From a66828caff16a4ad64b9d69b5db1c5a5e60418cc Mon Sep 17 00:00:00 2001 From: Jay Berkenbilt Date: Wed, 19 Jun 2019 18:53:22 -0400 Subject: New safe type converters in QIntC --- include/qpdf/QIntC.hh | 257 ++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 257 insertions(+) create mode 100644 include/qpdf/QIntC.hh (limited to 'include') diff --git a/include/qpdf/QIntC.hh b/include/qpdf/QIntC.hh new file mode 100644 index 00000000..dac85065 --- /dev/null +++ b/include/qpdf/QIntC.hh @@ -0,0 +1,257 @@ +// Copyright (c) 2005-2019 Jay Berkenbilt +// +// This file is part of qpdf. +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. +// +// Versions of qpdf prior to version 7 were released under the terms +// of version 2.0 of the Artistic License. At your option, you may +// continue to consider qpdf to be licensed under those terms. Please +// see the manual for additional information. + +#ifndef QINTC_HH +#define QINTC_HH + +#include +#include +#include +#include +#include +#include +#include + +// This namespace provides safe integer conversion that detects +// overflows. It uses short, cryptic names for brevity. + +namespace QIntC // QIntC = qpdf Integer Conversion +{ + // Create templates to get the unsigned version of integer types. + // With C++11, we could use std::make_unsigned, but qpdf, at least + // for now, supports pre-c++11 compilers. + template + class to_u + { + }; + + template <> + class to_u + { + public: + typedef unsigned char type; + }; + + template <> + class to_u + { + public: + typedef unsigned short type; + }; + + template <> + class to_u + { + public: + typedef unsigned int type; + }; + + template <> + class to_u + { + public: + typedef unsigned long type; + }; + + template <> + class to_u + { + public: + typedef unsigned long long type; + }; + + // Basic IntConverter class, which converts an integer from the + // From class to one of the To class if it can be done safely and + // throws a range_error otherwise. This class is specialized for + // each permutation of signed/unsigned for the From and To + // classes. + template ::is_signed, + bool To_signed = std::numeric_limits::is_signed> + class IntConverter + { + }; + + template + class IntConverter + { + public: + static To convert(From const& i) + { + // From and To are both unsigned. + if (i > std::numeric_limits::max()) + { + std::ostringstream msg; + msg << "integer out of range converting " << i + << " from a " + << sizeof(From) << "-byte unsigned type to a " + << sizeof(To) << "-byte unsigned type"; + throw std::range_error(msg.str()); + } + return static_cast(i); + } + }; + + template + class IntConverter + { + public: + static To convert(From const& i) + { + // From and To are both signed. + if ((i < std::numeric_limits::min()) || + (i > std::numeric_limits::max())) + { + std::ostringstream msg; + msg << "integer out of range converting " << i + << " from a " + << sizeof(From) << "-byte signed type to a " + << sizeof(To) << "-byte signed type"; + throw std::range_error(msg.str()); + } + return static_cast(i); + } + }; + + template + class IntConverter + { + public: + static To convert(From const& i) + { + // From is signed, and To is unsigned. If i > 0, it's safe to + // convert it to the corresponding unsigned type and to + // compare with To's max. + typename to_u::type ii = + static_cast::type>(i); + if ((i < 0) || (ii > std::numeric_limits::max())) + { + std::ostringstream msg; + msg << "integer out of range converting " << i + << " from a " + << sizeof(From) << "-byte signed type to a " + << sizeof(To) << "-byte unsigned type"; + throw std::range_error(msg.str()); + } + return static_cast(i); + } + }; + + template + class IntConverter + { + public: + static To convert(From const& i) + { + // From is unsigned, and to is signed. Convert To's max to the + // unsigned version of To and compare i against that. + typename to_u::type maxval = + static_cast::type>( + std::numeric_limits::max()); + if (i > maxval) + { + std::ostringstream msg; + msg << "integer out of range converting " << i + << " from a " + << sizeof(From) << "-byte unsigned type to a " + << sizeof(To) << "-byte signed type"; + throw std::range_error(msg.str()); + } + return static_cast(i); + } + }; + + // Specific converers. The return type of each function must match + // the second template prameter to IntConverter. + template + char to_char(T const& i) + { + return IntConverter::convert(i); + } + + template + unsigned char to_uchar(T const& i) + { + return IntConverter::convert(i); + } + + template + short to_short(T const& i) + { + return IntConverter::convert(i); + } + + template + unsigned short to_ushort(T const& i) + { + return IntConverter::convert(i); + } + + template + int to_int(T const& i) + { + return IntConverter::convert(i); + } + + template + unsigned int to_uint(T const& i) + { + return IntConverter::convert(i); + } + + template + size_t to_size(T const& i) + { + return IntConverter::convert(i); + } + + template + qpdf_offset_t to_offset(T const& i) + { + return IntConverter::convert(i); + } + + template + long to_long(T const& i) + { + return IntConverter::convert(i); + } + + template + unsigned long to_ulong(T const& i) + { + return IntConverter::convert(i); + } + + template + long long to_longlong(T const& i) + { + return IntConverter::convert(i); + } + + template + unsigned long long to_ulonglong(T const& i) + { + return IntConverter::convert(i); + } +}; + +#endif // QINTC_HH -- cgit v1.2.3-54-g00ecf