| #include "Python.h" | |
| #include <ctype.h> | |
| /* snprintf() wrappers. If the platform has vsnprintf, we use it, else we | |
| emulate it in a half-hearted way. Even if the platform has it, we wrap | |
| it because platforms differ in what vsnprintf does in case the buffer | |
| is too small: C99 behavior is to return the number of characters that | |
| would have been written had the buffer not been too small, and to set | |
| the last byte of the buffer to \0. At least MS _vsnprintf returns a | |
| negative value instead, and fills the entire buffer with non-\0 data. | |
| The wrappers ensure that str[size-1] is always \0 upon return. | |
| PyOS_snprintf and PyOS_vsnprintf never write more than size bytes | |
| (including the trailing '\0') into str. | |
| If the platform doesn't have vsnprintf, and the buffer size needed to | |
| avoid truncation exceeds size by more than 512, Python aborts with a | |
| Py_FatalError. | |
| Return value (rv): | |
| When 0 <= rv < size, the output conversion was unexceptional, and | |
| rv characters were written to str (excluding a trailing \0 byte at | |
| str[rv]). | |
| When rv >= size, output conversion was truncated, and a buffer of | |
| size rv+1 would have been needed to avoid truncation. str[size-1] | |
| is \0 in this case. | |
| When rv < 0, "something bad happened". str[size-1] is \0 in this | |
| case too, but the rest of str is unreliable. It could be that | |
| an error in format codes was detected by libc, or on platforms | |
| with a non-C99 vsnprintf simply that the buffer wasn't big enough | |
| to avoid truncation, or on platforms without any vsnprintf that | |
| PyMem_Malloc couldn't obtain space for a temp buffer. | |
| CAUTION: Unlike C99, str != NULL and size > 0 are required. | |
| */ | |
| int | |
| PyOS_snprintf(char *str, size_t size, const char *format, ...) | |
| { | |
| int rc; | |
| va_list va; | |
| va_start(va, format); | |
| rc = PyOS_vsnprintf(str, size, format, va); | |
| va_end(va); | |
| return rc; | |
| } | |
| int | |
| PyOS_vsnprintf(char *str, size_t size, const char *format, va_list va) | |
| { | |
| int len; /* # bytes written, excluding \0 */ | |
| #ifdef HAVE_SNPRINTF | |
| #define _PyOS_vsnprintf_EXTRA_SPACE 1 | |
| #else | |
| #define _PyOS_vsnprintf_EXTRA_SPACE 512 | |
| char *buffer; | |
| #endif | |
| assert(str != NULL); | |
| assert(size > 0); | |
| assert(format != NULL); | |
| /* We take a size_t as input but return an int. Sanity check | |
| * our input so that it won't cause an overflow in the | |
| * vsnprintf return value or the buffer malloc size. */ | |
| if (size > INT_MAX - _PyOS_vsnprintf_EXTRA_SPACE) { | |
| len = -666; | |
| goto Done; | |
| } | |
| #ifdef HAVE_SNPRINTF | |
| len = vsnprintf(str, size, format, va); | |
| #else | |
| /* Emulate it. */ | |
| buffer = PyMem_MALLOC(size + _PyOS_vsnprintf_EXTRA_SPACE); | |
| if (buffer == NULL) { | |
| len = -666; | |
| goto Done; | |
| } | |
| len = vsprintf(buffer, format, va); | |
| if (len < 0) | |
| /* ignore the error */; | |
| else if ((size_t)len >= size + _PyOS_vsnprintf_EXTRA_SPACE) | |
| Py_FatalError("Buffer overflow in PyOS_snprintf/PyOS_vsnprintf"); | |
| else { | |
| const size_t to_copy = (size_t)len < size ? | |
| (size_t)len : size - 1; | |
| assert(to_copy < size); | |
| memcpy(str, buffer, to_copy); | |
| str[to_copy] = '\0'; | |
| } | |
| PyMem_FREE(buffer); | |
| #endif | |
| Done: | |
| if (size > 0) | |
| str[size-1] = '\0'; | |
| return len; | |
| #undef _PyOS_vsnprintf_EXTRA_SPACE | |
| } |