1 /*
   2  * Copyright (c) 2013, Oracle and/or its affiliates. All rights reserved.
   3  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
   4  *
   5  * This code is free software; you can redistribute it and/or modify it
   6  * under the terms of the GNU General Public License version 2 only, as
   7  * published by the Free Software Foundation.  Oracle designates this
   8  * particular file as subject to the "Classpath" exception as provided
   9  * by Oracle in the LICENSE file that accompanied this code.
  10  *
  11  * This code is distributed in the hope that it will be useful, but WITHOUT
  12  * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  13  * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  14  * version 2 for more details (a copy is included in the LICENSE file that
  15  * accompanied this code).
  16  *
  17  * You should have received a copy of the GNU General Public License version
  18  * 2 along with this work; if not, write to the Free Software Foundation,
  19  * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
  20  *
  21  * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
  22  * or visit www.oracle.com if you need additional information or have any
  23  * questions.
  24  */
  25 
  26 #ifndef SIZECALC_H
  27 #define SIZECALC_H
  28 
  29 /*
  30  * A machinery for safe calculation of sizes used when allocating memory.
  31  *
  32  * All size checks are performed against the SIZE_MAX (the maximum value for
  33  * size_t). All numerical arguments as well as the result of calculation must
  34  * be non-negative integers less than or equal to SIZE_MAX, otherwise the
  35  * calculated size is considered unsafe.
  36  *
  37  * If the SIZECALC_ALLOC_THROWING_BAD_ALLOC macro is defined, then _ALLOC_
  38  * helper macros throw the std::bad_alloc instead of returning NULL.
  39  */
  40 
  41 #include <stdint.h> /* SIZE_MAX for C99+ */
  42 /* http://stackoverflow.com/questions/3472311/what-is-a-portable-method-to-find-the-maximum-value-of-size-t */
  43 #ifndef SIZE_MAX
  44 #define SIZE_MAX ((size_t)-1)
  45 #endif
  46 
  47 #define IS_SAFE_SIZE_T(x) (((x) + 1) > 0 && (unsigned long long)(x) - 1u < SIZE_MAX)
  48 
  49 #define IS_SAFE_SIZE_MUL(m, n) \
  50     (IS_SAFE_SIZE_T(m) && IS_SAFE_SIZE_T(n) && ((m) == 0 || (n) == 0 || (size_t)(n) <= (SIZE_MAX / (size_t)(m))))
  51 
  52 #define IS_SAFE_SIZE_ADD(a, b) \
  53     (IS_SAFE_SIZE_T(a) && IS_SAFE_SIZE_T(b) && (size_t)(b) <= (SIZE_MAX - (size_t)(a)))
  54 
  55 
  56 
  57 /* Helper macros */
  58 
  59 #ifdef SIZECALC_ALLOC_THROWING_BAD_ALLOC
  60 #define FAILURE_RESULT throw std::bad_alloc()
  61 #else
  62 #define FAILURE_RESULT NULL
  63 #endif
  64 
  65 /*
  66  * A helper macro to safely allocate an array of size m*n.
  67  * Example usage:
  68  *    int* p = (int*)SAFE_SIZE_ARRAY_ALLOC(malloc, sizeof(int), n);
  69  *    if (!p) throw OutOfMemory;
  70  *    // Use the allocated array...
  71  */
  72 #define SAFE_SIZE_ARRAY_ALLOC(func, m, n) \
  73     (IS_SAFE_SIZE_MUL((m), (n)) ? ((func)((m) * (n))) : FAILURE_RESULT)
  74 
  75 #define SAFE_SIZE_ARRAY_REALLOC(func, p, m, n) \
  76     (IS_SAFE_SIZE_MUL((m), (n)) ? ((func)((p), (m) * (n))) : FAILURE_RESULT)
  77 
  78 /*
  79  * A helper macro to safely allocate an array of type 'type' with 'n' items
  80  * using the C++ new[] operator.
  81  * Example usage:
  82  *    MyClass* p = SAFE_SIZE_NEW_ARRAY(MyClass, n);
  83  *    // Use the pointer.
  84  * This macro throws the std::bad_alloc C++ exception to indicate
  85  * a failure.
  86  * NOTE: if 'n' is calculated, the calling code is responsible for using the
  87  * IS_SAFE_... macros to check if the calculations are safe.
  88  */
  89 #define SAFE_SIZE_NEW_ARRAY(type, n) \
  90     (IS_SAFE_SIZE_MUL(sizeof(type), (n)) ? (new type[(n)]) : throw std::bad_alloc())
  91 
  92 #define SAFE_SIZE_NEW_ARRAY2(type, n, m) \
  93     (IS_SAFE_SIZE_MUL((m), (n)) && IS_SAFE_SIZE_MUL(sizeof(type), (n) * (m)) ? \
  94      (new type[(n) * (m)]) : throw std::bad_alloc())
  95 
  96 /*
  97  * Checks if a data structure of size (a + m*n) can be safely allocated
  98  * w/o producing an integer overflow when calculating its size.
  99  */
 100 #define IS_SAFE_STRUCT_SIZE(a, m, n) \
 101     ( \
 102       IS_SAFE_SIZE_MUL((m), (n)) && IS_SAFE_SIZE_ADD((m) * (n), (a)) \
 103     )
 104 
 105 /*
 106  * A helper macro for implementing safe memory allocation for a data structure
 107  * of size (a + m * n).
 108  * Example usage:
 109  *    void * p = SAFE_SIZE_ALLOC(malloc, header, num, itemSize);
 110  *    if (!p) throw OutOfMemory;
 111  *    // Use the allocated memory...
 112  */
 113 #define SAFE_SIZE_STRUCT_ALLOC(func, a, m, n) \
 114     (IS_SAFE_STRUCT_SIZE((a), (m), (n)) ? ((func)((a) + (m) * (n))) : FAILURE_RESULT)
 115 
 116 
 117 #endif /* SIZECALC_H */
 118