#include "Python.h" | |
#include <ctype.h> | |
/* snprintf() wrappers. If the platform has vsnprintf, we use it, else we | |
emulate it in a half-hearted way. Even if the platform has it, we wrap | |
it because platforms differ in what vsnprintf does in case the buffer | |
is too small: C99 behavior is to return the number of characters that | |
would have been written had the buffer not been too small, and to set | |
the last byte of the buffer to \0. At least MS _vsnprintf returns a | |
negative value instead, and fills the entire buffer with non-\0 data. | |
The wrappers ensure that str[size-1] is always \0 upon return. | |
PyOS_snprintf and PyOS_vsnprintf never write more than size bytes | |
(including the trailing '\0') into str. | |
If the platform doesn't have vsnprintf, and the buffer size needed to | |
avoid truncation exceeds size by more than 512, Python aborts with a | |
Py_FatalError. | |
Return value (rv): | |
When 0 <= rv < size, the output conversion was unexceptional, and | |
rv characters were written to str (excluding a trailing \0 byte at | |
str[rv]). | |
When rv >= size, output conversion was truncated, and a buffer of | |
size rv+1 would have been needed to avoid truncation. str[size-1] | |
is \0 in this case. | |
When rv < 0, "something bad happened". str[size-1] is \0 in this | |
case too, but the rest of str is unreliable. It could be that | |
an error in format codes was detected by libc, or on platforms | |
with a non-C99 vsnprintf simply that the buffer wasn't big enough | |
to avoid truncation, or on platforms without any vsnprintf that | |
PyMem_Malloc couldn't obtain space for a temp buffer. | |
CAUTION: Unlike C99, str != NULL and size > 0 are required. | |
*/ | |
int | |
PyOS_snprintf(char *str, size_t size, const char *format, ...) | |
{ | |
int rc; | |
va_list va; | |
va_start(va, format); | |
rc = PyOS_vsnprintf(str, size, format, va); | |
va_end(va); | |
return rc; | |
} | |
int | |
PyOS_vsnprintf(char *str, size_t size, const char *format, va_list va) | |
{ | |
int len; /* # bytes written, excluding \0 */ | |
#ifdef HAVE_SNPRINTF | |
#define _PyOS_vsnprintf_EXTRA_SPACE 1 | |
#else | |
#define _PyOS_vsnprintf_EXTRA_SPACE 512 | |
char *buffer; | |
#endif | |
assert(str != NULL); | |
assert(size > 0); | |
assert(format != NULL); | |
/* We take a size_t as input but return an int. Sanity check | |
* our input so that it won't cause an overflow in the | |
* vsnprintf return value or the buffer malloc size. */ | |
if (size > INT_MAX - _PyOS_vsnprintf_EXTRA_SPACE) { | |
len = -666; | |
goto Done; | |
} | |
#ifdef HAVE_SNPRINTF | |
len = vsnprintf(str, size, format, va); | |
#else | |
/* Emulate it. */ | |
buffer = PyMem_MALLOC(size + _PyOS_vsnprintf_EXTRA_SPACE); | |
if (buffer == NULL) { | |
len = -666; | |
goto Done; | |
} | |
len = vsprintf(buffer, format, va); | |
if (len < 0) | |
/* ignore the error */; | |
else if ((size_t)len >= size + _PyOS_vsnprintf_EXTRA_SPACE) | |
Py_FatalError("Buffer overflow in PyOS_snprintf/PyOS_vsnprintf"); | |
else { | |
const size_t to_copy = (size_t)len < size ? | |
(size_t)len : size - 1; | |
assert(to_copy < size); | |
memcpy(str, buffer, to_copy); | |
str[to_copy] = '\0'; | |
} | |
PyMem_FREE(buffer); | |
#endif | |
Done: | |
if (size > 0) | |
str[size-1] = '\0'; | |
return len; | |
#undef _PyOS_vsnprintf_EXTRA_SPACE | |
} |