From a66828caff16a4ad64b9d69b5db1c5a5e60418cc Mon Sep 17 00:00:00 2001 From: Jay Berkenbilt Date: Wed, 19 Jun 2019 18:53:22 -0400 Subject: New safe type converters in QIntC --- ChangeLog | 5 + include/qpdf/QIntC.hh | 257 +++++++++++++++++++++++++++++++++++++++++ libtests/build.mk | 1 + libtests/qintc.cc | 57 +++++++++ libtests/qtest/qintc.test | 18 +++ libtests/qtest/qintc/qintc.out | 13 +++ 6 files changed, 351 insertions(+) create mode 100644 include/qpdf/QIntC.hh create mode 100644 libtests/qintc.cc create mode 100644 libtests/qtest/qintc.test create mode 100644 libtests/qtest/qintc/qintc.out diff --git a/ChangeLog b/ChangeLog index 3917e87a..d88fad35 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,8 @@ +2019-06-20 Jay Berkenbilt + + * Add QIC.hh, containing integer type converters that do range + checking. + 2019-06-18 Jay Berkenbilt * Remove previously submitted qpdf_read_memory_fuzzer as it is a diff --git a/include/qpdf/QIntC.hh b/include/qpdf/QIntC.hh new file mode 100644 index 00000000..dac85065 --- /dev/null +++ b/include/qpdf/QIntC.hh @@ -0,0 +1,257 @@ +// Copyright (c) 2005-2019 Jay Berkenbilt +// +// This file is part of qpdf. +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. +// +// Versions of qpdf prior to version 7 were released under the terms +// of version 2.0 of the Artistic License. At your option, you may +// continue to consider qpdf to be licensed under those terms. Please +// see the manual for additional information. + +#ifndef QINTC_HH +#define QINTC_HH + +#include +#include +#include +#include +#include +#include +#include + +// This namespace provides safe integer conversion that detects +// overflows. It uses short, cryptic names for brevity. + +namespace QIntC // QIntC = qpdf Integer Conversion +{ + // Create templates to get the unsigned version of integer types. + // With C++11, we could use std::make_unsigned, but qpdf, at least + // for now, supports pre-c++11 compilers. + template + class to_u + { + }; + + template <> + class to_u + { + public: + typedef unsigned char type; + }; + + template <> + class to_u + { + public: + typedef unsigned short type; + }; + + template <> + class to_u + { + public: + typedef unsigned int type; + }; + + template <> + class to_u + { + public: + typedef unsigned long type; + }; + + template <> + class to_u + { + public: + typedef unsigned long long type; + }; + + // Basic IntConverter class, which converts an integer from the + // From class to one of the To class if it can be done safely and + // throws a range_error otherwise. This class is specialized for + // each permutation of signed/unsigned for the From and To + // classes. + template ::is_signed, + bool To_signed = std::numeric_limits::is_signed> + class IntConverter + { + }; + + template + class IntConverter + { + public: + static To convert(From const& i) + { + // From and To are both unsigned. + if (i > std::numeric_limits::max()) + { + std::ostringstream msg; + msg << "integer out of range converting " << i + << " from a " + << sizeof(From) << "-byte unsigned type to a " + << sizeof(To) << "-byte unsigned type"; + throw std::range_error(msg.str()); + } + return static_cast(i); + } + }; + + template + class IntConverter + { + public: + static To convert(From const& i) + { + // From and To are both signed. + if ((i < std::numeric_limits::min()) || + (i > std::numeric_limits::max())) + { + std::ostringstream msg; + msg << "integer out of range converting " << i + << " from a " + << sizeof(From) << "-byte signed type to a " + << sizeof(To) << "-byte signed type"; + throw std::range_error(msg.str()); + } + return static_cast(i); + } + }; + + template + class IntConverter + { + public: + static To convert(From const& i) + { + // From is signed, and To is unsigned. If i > 0, it's safe to + // convert it to the corresponding unsigned type and to + // compare with To's max. + typename to_u::type ii = + static_cast::type>(i); + if ((i < 0) || (ii > std::numeric_limits::max())) + { + std::ostringstream msg; + msg << "integer out of range converting " << i + << " from a " + << sizeof(From) << "-byte signed type to a " + << sizeof(To) << "-byte unsigned type"; + throw std::range_error(msg.str()); + } + return static_cast(i); + } + }; + + template + class IntConverter + { + public: + static To convert(From const& i) + { + // From is unsigned, and to is signed. Convert To's max to the + // unsigned version of To and compare i against that. + typename to_u::type maxval = + static_cast::type>( + std::numeric_limits::max()); + if (i > maxval) + { + std::ostringstream msg; + msg << "integer out of range converting " << i + << " from a " + << sizeof(From) << "-byte unsigned type to a " + << sizeof(To) << "-byte signed type"; + throw std::range_error(msg.str()); + } + return static_cast(i); + } + }; + + // Specific converers. The return type of each function must match + // the second template prameter to IntConverter. + template + char to_char(T const& i) + { + return IntConverter::convert(i); + } + + template + unsigned char to_uchar(T const& i) + { + return IntConverter::convert(i); + } + + template + short to_short(T const& i) + { + return IntConverter::convert(i); + } + + template + unsigned short to_ushort(T const& i) + { + return IntConverter::convert(i); + } + + template + int to_int(T const& i) + { + return IntConverter::convert(i); + } + + template + unsigned int to_uint(T const& i) + { + return IntConverter::convert(i); + } + + template + size_t to_size(T const& i) + { + return IntConverter::convert(i); + } + + template + qpdf_offset_t to_offset(T const& i) + { + return IntConverter::convert(i); + } + + template + long to_long(T const& i) + { + return IntConverter::convert(i); + } + + template + unsigned long to_ulong(T const& i) + { + return IntConverter::convert(i); + } + + template + long long to_longlong(T const& i) + { + return IntConverter::convert(i); + } + + template + unsigned long long to_ulonglong(T const& i) + { + return IntConverter::convert(i); + } +}; + +#endif // QINTC_HH diff --git a/libtests/build.mk b/libtests/build.mk index 5c1ee56a..4313b630 100644 --- a/libtests/build.mk +++ b/libtests/build.mk @@ -17,6 +17,7 @@ BINS_libtests = \ numrange \ pointer_holder \ predictors \ + qintc \ qutil \ random \ rc4 \ diff --git a/libtests/qintc.cc b/libtests/qintc.cc new file mode 100644 index 00000000..79fc6f53 --- /dev/null +++ b/libtests/qintc.cc @@ -0,0 +1,57 @@ +#include +#include +#include + +#define try_convert(exp_pass, fn, i) \ + try_convert_real(#fn "(" #i ")", exp_pass, fn, i) + +template +static void try_convert_real( + char const* description, bool exp_pass, + To (*fn)(From const&), From const& i) +{ + bool passed = false; + try + { + To result = fn(i); + passed = true; + std::cout << description << ": " << i << " " << result; + } + catch (std::range_error& e) + { + std::cout << description << ": " << e.what(); + passed = false; + } + std::cout << ((passed == exp_pass) ? " PASSED" : " FAILED") << std::endl; +} + +int main() +{ + uint32_t u1 = 3141592653U; // Too big for signed type + int32_t i1 = -1153374643; // Same bit pattern as u1 + uint64_t ul1 = 1099511627776LL; // Too big for 32-bit + uint64_t ul2 = 12345; // Fits into 32-bit + int32_t i2 = 81; // Fits in char and uchar + char c1 = '\xf7'; // Signed vaule when char + + // Verify i1 and u1 have same bit pattern + assert(static_cast(i1) == u1); + // Verify that we can unsafely convert between char and unsigned char + assert(c1 == static_cast(static_cast(c1))); + + try_convert(true, QIntC::to_int, i1); + try_convert(true, QIntC::to_uint, u1); + try_convert(false, QIntC::to_int, u1); + try_convert(false, QIntC::to_uint, i1); + try_convert(false, QIntC::to_int, ul1); + try_convert(true, QIntC::to_int, ul2); + try_convert(true, QIntC::to_uint, ul2); + try_convert(true, QIntC::to_offset, u1); + try_convert(true, QIntC::to_offset, i1); + try_convert(false, QIntC::to_size, i1); + try_convert(true, QIntC::to_char, i2); + try_convert(true, QIntC::to_uchar, i2); + try_convert(false, QIntC::to_uchar, c1); + + return 0; +} diff --git a/libtests/qtest/qintc.test b/libtests/qtest/qintc.test new file mode 100644 index 00000000..4b2dc3a5 --- /dev/null +++ b/libtests/qtest/qintc.test @@ -0,0 +1,18 @@ +#!/usr/bin/env perl +require 5.008; +BEGIN { $^W = 1; } +use strict; + +chdir("qintc") or die "chdir testdir failed: $!\n"; + +require TestDriver; + +my $td = new TestDriver('qintc'); + +$td->runtest("QINTC", + {$td->COMMAND => "qintc"}, + {$td->FILE => "qintc.out", + $td->EXIT_STATUS => 0}, + $td->NORMALIZE_NEWLINES | $td->RM_WS_ONLY_LINES); + +$td->report(1); diff --git a/libtests/qtest/qintc/qintc.out b/libtests/qtest/qintc/qintc.out new file mode 100644 index 00000000..9b6d35d9 --- /dev/null +++ b/libtests/qtest/qintc/qintc.out @@ -0,0 +1,13 @@ +QIntC::to_int(i1): -1153374643 -1153374643 PASSED +QIntC::to_uint(u1): 3141592653 3141592653 PASSED +QIntC::to_int(u1): integer out of range converting 3141592653 from a 4-byte unsigned type to a 4-byte signed type PASSED +QIntC::to_uint(i1): integer out of range converting -1153374643 from a 4-byte signed type to a 4-byte unsigned type PASSED +QIntC::to_int(ul1): integer out of range converting 1099511627776 from a 8-byte unsigned type to a 4-byte signed type PASSED +QIntC::to_int(ul2): 12345 12345 PASSED +QIntC::to_uint(ul2): 12345 12345 PASSED +QIntC::to_offset(u1): 3141592653 3141592653 PASSED +QIntC::to_offset(i1): -1153374643 -1153374643 PASSED +QIntC::to_size(i1): integer out of range converting -1153374643 from a 4-byte signed type to a 8-byte unsigned type PASSED +QIntC::to_char(i2): 81 Q PASSED +QIntC::to_uchar(i2): 81 Q PASSED +QIntC::to_uchar(c1): integer out of range converting ÷ from a 1-byte signed type to a 1-byte unsigned type PASSED -- cgit v1.2.3-70-g09d2