va_arg(args, int64_t *);
329 #ifdef SECURITY_PROBLEM
330 *num = (int64_t)currlen;
334 num = va_arg(args, int32_t *);
335 #ifdef SECURITY_PROBLEM
336 *num = (int32_t)currlen;
344 /* not supported yet, treat as next char */
352 state = DP_S_DEFAULT;
353 flags = cflags = min = 0;
360 break; /* some picky compilers need this */
363 if (currlen < maxlen - 1) {
364 buffer[currlen] = '\0';
366 buffer[maxlen - 1] = '\0';
371 static int32_t fmtstr(char *buffer, int32_t currlen, int32_t maxlen,
372 char *value, int flags, int min, int max)
374 int padlen, strln; /* amount to pad */
381 if (flags & DP_F_DOT && max < 0) { /* Max not specified */
383 } else if (max < 0) {
386 strln = strlen(value);
388 strln = max; /* truncate to max */
390 padlen = min - strln;
394 if (flags & DP_F_MINUS) {
395 padlen = -padlen; /* Left Justify */
402 while (*value && (cnt < max)) {
413 /* Have to handle DP_F_NUM (ie 0x and 0 alternates) */
415 static int32_t fmtint(char *buffer, int32_t currlen, int32_t maxlen,
416 int64_t value, int base, int min, int max, int flags)
422 int spadlen = 0; /* amount to space pad */
423 int zpadlen = 0; /* amount to zero pad */
432 if (!(flags & DP_F_UNSIGNED)) {
436 } else if (flags & DP_F_PLUS) { /* Do a sign (+/i) */
438 } else if (flags & DP_F_SPACE) {
443 if (flags & DP_F_UP) {
444 caps = 1; /* Should characters be upper case? */
448 convert[place++] = (caps ? "0123456789ABCDEF" : "0123456789abcdef")
449 [uvalue % (unsigned)base];
450 uvalue = (uvalue / (unsigned)base);
451 } while (uvalue && (place < 20));
457 zpadlen = max - place;
458 spadlen = min - MAX(max, place) - (signvalue ? 1 : 0);
463 if (flags & DP_F_ZERO) {
464 zpadlen = MAX(zpadlen, spadlen);
467 if (flags & DP_F_MINUS)
468 spadlen = -spadlen; /* Left Justifty */
470 #ifdef DEBUG_SNPRINTF
471 printf("zpad: %d, spad: %d, min: %d, max: %d, place: %d\n",
472 zpadlen, spadlen, min, max, place);
476 while (spadlen > 0) {
488 while (zpadlen > 0) {
496 outch(convert[--place]);
499 /* Left Justified spaces */
500 while (spadlen < 0) {
509 static LDOUBLE abs_val(LDOUBLE value)
511 LDOUBLE result = value;
519 static LDOUBLE pow10(int exp)
531 static long round(LDOUBLE value)
535 intpart = (long)value;
536 value = value - intpart;
543 static int32_t fmtfp(char *buffer, int32_t currlen, int32_t maxlen,
544 LDOUBLE fvalue, int min, int max, int flags)
557 extern char *fcvt(double value, int ndigit, int *decpt, int *sign);
561 int padlen = 0; /* amount to pad */
568 * AIX manpage says the default is 0, but Solaris says the default
569 * is 6, and sprintf on AIX defaults to 6
574 ufvalue = abs_val(fvalue);
578 else if (flags & DP_F_PLUS) /* Do a sign (+/i) */
580 else if (flags & DP_F_SPACE)
585 caps = 1; /* Should characters be upper case? */
589 intpart = (long)ufvalue;
592 * Sorry, we only support 9 digits past the decimal because of our
598 /* We "cheat" by converting the fractional part to integer by
599 * multiplying by a factor of 10
601 fracpart = round((pow10(max)) * (ufvalue - intpart));
603 if (fracpart >= pow10(max)) {
605 fracpart -= (int64_t)pow10(max);
607 #ifdef DEBUG_SNPRINTF
608 printf("fmtfp: %g %d.%d min=%d max=%d\n",
609 (double)fvalue, intpart, fracpart, min, max);
612 /* Convert integer part */
615 (caps ? "0123456789ABCDEF" : "0123456789abcdef")[intpart % 10];
616 intpart = (intpart / 10);
617 } while (intpart && (iplace < 20));
620 iconvert[iplace] = 0;
622 /* Convert fractional part */
625 (caps ? "0123456789ABCDEF" : "0123456789abcdef")[fracpart % 10];
626 fracpart = (fracpart / 10);
627 } while (fracpart && (fplace < 20));
630 fconvert[fplace] = 0;
631 #else /* use fcvt() */
635 result = fcvtl(ufvalue, max, &dec_pt, &sig);
637 result = fcvt(ufvalue, max, &dec_pt, &sig);
640 r_length = strlen(result);
643 * Fix broken fcvt implementation returns..
652 if (r_length < dec_pt)
663 fconvert[fplace++] = result[--r_length];
665 while ((dec_pt < 0) && (fplace < max)) {
666 fconvert[fplace++] = '0';
673 for (c = dec_pt; c; iconvert[iplace++] = result[--c]);
674 iconvert[iplace] = '\0';
679 for (c = (r_length - dec_pt); c; fconvert[fplace++] = result[--c]);
681 #endif /* HAVE_FCVT */
683 /* -1 for decimal point, another -1 if we are printing a sign */
684 padlen = min - iplace - max - 1 - ((signvalue) ? 1 : 0);
685 zpadlen = max - fplace;
692 if (flags & DP_F_MINUS) {
693 padlen = -padlen; /* Left Justifty */
696 if ((flags & DP_F_ZERO) && (padlen > 0)) {
716 outch(iconvert[--iplace]);
720 #ifdef DEBUG_SNPRINTF
721 printf("fmtfp: fplace=%d zpadlen=%d\n", fplace, zpadlen);
725 * Decimal point. This should probably use locale to find the correct
731 outch(fconvert[--fplace]);
735 while (zpadlen > 0) {
746 #endif /* FP_OUTPUT */
752 #define LONG_STRING 1024
756 char buf1[LONG_STRING];
757 char buf2[LONG_STRING];
776 double fp_nums[] = { -1.5, 134.21, 91340.2, 341.1234, 0203.9, 0.96, 0.996,
777 0.9996, 1.996, 4.136, 6442452944.1234, 0
801 long int_nums[] = { -1, 134, 91340, 341, 0203, 0 };
815 int64_t ll_nums[] = { -1976, 789134567890LL, 91340, 34123, 0203, 0 };
833 char *s_nums[] = { "abc", "def", "ghi", "123", "4567", "a", "bb", "ccccccc", NULL};
840 printf("Testing snprintf format codes against system sprintf...\n");
843 for (x = 0; fp_fmt[x] != NULL; x++)
844 for (y = 0; fp_nums[y] != 0; y++) {
845 bsnprintf(buf1, sizeof(buf1), fp_fmt[x], fp_nums[y]);
846 sprintf(buf2, fp_fmt[x], fp_nums[y]);
847 if (strcmp(buf1, buf2)) {
849 ("snprintf doesn't match Format: %s\n\tsnprintf = %s\n\tsprintf = %s\n",
850 fp_fmt[x], buf1, buf2);
857 for (x = 0; int_fmt[x] != NULL; x++)
858 for (y = 0; int_nums[y] != 0; y++) {
860 bcount = bsnprintf(buf1, sizeof(buf1), int_fmt[x], int_nums[y]);
861 printf("%s\n", buf1);
862 pcount = sprintf(buf2, int_fmt[x], int_nums[y]);
863 if (bcount != pcount) {
864 printf("bsnprintf count %d doesn't match sprintf count %d\n",
867 if (strcmp(buf1, buf2)) {
869 ("bsnprintf doesn't match Format: %s\n\tsnprintf = %s\n\tsprintf = %s\n",
870 int_fmt[x], buf1, buf2);
876 for (x = 0; ll_fmt[x] != NULL; x++) {
877 for (y = 0; ll_nums[y] != 0; y++) {
879 bcount = bsnprintf(buf1, sizeof(buf1), ll_fmt[x], ll_nums[y]);
880 printf("%s\n", buf1);
881 pcount = sprintf(buf2, ll_fmt[x], ll_nums[y]);
882 if (bcount != pcount) {
883 printf("bsnprintf count %d doesn't match sprintf count %d\n",
886 if (strcmp(buf1, buf2)) {
888 ("bsnprintf doesn't match Format: %s\n\tsnprintf = %s\n\tsprintf = %s\n",
889 ll_fmt[x], buf1, buf2);
896 for (x = 0; s_fmt[x] != NULL; x++) {
897 for (y = 0; s_nums[y] != 0; y++) {
899 bcount = bsnprintf(buf1, sizeof(buf1), s_fmt[x], s_nums[y]);
900 printf("%s\n", buf1);
901 pcount = sprintf(buf2, s_fmt[x], s_nums[y]);
902 if (bcount != pcount) {
903 printf("bsnprintf count %d doesn't match sprintf count %d\n",
906 if (strcmp(buf1, buf2)) {
908 ("bsnprintf doesn't match Format: %s\n\tsnprintf = %s\n\tsprintf = %s\n",
909 s_fmt[x], buf1, buf2);
917 printf("%d tests failed out of %d.\n", fail, num);
919 #endif /* TEST_PROGRAM */
921 #endif /* USE_BSNPRINTF */