From: Eric Blake <eblake@redhat.com>
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Hanna Czenczek <hreitz@redhat.com>
Subject: [PULL 07/21] cutils: Fix wraparound parsing in qemu_strtoui
Date: Thu, 1 Jun 2023 17:02:51 -0500 [thread overview]
Message-ID: <20230601220305.2130121-8-eblake@redhat.com> (raw)
In-Reply-To: <20230601220305.2130121-1-eblake@redhat.com>
While we were matching 32-bit strtol in qemu_strtoi, our use of a
64-bit parse was leaking through for some inaccurate answers in
qemu_strtoui in comparison to a 32-bit strtoul (see the unit test for
examples). The comment for that function even described what we have
to do for a correct parse, but didn't implement it correctly: since
strtoull checks for overflow against the wrong values and then
negates, we have to temporarily undo negation before checking for
overflow against our desired value.
Our int wrappers would be a lot easier to write if libc had a
guaranteed 32-bit parser even on platforms with 64-bit long.
Whether we parse C2x binary strings like "0b1000" is currently up to
what libc does; our unit tests intentionally don't cover that at the
moment, though.
Fixes: 473a2a331e ("cutils: add qemu_strtoi & qemu_strtoui parsers for int/unsigned int types", v2.12.0)
Signed-off-by: Eric Blake <eblake@redhat.com>
CC: qemu-stable@nongnu.org
Message-Id: <20230522190441.64278-6-eblake@redhat.com>
Reviewed-by: Hanna Czenczek <hreitz@redhat.com>
---
tests/unit/test-cutils.c | 20 +++++++++-----------
util/cutils.c | 25 +++++++++++++++++++------
2 files changed, 28 insertions(+), 17 deletions(-)
diff --git a/tests/unit/test-cutils.c b/tests/unit/test-cutils.c
index 011123a2111..ce71900cb73 100644
--- a/tests/unit/test-cutils.c
+++ b/tests/unit/test-cutils.c
@@ -909,7 +909,7 @@ static void test_qemu_strtoui_hex(void)
static void test_qemu_strtoui_wrap(void)
{
- /* FIXME - wraparound should be consistent with 32-bit strtoul */
+ /* wraparound is consistent with 32-bit strtoul */
const char *str = "-4294967295"; /* 1 mod 2^32 */
char f = 'X';
const char *endptr = &f;
@@ -918,8 +918,8 @@ static void test_qemu_strtoui_wrap(void)
err = qemu_strtoui(str, &endptr, 0, &res);
- g_assert_cmpint(err, ==, -ERANGE /* FIXME 0 */);
- g_assert_cmphex(res, ==, UINT_MAX /* FIXME 1 */);
+ g_assert_cmpint(err, ==, 0);
+ g_assert_cmphex(res, ==, 1);
g_assert_true(endptr == str + strlen(str));
}
@@ -978,13 +978,12 @@ static void test_qemu_strtoui_overflow(void)
g_assert_cmpuint(res, ==, UINT_MAX);
g_assert_true(endptr == str + strlen(str));
- /* FIXME - overflow should be consistent with 32-bit strtoul */
str = "0xfffffffffffffffe"; /* ULLONG_MAX - 1 (not UINT_MAX - 1) */
endptr = "somewhere";
res = 999;
err = qemu_strtoui(str, &endptr, 0, &res);
- g_assert_cmpint(err, ==, 0 /* FIXME -ERANGE */);
- g_assert_cmpuint(res, ==, UINT_MAX - 1 /* FIXME UINT_MAX */);
+ g_assert_cmpint(err, ==, -ERANGE);
+ g_assert_cmpuint(res, ==, UINT_MAX);
g_assert_true(endptr == str + strlen(str));
str = "0x10000000000000000"; /* 65 bits, 32-bit sign bit clear */
@@ -1019,21 +1018,20 @@ static void test_qemu_strtoui_underflow(void)
g_assert_cmpuint(res, ==, UINT_MAX);
g_assert_true(endptr == str + strlen(str));
- /* FIXME - overflow should be consistent with 32-bit strtoul */
str = "-18446744073709551615"; /* -UINT64_MAX (not -(-1)) */
endptr = "somewhere";
res = 999;
err = qemu_strtoui(str, &endptr, 0, &res);
- g_assert_cmpint(err, ==, 0 /* FIXME -ERANGE */);
- g_assert_cmpuint(res, ==, 1 /* FIXME UINT_MAX */);
+ g_assert_cmpint(err, ==, -ERANGE);
+ g_assert_cmpuint(res, ==, UINT_MAX);
g_assert_true(endptr == str + strlen(str));
str = "-0xffffffff00000002";
endptr = "somewhere";
res = 999;
err = qemu_strtoui(str, &endptr, 0, &res);
- g_assert_cmpint(err, ==, 0 /* FIXME -ERANGE */);
- g_assert_cmpuint(res, ==, UINT_MAX - 1 /* FIXME UINT_MAX */);
+ g_assert_cmpint(err, ==, -ERANGE);
+ g_assert_cmpuint(res, ==, UINT_MAX);
g_assert_true(endptr == str + strlen(str));
str = "-0x10000000000000000"; /* 65 bits, 32-bit sign bit clear */
diff --git a/util/cutils.c b/util/cutils.c
index 5887e744140..9b6ce9179c4 100644
--- a/util/cutils.c
+++ b/util/cutils.c
@@ -391,6 +391,9 @@ static int check_strtox_error(const char *nptr, char *ep,
* and return -ERANGE.
*
* Else store the converted value in @result, and return zero.
+ *
+ * This matches the behavior of strtol() on 32-bit platforms, even on
+ * platforms where long is 64-bits.
*/
int qemu_strtoi(const char *nptr, const char **endptr, int base,
int *result)
@@ -443,13 +446,15 @@ int qemu_strtoi(const char *nptr, const char **endptr, int base,
*
* Note that a number with a leading minus sign gets converted without
* the minus sign, checked for overflow (see above), then negated (in
- * @result's type). This is exactly how strtoul() works.
+ * @result's type). This matches the behavior of strtoul() on 32-bit
+ * platforms, even on platforms where long is 64-bits.
*/
int qemu_strtoui(const char *nptr, const char **endptr, int base,
unsigned int *result)
{
char *ep;
- long long lresult;
+ unsigned long long lresult;
+ bool neg;
assert((unsigned) base <= 36 && base != 1);
if (!nptr) {
@@ -466,14 +471,22 @@ int qemu_strtoui(const char *nptr, const char **endptr, int base,
if (errno == ERANGE) {
*result = -1;
} else {
+ /*
+ * Note that platforms with 32-bit strtoul only accept input
+ * in the range [-4294967295, 4294967295]; but we used 64-bit
+ * strtoull which wraps -18446744073709551615 to 1 instead of
+ * declaring overflow. So we must check if '-' was parsed,
+ * and if so, undo the negation before doing our bounds check.
+ */
+ neg = memchr(nptr, '-', ep - nptr) != NULL;
+ if (neg) {
+ lresult = -lresult;
+ }
if (lresult > UINT_MAX) {
*result = UINT_MAX;
errno = ERANGE;
- } else if (lresult < INT_MIN) {
- *result = UINT_MAX;
- errno = ERANGE;
} else {
- *result = lresult;
+ *result = neg ? -lresult : lresult;
}
}
return check_strtox_error(nptr, ep, endptr, lresult == 0, errno);
--
2.40.1
next prev parent reply other threads:[~2023-06-01 22:06 UTC|newest]
Thread overview: 32+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-06-01 22:02 [PULL 00/21] NBD and miscellaneous patches for 2023-06-01 Eric Blake
2023-06-01 22:02 ` [PULL 01/21] iotests: Fix test 104 under NBD Eric Blake
2023-06-01 22:02 ` [PULL 02/21] qcow2: Explicit mention of padding bytes Eric Blake
2023-06-01 22:02 ` [PULL 03/21] test-cutils: Avoid g_assert in unit tests Eric Blake
2023-06-01 22:02 ` [PULL 04/21] test-cutils: Use g_assert_cmpuint where appropriate Eric Blake
2023-06-01 22:02 ` [PULL 05/21] test-cutils: Test integral qemu_strto* value on failures Eric Blake
2023-06-01 22:02 ` [PULL 06/21] test-cutils: Test more integer corner cases Eric Blake
2023-06-02 12:34 ` Eric Blake
2023-06-01 22:02 ` Eric Blake [this message]
2023-06-03 8:17 ` [PULL 07/21] cutils: Fix wraparound parsing in qemu_strtoui Michael Tokarev
2023-06-05 13:32 ` Eric Blake
2023-06-01 22:02 ` [PULL 08/21] cutils: Document differences between parse_uint and qemu_strtou64 Eric Blake
2023-06-01 22:02 ` [PULL 09/21] cutils: Adjust signature of parse_uint[_full] Eric Blake
2023-06-02 6:16 ` Markus Armbruster
2023-06-02 12:22 ` Eric Blake
2023-06-01 22:02 ` [PULL 10/21] cutils: Allow NULL endptr in parse_uint() Eric Blake
2023-06-01 22:02 ` [PULL 11/21] test-cutils: Add coverage of qemu_strtod Eric Blake
2023-06-01 22:02 ` [PULL 12/21] test-cutils: Prepare for upcoming semantic change in qemu_strtosz Eric Blake
2023-06-01 22:02 ` [PULL 13/21] test-cutils: Refactor qemu_strtosz tests for less boilerplate Eric Blake
2023-06-01 22:02 ` [PULL 14/21] cutils: Allow NULL str in qemu_strtosz Eric Blake
2023-06-01 22:02 ` [PULL 15/21] numa: Check for qemu_strtosz_MiB error Eric Blake
2023-06-01 22:03 ` [PULL 16/21] test-cutils: Add more coverage to qemu_strtosz Eric Blake
2023-06-01 22:03 ` [PULL 17/21] cutils: Set value in all qemu_strtosz* error paths Eric Blake
2023-06-01 22:03 ` [PULL 18/21] cutils: Set value in all integral qemu_strto* " Eric Blake
2023-06-01 22:03 ` [PULL 19/21] cutils: Use parse_uint in qemu_strtosz for negative rejection Eric Blake
2023-06-01 22:03 ` [PULL 20/21] cutils: Improve qemu_strtod* error paths Eric Blake
2023-06-01 22:03 ` [PULL 21/21] cutils: Improve qemu_strtosz handling of fractions Eric Blake
2023-06-02 3:58 ` [PULL 00/21] NBD and miscellaneous patches for 2023-06-01 Richard Henderson
2023-06-02 12:27 ` Eric Blake
2023-06-02 6:32 ` Conclusion of yet another expensive UI folly (was: [PULL 00/21] NBD and miscellaneous patches for 2023-06-01) Markus Armbruster
2023-06-02 12:29 ` Eric Blake
2023-06-02 13:02 ` Conclusion of yet another expensive UI folly Markus Armbruster
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20230601220305.2130121-8-eblake@redhat.com \
--to=eblake@redhat.com \
--cc=hreitz@redhat.com \
--cc=qemu-devel@nongnu.org \
--cc=qemu-stable@nongnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).