/* xsize.h -- Checked size_t computations.
Copyright (C) 2003 Free Software Foundation, Inc.
This program is free software; you can redistribute it and/or modify it
under the terms of the GNU Library General Public License as published
by the Free Software Foundation; either version 2, or (at your option)
any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
Library General Public License for more details.
You should have received a copy of the GNU Library General Public
License along with this program; if not, write to the Free Software
Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307,
USA. */
#ifndef _XSIZE_H
#define _XSIZE_H
/* Get size_t. */
#include <stddef.h>
/* Get SIZE_MAX. */
#include <limits.h>
#if HAVE_STDINT_H
# include <stdint.h>
#endif
/* The size of memory objects is often computed through expressions of
type size_t. Example:
void* p = malloc (header_size + n * element_size).
These computations can lead to overflow. When this happens, malloc()
returns a piece of memory that is way too small, and the program then
crashes while attempting to fill the memory.
To avoid this, the functions and macros in this file check for overflow.
The convention is that SIZE_MAX represents overflow.
Since malloc (SIZE_MAX) is not guaranteed to fail -- think of a malloc
implementation that uses mmap --, it's recommended to use size_overflow_p()
or size_in_bounds_p() before invoking malloc().
The example thus becomes:
size_t size = xsum (header_size, xtimes (n, element_size));
void *p = (size_in_bounds_p (size) ? malloc (size) : NULL);
*/
/* Convert an arbitrary value >= 0 to type size_t.
   N may be of a type wider than size_t; a value above SIZE_MAX is clamped
   to SIZE_MAX, the overflow sentinel used throughout this header, so the
   result can be fed to size_overflow_p() / size_in_bounds_p() like any
   other checked size.  The caller must ensure N >= 0.
   This is a macro so that the comparison happens in N's own (possibly
   wider) type; note that N is evaluated twice.  */
#define xcast_size_t(N) \
((N) <= SIZE_MAX ? (size_t) (N) : SIZE_MAX)
/* Sum of two sizes, with overflow check.
   Returns size1 + size2, or SIZE_MAX if the true sum is not representable
   as a size_t.  A sum that is exactly SIZE_MAX is also returned as
   SIZE_MAX and is therefore indistinguishable from overflow; by the
   convention of this header it must be treated as overflow (see
   size_in_bounds_p()).  */
static inline size_t
#if __GNUC__ >= 3
__attribute__ ((__pure__))
#endif
xsum (size_t size1, size_t size2)
{
  /* Unsigned addition wraps modulo SIZE_MAX + 1, so the wrapped result is
     smaller than either operand exactly when the true sum overflowed.  */
  size_t total = size1 + size2;
  if (total < size1)
    return SIZE_MAX;
  return total;
}
/* Sum of three sizes, with overflow check.
   Returns size1 + size2 + size3, or SIZE_MAX if any partial sum is not
   representable.  The sentinel is sticky: once an inner xsum() yields
   SIZE_MAX, adding any further size_t to it yields SIZE_MAX again.  */
static inline size_t
#if __GNUC__ >= 3
__attribute__ ((__pure__))
#endif
xsum3 (size_t size1, size_t size2, size_t size3)
{
  size_t partial = xsum (size1, size2);
  return xsum (partial, size3);
}
/* Sum of four sizes, with overflow check.
   Returns size1 + size2 + size3 + size4, or SIZE_MAX if any partial sum is
   not representable.  As with xsum3(), an overflow in an early partial sum
   propagates through the remaining additions.  */
static inline size_t
#if __GNUC__ >= 3
__attribute__ ((__pure__))
#endif
xsum4 (size_t size1, size_t size2, size_t size3, size_t size4)
{
  size_t acc = xsum (size1, size2);
  acc = xsum (acc, size3);
  acc = xsum (acc, size4);
  return acc;
}
/* Maximum of two sizes, with overflow check.
   Returns the larger of size1 and size2.  No explicit overflow test is
   needed: if either argument is the SIZE_MAX sentinel, the maximum is
   SIZE_MAX, so an overflow in either input is preserved in the result.  */
static inline size_t
#if __GNUC__ >= 3
__attribute__ ((__pure__))
#endif
xmax (size_t size1, size_t size2)
{
  if (size2 > size1)
    return size2;
  return size1;
}
/* Multiplication of a count with an element size, with overflow check.
   The count must be >= 0 and the element size must be > 0: ELSIZE is the
   divisor in the bounds check, so an element size of 0 would divide by
   zero.  The product is returned as a size_t, or SIZE_MAX if it would
   exceed SIZE_MAX (a product of exactly SIZE_MAX is likewise reported as
   SIZE_MAX and counts as overflow by the convention of this header).
   This is a macro, not an inline function, so that it works correctly even
   when N is of a wider type and N > SIZE_MAX: the comparison is done in
   N's type before the narrowing cast.  Both N and ELSIZE are evaluated
   twice, so arguments must be free of side effects.  */
#define xtimes(N, ELSIZE) \
((N) <= SIZE_MAX / (ELSIZE) ? (size_t) (N) * (ELSIZE) : SIZE_MAX)
/* Check for overflow.
   True when SIZE is the SIZE_MAX sentinel that xsum(), xtimes() and
   xcast_size_t() produce on overflow.  SIZE is evaluated once.  */
#define size_overflow_p(SIZE) \
((SIZE) == SIZE_MAX)
/* Check against overflow.
   The complement of size_overflow_p(): true when SIZE is a usable size.
   Use this before passing a checked size to malloc(), since, as noted at
   the top of this header, malloc (SIZE_MAX) is not guaranteed to fail.
   SIZE is evaluated once.  */
#define size_in_bounds_p(SIZE) \
((SIZE) != SIZE_MAX)
#endif /* _XSIZE_H */