HCoop / bpt / emacs.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
* doprnt.c (doprnt): Don't assume string length fits in 'int'.
[bpt/emacs.git] / src / doprnt.c
1 /* Output like sprintf to a buffer of specified size.
2 Also takes args differently: pass one pointer to the end
3 of the format string in addition to the format string itself.
4 Copyright (C) 1985, 2001-2012 Free Software Foundation, Inc.
5
6 This file is part of GNU Emacs.
7
8 GNU Emacs is free software: you can redistribute it and/or modify
9 it under the terms of the GNU General Public License as published by
10 the Free Software Foundation, either version 3 of the License, or
11 (at your option) any later version.
12
13 GNU Emacs is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
17
18 You should have received a copy of the GNU General Public License
19 along with GNU Emacs. If not, see <http://www.gnu.org/licenses/>. */
20
21 /* If you think about replacing this with some similar standard C function of
22 the printf family (such as vsnprintf), please note that this function
23 supports the following Emacs-specific features:
24
25 . For %c conversions, it produces a string with the multibyte representation
26 of the (`int') argument, suitable for display in an Emacs buffer.
27
28 . For %s and %c, when field width is specified (e.g., %25s), it accounts for
29 the display width of each character, according to char-width-table. That
30 is, it does not assume that each character takes one column on display.
31
32 . If the size of the buffer is not enough to produce the formatted string in
33 its entirety, it makes sure that truncation does not chop the last
34 character in the middle of its multibyte sequence, producing an invalid
35 sequence.
36
37 . It accepts a pointer to the end of the format string, so the format string
38 could include embedded null characters.
39
40 . It signals an error if the length of the formatted string is about to
41 overflow MOST_POSITIVE_FIXNUM, to avoid producing strings longer than what
42 Emacs can handle.
43
44 OTOH, this function supports only a small subset of the standard C formatted
45 output facilities. E.g., %u and %ll are not supported, and precision is
46 ignored %s and %c conversions. (See below for the detailed documentation of
47 what is supported.) However, this is okay, as this function is supposed to
48 be called from `error' and similar functions, and thus does not need to
49 support features beyond those in `Fformat', which is used by `error' on the
50 Lisp level. */
51
52 /* This function supports the following %-sequences in the `format'
53 argument:
54
55 %s means print a string argument.
56 %S is silently treated as %s, for loose compatibility with `Fformat'.
57 %d means print a `signed int' argument in decimal.
58 %o means print an `unsigned int' argument in octal.
59 %x means print an `unsigned int' argument in hex.
60 %e means print a `double' argument in exponential notation.
61 %f means print a `double' argument in decimal-point notation.
62 %g means print a `double' argument in exponential notation
63 or in decimal-point notation, whichever uses fewer characters.
64 %c means print a `signed int' argument as a single character.
65 %% means produce a literal % character.
66
67 A %-sequence may contain optional flag, width, and precision specifiers, and
68 a length modifier, as follows:
69
70 %<flags><width><precision><length>character
71
72 where flags is [+ -0], width is [0-9]+, precision is .[0-9]+, and length
73 is empty or l or the value of the pD or pI or pMd (sans "d") macros.
74 Also, %% in a format stands for a single % in the output. A % that
75 does not introduce a valid %-sequence causes undefined behavior.
76
77 The + flag character inserts a + before any positive number, while a space
78 inserts a space before any positive number; these flags only affect %d, %o,
79 %x, %e, %f, and %g sequences. The - and 0 flags affect the width specifier,
80 as described below. For signed numerical arguments only, the ` ' (space)
81 flag causes the result to be prefixed with a space character if it does not
82 start with a sign (+ or -).
83
84 The l (lower-case letter ell) length modifier is a `long' data type
85 modifier: it is supported for %d, %o, and %x conversions of integral
86 arguments, must immediately precede the conversion specifier, and means that
87 the respective argument is to be treated as `long int' or `unsigned long
88 int'. Similarly, the value of the pD macro means to use ptrdiff_t,
89 the value of the pI macro means to use EMACS_INT or EMACS_UINT, the
90 value of the pMd etc. macros means to use intmax_t or uintmax_t,
91 and the empty length modifier means `int' or `unsigned int'.
92
93 The width specifier supplies a lower limit for the length of the printed
94 representation. The padding, if any, normally goes on the left, but it goes
95 on the right if the - flag is present. The padding character is normally a
96 space, but (for numerical arguments only) it is 0 if the 0 flag is present.
97 The - flag takes precedence over the 0 flag.
98
99 For %e, %f, and %g sequences, the number after the "." in the precision
100 specifier says how many decimal places to show; if zero, the decimal point
101 itself is omitted. For %s and %S, the precision specifier is ignored. */
102
103 #include <config.h>
104 #include <stdio.h>
105 #include <ctype.h>
106 #include <setjmp.h>
107 #include <float.h>
108 #include <unistd.h>
109 #include <limits.h>
110
111 #include "lisp.h"
112
113 /* Since we use the macro CHAR_HEAD_P, we have to include this, but
114 don't have to include others because CHAR_HEAD_P does not contains
115 another macro. */
116 #include "character.h"
117
118 #ifndef DBL_MAX_10_EXP
119 #define DBL_MAX_10_EXP 308 /* IEEE double */
120 #endif
121
122 /* Generate output from a format-spec FORMAT,
123 terminated at position FORMAT_END.
124 (*FORMAT_END is not part of the format, but must exist and be readable.)
125 Output goes in BUFFER, which has room for BUFSIZE chars.
126 BUFSIZE must be positive. If the output does not fit, truncate it
127 to fit and return BUFSIZE - 1; if this truncates a multibyte
128 sequence, store '\0' into the sequence's first byte.
129 Returns the number of bytes stored into BUFFER, excluding
130 the terminating null byte. Output is always null-terminated.
131 String arguments are passed as C strings.
132 Integers are passed as C integers. */
133
134 ptrdiff_t
135 doprnt (char *buffer, ptrdiff_t bufsize, const char *format,
136 const char *format_end, va_list ap)
137 {
138 const char *fmt = format; /* Pointer into format string. */
139 char *bufptr = buffer; /* Pointer into output buffer. */
140
141 /* Use this for sprintf unless we need something really big. */
142 char tembuf[DBL_MAX_10_EXP + 100];
143
144 /* Size of sprintf_buffer. */
145 ptrdiff_t size_allocated = sizeof (tembuf);
146
147 /* Buffer to use for sprintf. Either tembuf or same as BIG_BUFFER. */
148 char *sprintf_buffer = tembuf;
149
150 /* Buffer we have got with malloc. */
151 char *big_buffer = NULL;
152
153 ptrdiff_t tem = -1;
154 char *string;
155 char fixed_buffer[20]; /* Default buffer for small formatting. */
156 char *fmtcpy;
157 int minlen;
158 char charbuf[MAX_MULTIBYTE_LENGTH + 1]; /* Used for %c. */
159 USE_SAFE_ALLOCA;
160
161 if (format_end == 0)
162 format_end = format + strlen (format);
163
164 if (format_end - format < sizeof (fixed_buffer) - 1)
165 fmtcpy = fixed_buffer;
166 else
167 SAFE_ALLOCA (fmtcpy, char *, format_end - format + 1);
168
169 bufsize--;
170
171 /* Loop until end of format string or buffer full. */
172 while (fmt < format_end && bufsize > 0)
173 {
174 if (*fmt == '%') /* Check for a '%' character */
175 {
176 ptrdiff_t size_bound = 0;
177 ptrdiff_t width; /* Columns occupied by STRING on display. */
178 enum {
179 pDlen = sizeof pD - 1,
180 pIlen = sizeof pI - 1,
181 pMlen = sizeof pMd - 2
182 };
183 enum {
184 no_modifier, long_modifier, pD_modifier, pI_modifier, pM_modifier
185 } length_modifier = no_modifier;
186 static char const modifier_len[] = { 0, 1, pDlen, pIlen, pMlen };
187 int maxmlen = max (max (1, pDlen), max (pIlen, pMlen));
188 int mlen;
189
190 fmt++;
191 /* Copy this one %-spec into fmtcpy. */
192 string = fmtcpy;
193 *string++ = '%';
194 while (fmt < format_end)
195 {
196 *string++ = *fmt;
197 if ('0' <= *fmt && *fmt <= '9')
198 {
199 /* Get an idea of how much space we might need.
200 This might be a field width or a precision; e.g.
201 %1.1000f and %1000.1f both might need 1000+ bytes.
202 Parse the width or precision, checking for overflow. */
203 ptrdiff_t n = *fmt - '0';
204 while (fmt + 1 < format_end
205 && '0' <= fmt[1] && fmt[1] <= '9')
206 {
207 /* Avoid ptrdiff_t, size_t, and int overflow, as
208 many sprintfs mishandle widths greater than INT_MAX.
209 This test is simple but slightly conservative: e.g.,
210 (INT_MAX - INT_MAX % 10) is reported as an overflow
211 even when it's not. */
212 if (n >= min (INT_MAX, min (PTRDIFF_MAX, SIZE_MAX)) / 10)
213 error ("Format width or precision too large");
214 n = n * 10 + fmt[1] - '0';
215 *string++ = *++fmt;
216 }
217
218 if (size_bound < n)
219 size_bound = n;
220 }
221 else if (! (*fmt == '-' || *fmt == ' ' || *fmt == '.'
222 || *fmt == '+'))
223 break;
224 fmt++;
225 }
226
227 /* Check for the length modifiers in textual length order, so
228 that longer modifiers override shorter ones. */
229 for (mlen = 1; mlen <= maxmlen; mlen++)
230 {
231 if (format_end - fmt < mlen)
232 break;
233 if (mlen == 1 && *fmt == 'l')
234 length_modifier = long_modifier;
235 if (mlen == pDlen && memcmp (fmt, pD, pDlen) == 0)
236 length_modifier = pD_modifier;
237 if (mlen == pIlen && memcmp (fmt, pI, pIlen) == 0)
238 length_modifier = pI_modifier;
239 if (mlen == pMlen && memcmp (fmt, pMd, pMlen) == 0)
240 length_modifier = pM_modifier;
241 }
242
243 mlen = modifier_len[length_modifier];
244 memcpy (string, fmt + 1, mlen);
245 string += mlen;
246 fmt += mlen;
247 *string = 0;
248
249 /* Make the size bound large enough to handle floating point formats
250 with large numbers. */
251 if (size_bound > min (PTRDIFF_MAX, SIZE_MAX) - DBL_MAX_10_EXP - 50)
252 error ("Format width or precision too large");
253 size_bound += DBL_MAX_10_EXP + 50;
254
255 /* Make sure we have that much. */
256 if (size_bound > size_allocated)
257 {
258 if (big_buffer)
259 xfree (big_buffer);
260 big_buffer = (char *) xmalloc (size_bound);
261 sprintf_buffer = big_buffer;
262 size_allocated = size_bound;
263 }
264 minlen = 0;
265 switch (*fmt++)
266 {
267 default:
268 error ("Invalid format operation %s", fmtcpy);
269
270 /* case 'b': */
271 case 'l':
272 case 'd':
273 switch (length_modifier)
274 {
275 case no_modifier:
276 {
277 int v = va_arg (ap, int);
278 tem = sprintf (sprintf_buffer, fmtcpy, v);
279 }
280 break;
281 case long_modifier:
282 {
283 long v = va_arg (ap, long);
284 tem = sprintf (sprintf_buffer, fmtcpy, v);
285 }
286 break;
287 case pD_modifier:
288 signed_pD_modifier:
289 {
290 ptrdiff_t v = va_arg (ap, ptrdiff_t);
291 tem = sprintf (sprintf_buffer, fmtcpy, v);
292 }
293 break;
294 case pI_modifier:
295 {
296 EMACS_INT v = va_arg (ap, EMACS_INT);
297 tem = sprintf (sprintf_buffer, fmtcpy, v);
298 }
299 break;
300 case pM_modifier:
301 {
302 intmax_t v = va_arg (ap, intmax_t);
303 tem = sprintf (sprintf_buffer, fmtcpy, v);
304 }
305 break;
306 }
307 /* Now copy into final output, truncating as necessary. */
308 string = sprintf_buffer;
309 goto doit;
310
311 case 'o':
312 case 'x':
313 switch (length_modifier)
314 {
315 case no_modifier:
316 {
317 unsigned v = va_arg (ap, unsigned);
318 tem = sprintf (sprintf_buffer, fmtcpy, v);
319 }
320 break;
321 case long_modifier:
322 {
323 unsigned long v = va_arg (ap, unsigned long);
324 tem = sprintf (sprintf_buffer, fmtcpy, v);
325 }
326 break;
327 case pD_modifier:
328 goto signed_pD_modifier;
329 case pI_modifier:
330 {
331 EMACS_UINT v = va_arg (ap, EMACS_UINT);
332 tem = sprintf (sprintf_buffer, fmtcpy, v);
333 }
334 break;
335 case pM_modifier:
336 {
337 uintmax_t v = va_arg (ap, uintmax_t);
338 tem = sprintf (sprintf_buffer, fmtcpy, v);
339 }
340 break;
341 }
342 /* Now copy into final output, truncating as necessary. */
343 string = sprintf_buffer;
344 goto doit;
345
346 case 'f':
347 case 'e':
348 case 'g':
349 {
350 double d = va_arg (ap, double);
351 tem = sprintf (sprintf_buffer, fmtcpy, d);
352 /* Now copy into final output, truncating as necessary. */
353 string = sprintf_buffer;
354 goto doit;
355 }
356
357 case 'S':
358 string[-1] = 's';
359 case 's':
360 if (fmtcpy[1] != 's')
361 minlen = atoi (&fmtcpy[1]);
362 string = va_arg (ap, char *);
363 tem = strlen (string);
364 if (STRING_BYTES_BOUND < tem)
365 error ("String for %%s or %%S format is too long");
366 width = strwidth (string, tem);
367 goto doit1;
368
369 /* Copy string into final output, truncating if no room. */
370 doit:
371 eassert (0 <= tem);
372 /* Coming here means STRING contains ASCII only. */
373 if (STRING_BYTES_BOUND < tem)
374 error ("Format width or precision too large");
375 width = tem;
376 doit1:
377 /* We have already calculated:
378 TEM -- length of STRING,
379 WIDTH -- columns occupied by STRING when displayed, and
380 MINLEN -- minimum columns of the output. */
381 if (minlen > 0)
382 {
383 while (minlen > width && bufsize > 0)
384 {
385 *bufptr++ = ' ';
386 bufsize--;
387 minlen--;
388 }
389 minlen = 0;
390 }
391 if (tem > bufsize)
392 {
393 /* Truncate the string at character boundary. */
394 tem = bufsize;
395 do
396 {
397 tem--;
398 if (CHAR_HEAD_P (string[tem]))
399 {
400 if (BYTES_BY_CHAR_HEAD (string[tem]) <= bufsize - tem)
401 tem = bufsize;
402 break;
403 }
404 }
405 while (tem != 0);
406
407 memcpy (bufptr, string, tem);
408 bufptr[tem] = 0;
409 /* Trigger exit from the loop, but make sure we
410 return to the caller a value which will indicate
411 that the buffer was too small. */
412 bufptr += bufsize;
413 bufsize = 0;
414 continue;
415 }
416 memcpy (bufptr, string, tem);
417 bufptr += tem;
418 bufsize -= tem;
419 if (minlen < 0)
420 {
421 while (minlen < - width && bufsize > 0)
422 {
423 *bufptr++ = ' ';
424 bufsize--;
425 minlen++;
426 }
427 minlen = 0;
428 }
429 continue;
430
431 case 'c':
432 {
433 int chr = va_arg (ap, int);
434 tem = CHAR_STRING (chr, (unsigned char *) charbuf);
435 string = charbuf;
436 string[tem] = 0;
437 width = strwidth (string, tem);
438 if (fmtcpy[1] != 'c')
439 minlen = atoi (&fmtcpy[1]);
440 goto doit1;
441 }
442
443 case '%':
444 fmt--; /* Drop thru and this % will be treated as normal */
445 }
446 }
447
448 {
449 /* Just some character; Copy it if the whole multi-byte form
450 fit in the buffer. */
451 char *save_bufptr = bufptr;
452
453 do { *bufptr++ = *fmt++; }
454 while (fmt < format_end && --bufsize > 0 && !CHAR_HEAD_P (*fmt));
455 if (!CHAR_HEAD_P (*fmt))
456 {
457 /* Truncate, but return value that will signal to caller
458 that the buffer was too small. */
459 *save_bufptr = 0;
460 break;
461 }
462 }
463 };
464
465 /* If we had to malloc something, free it. */
466 xfree (big_buffer);
467
468 *bufptr = 0; /* Make sure our string ends with a '\0' */
469
470 SAFE_FREE ();
471 return bufptr - buffer;
472 }
473
474 /* Format to an unbounded buffer BUF. This is like sprintf, except it
475 is not limited to returning an 'int' so it doesn't have a silly 2
476 GiB limit on typical 64-bit hosts. However, it is limited to the
477 Emacs-style formats that doprnt supports.
478
479 Return the number of bytes put into BUF, excluding the terminating
480 '\0'. */
481 ptrdiff_t
482 esprintf (char *buf, char const *format, ...)
483 {
484 ptrdiff_t nbytes;
485 va_list ap;
486 va_start (ap, format);
487 nbytes = doprnt (buf, TYPE_MAXIMUM (ptrdiff_t), format, 0, ap);
488 va_end (ap);
489 return nbytes;
490 }
491
492 #if defined HAVE_X_WINDOWS && defined USE_X_TOOLKIT
493
494 /* Format to buffer *BUF of positive size *BUFSIZE, reallocating *BUF
495 and updating *BUFSIZE if the buffer is too small, and otherwise
496 behaving line esprintf. When reallocating, free *BUF unless it is
497 equal to NONHEAPBUF, and if BUFSIZE_MAX is nonnegative then signal
498 memory exhaustion instead of growing the buffer size past
499 BUFSIZE_MAX. */
500 ptrdiff_t
501 exprintf (char **buf, ptrdiff_t *bufsize,
502 char const *nonheapbuf, ptrdiff_t bufsize_max,
503 char const *format, ...)
504 {
505 ptrdiff_t nbytes;
506 va_list ap;
507 va_start (ap, format);
508 nbytes = evxprintf (buf, bufsize, nonheapbuf, bufsize_max, format, ap);
509 va_end (ap);
510 return nbytes;
511 }
512
513 #endif
514
515 /* Act like exprintf, except take a va_list. */
516 ptrdiff_t
517 evxprintf (char **buf, ptrdiff_t *bufsize,
518 char const *nonheapbuf, ptrdiff_t bufsize_max,
519 char const *format, va_list ap)
520 {
521 for (;;)
522 {
523 ptrdiff_t nbytes;
524 va_list ap_copy;
525 va_copy (ap_copy, ap);
526 nbytes = doprnt (*buf, *bufsize, format, 0, ap_copy);
527 va_end (ap_copy);
528 if (nbytes < *bufsize - 1)
529 return nbytes;
530 if (*buf != nonheapbuf)
531 xfree (*buf);
532 *buf = xpalloc (NULL, bufsize, 1, bufsize_max, 1);
533 }
534 }
Unnamed repository; edit this file 'description' to name the repository.