safec 3.9
Safe C Library - ISO TR24731 Bounds Checking Interface
|
#include "safe_config.h"
#include "safe_lib_errno.h"
#include "safe_types.h"
#include "safe_compile.h"
#include <time.h>
Macros | |
#define | EXTERN extern |
#define | sl_default_handler ignore_handler_s |
#define | TMP_MAX_S 308915776 |
#define | L_tmpnam_s 1024 |
#define | tmpnam_s(dest, dmax) |
Creates a unique valid file name (no longer than L_tmpnam in length) and stores it in character string pointed to by filename. | |
#define | gets_s(dest, dmax) |
The gets_s function reads characters from stdin until a newline is found or end-of-file occurs. | |
#define | asctime_s(dest, dmax, tm) |
The asctime_s function converts the given calendar time tm to a textual representation of the following fixed 25-character form: "Www Mmm dd hh:mm:ss yyyy\n" , as with asctime. | |
#define | ctime_s(dest, dmax, timer) |
The ctime_s function converts the given time since epoch to a calendar local time and then to a textual representation, as if by calling asctime_s(buffer, bufsz, localtime_s(time, &(struct tm){0})) . | |
#define | getenv_s(len, dest, dmax, name) |
The getenv_s function searches for an environmental variable with name name in the host-specified environment list and returns a pointer to the string that is associated with the matched environment variable. | |
#define | bsearch_s(key, base, nmemb, size, compar, context) |
The bsearch_s function finds an element equal to element pointed to by key in an array pointed to by base. | |
#define | qsort_s(base, nmemb, size, compar, context) |
The qsort_s function sorts the given array pointed to by base in ascending order. | |
Functions | |
EXTERN void | abort_handler_s (const char *restrict msg, void *restrict ptr, errno_t error) |
This function writes a message on the standard error stream in an implementation-defined format. | |
EXTERN void | ignore_handler_s (const char *restrict msg, void *restrict ptr, errno_t error) |
This function simply returns to the caller. | |
EXTERN errno_t | _tmpnam_s_chk (const char *dest, rsize_t dmax, const size_t destbos) BOS_OVR2Z(dest |
EXTERN char * | _gets_s_chk (char *dest, rsize_t dmax, const size_t destbos) BOS_CHK(dest) |
EXTERN errno_t | tmpfile_s (FILE *restrict *restrict streamptr) |
The tmpfile_s function creates a temporary binary file that is different from any other existing file and that will automatically be removed when it is closed or at program termination. | |
EXTERN errno_t | fopen_s (FILE *restrict *restrict streamptr, const char *restrict filename, const char *restrict mode) |
The fopen_s function opens a file indicated by filename and updates the pointer to the file stream associated with that file. | |
EXTERN errno_t | freopen_s (FILE *restrict *restrict newstreamptr, const char *restrict filename, const char *restrict mode, FILE *restrict stream) |
The freopen_s function first, attempts to close the file associated with the stream, ignoring any errors. | |
EXTERN errno_t | _asctime_s_chk (char *dest, rsize_t dmax, const struct tm *tm, const size_t destbos) BOS_CHK(dest) BOS_ATTR(dmax< 26 |
EXTERN errno_t dmax underflow | BOS_NULL (tm) |
EXTERN errno_t | _ctime_s_chk (char *dest, rsize_t dmax, const time_t *timer, const size_t destbos) BOS_CHK(dest) BOS_ATTR(dmax< 26 |
EXTERN errno_t dmax underflow | BOS_NULL (timer) |
EXTERN struct tm * | gmtime_s (const time_t *restrict timer, struct tm *restrict dest) BOS_NULL(timer) BOS_NULL(dest) |
The gmtime_s function converts the given time since epoch to a calendar time, expressed in Coordinated Universal Time (UTC) in the struct tm format. | |
EXTERN struct tm * | localtime_s (const time_t *restrict timer, struct tm *restrict dest) BOS_NULL(timer) BOS_NULL(dest) |
The localtime_s function converts the given time since epoch to a calendar time, expressed in the current timezone in the struct tm format. | |
EXTERN errno_t | _getenv_s_chk (size_t *restrict len, char *restrict dest, rsize_t dmax, const char *restrict name, const size_t destbos) BOS_CHK_BUTZERO(dest |
EXTERN errno_t dmax | BOS_ATTR (_BOS_NULL(name), "empty name") |
EXTERN void * | _bsearch_s_chk (const void *key, const void *base, rsize_t nmemb, rsize_t size, int(*compar)(const void *k, const void *y, void *context), void *context, const size_t basebos) BOS_ATTR(nmemb &&(_BOS_NULL(key)||_BOS_NULL(base)||_BOS_ZERO(base |
EXTERN void nmemb empty buf or bufsize | BOS_OVR2_BUTNULL (base, nmemb *size) BOS_ATTR(nmemb &&!compar |
EXTERN errno_t | _qsort_s_chk (void *base, rsize_t nmemb, rsize_t size, int(*compar)(const void *x, const void *y, void *context), void *context, const size_t basebos) BOS_ATTR(nmemb &&(_BOS_NULL(base)||_BOS_ZERO(base |
Variables | |
EXTERN errno_t | dmax |
EXTERN void nmemb * | size |
EXTERN void nmemb empty buf or bufsize empty | compar |
#define EXTERN extern |
#define sl_default_handler ignore_handler_s |
#define TMP_MAX_S 308915776 |
#define L_tmpnam_s 1024 |
Creates a unique valid file name (no longer than L_tmpnam in length) and stores it in character string pointed to by filename.
The function is capable of generating up to TMP_MAX_S of unique filenames, but some or all of them may be in use in the filesystem and thus not suitable return values.
[out] | dest | pointer to the string capable of holding at least L_tmpnam_s bytes, to be used as a result buffer. |
[in] | dmax | maximum number of characters the function is allowed to write (typically the size of the dest buffer). |
EOK | on success |
ESNULLP | when dest is a NULL pointer |
ESZEROL | when dmax = 0 |
ESLEMAX | when dmax > RSIZE_MAX_STR or more than TMP_MAX_S files were opened. |
EOVERFLOW | when dmax > size of dest (optionally, when the compiler knows the object_size statically) |
ESLEWRNG | when dmax != size of dest and –enable-error-dmax |
errno() | when tmpnam() failed, typically -ENOENT |
POSIX systems additionally define the similarly named function tempnam(), which offers the choice of a directory (which defaults to the optionally defined macro P_tmpdir).
The gets_s
function reads characters from stdin until a newline is found or end-of-file occurs.
Writes only at most dmax characters into the array pointed to by str, and always writes the terminating null character.
Note that C11 allows only writing dmax-1 character. We need to work with the system fgets() passing it dmax+1. In any case, gets_s first finishes reading and discarding the characters from stdin until new-line character, end-of-file condition, or read error before calling the constraint handler. With SAFECLIB_STR_NULL_SLACK the rest of dmax is cleared with NULL bytes, without all elements following the terminating NUL character (if any) written by gets_s in the array of dmax characters pointed to by dest take unspecified values when gets_s returns.
[out] | dest | character string to be written. If the resulting concatenated string is less than dmax, the remaining slack space is nulled. |
[in] | dmax | restricted maximum length of the resulting dest, including the null. it may temp. write dmax+1, but always return max dmax. |
int | >0 when on successful operation, all the characters from src were appended to dest and the result in dest is null terminated. |
errno=ESNULLP | when dest is a NULL pointer |
errno=ESZEROL | when dmax = 0 |
errno=ESLEMAX | when dmax > RSIZE_MAX_STR |
errno=EOVERFLOW | when dmax > size of dest |
errno=ESUNTERM | endline or eof not encountered after storing dmax-1 characters to dest. |
The asctime_s
function converts the given calendar time tm
to a textual representation of the following fixed 25-character form: "Www Mmm dd hh:mm:ss yyyy\n"
, as with asctime.
The message is copied into user-provided dest
buffer, which is guaranteed to be null-terminated.
No more than dmax-1 bytes are written, the buffer is always null-terminated. Uses the re-entrant asctime_r()
if available.
[out] | dest | pointer to a user-provided buffer. |
[in] | dmax | restricted maximum length of dest |
[in] | tm | pointer to a tm object specifying the time to print |
EOK | on success |
ESNULLP | when dest or tm is a NULL pointer |
ESLEMIN | when dmax < 26 or a tm member is too small |
ESLEMAX | when dmax > RSIZE_MAX_STR or a tm member is too large |
EOVERFLOW | when dmax > size of dest (optionally, when the compiler knows the object_size statically) |
ESLEWRNG | when dmax != size of dest and –enable-error-dmax |
ESNOSPC | when dmax is too small for the result buffer |
-1 | when asctime_r or asctime returned NULL |
The ctime_s
function converts the given time since epoch to a calendar local time and then to a textual representation, as if by calling asctime_s(buffer, bufsz, localtime_s(time, &(struct tm){0}))
.
The message is copied into the user-provided dest
buffer, which is guaranteed to be null-terminated.
No more than dmax-1 bytes are written, the buffer is always null-terminated. The function does not support localization. Uses the re-entrant ctime_r()
if available.
[out] | dest | pointer to a user-provided string buffer. |
[in] | dmax | restricted maximum length of dest |
[in] | timer | pointer to a epoch (long, seconds since 1970) |
EOK | on success |
ESNULLP | when dest or tm is a NULL pointer |
ESLEMIN | when dmax < 26 or *timer < 0 |
ESLEMAX | when dmax > RSIZE_MAX_STR. Or when *timer > 313360441200L, the year 10000, resp. LONG_MAX on 32bit systems. |
EOVERFLOW | when dmax > size of dest (optionally, when the compiler knows the object_size statically) |
ESLEWRNG | when dmax != size of dest and –enable-error-dmax |
ESNOSPC | when dmax is too small for the result buffer |
-1 | when ctime_r or ctime returned NULL |
The getenv_s
function searches for an environmental variable with name name in the host-specified environment list and returns a pointer to the string that is associated with the matched environment variable.
The set of environmental variables and methods of altering it are implementation-defined. The value of the environment variable is written to the user-provided buffer value (unless null) and the number of bytes written is stored in the user-provided location *len (unless null). If the environment variable is not set in the environment, zero is written to *len (unless null) and '\0' is written to value[0] (unless null). With SAFECLIB_STR_NULL_SLACK defined all elements following the terminating NUL character (if any) written in the array of dmax characters pointed to by dest are nulled. If secure_getenv()
is available, it is used.
[out] | len | pointer to a size_t where getenv_s will store the length of the found environment variable. Might be NULL. Note that on Microsoft Windows we return len+1, the size of the buffer, including the terminating NUL, to match the wrong getenv_s implementation und usages in the wild there. |
[out] | dest | pointer to a string where getenv_s will store the contents of the found environment variable. Might be NULL. |
[in] | dmax | maximum number of characters that getenv_s is allowed to write to dest (size of the buffer). Might be 0. |
[in] | name | null-terminated character string identifying the name of the environmental variable to look for. |
EOK | on success |
ESNULLP | when name is a NULL pointer |
ESLEMAX | when dmax > RSIZE_MAX_STR |
EOVERFLOW | when dmax > size of dest (optionally, when the compiler knows the object_size statically) |
ESLEWRNG | when dmax != sizeof(dest) and –enable-error-dmax |
ESNOSPC | when dmax is too small for the value |
-1 | when not found |
The bsearch_s
function finds an element equal to element pointed to by key in an array pointed to by base.
The array contains count elements of size bytes and must be partitioned with respect to key, that is, all the elements that compare less than must appear before all the elements that compare equal to, and those must appear before all the elements that compare greater than the key object. A fully sorted array satisfies these requirements. The elements are compared using function pointed to by comp. The behavior is undefined if the array is not already partitioned with respect to *key in ascending order according to the same criterion that compar uses.
[in] | key | pointer to the element to search for |
[in] | base | pointer to the array to examine |
[in] | nmemb | number of elements in the array |
[in] | size | size of each element in the array in bytes |
[in] | compar | comparison function which returns a negative integer value if the first argument is less than the second, a positive integer value if the first argument is greater than the second and zero if the arguments are equal. key is passed as the first argument, an element from the array as the second. The signature of the comparison function should be equivalent to the following: int cmp(const void *a, const void *b); The function must not modify the objects passed to it and must return consistent results when called for the same objects, regardless of their positions in the array. |
[in] | context | additional information (e.g., collating sequence), passed to compar as the third argument |
If the array contains several elements that compar would indicate as equal to the element searched for, then it is unspecified which element the function will return as the result.
NULL | when not found or any error |
errno values: ESNULLP when key, base or compar are a NULL pointer, and nmemb is > 0 ESLEMAX when nmemb or size > RSIZE_MAX_MEM ESNOSPC when nmemb * size > sizeof base
The qsort_s
function sorts the given array pointed to by base in ascending order.
The array contains nmemb elements of size bytes. Function pointed to by compar is used for object comparison.
[in] | base | pointer to the array to sort |
[in] | nmemb | number of elements in the array |
[in] | size | size of each element in the array in bytes |
[in] | compar | comparison function which returns a negative integer value if the first argument is less than the second, a positive integer value if the first argument is greater than the second and zero if the arguments are equal. key is passed as the first argument, an element from the array as the second. The signature of the comparison function should be equivalent to the following: int cmp(const void *a, const void *b, const void *context); The function must not modify the objects passed to it and must return consistent results when called for the same objects, regardless of their positions in the array. |
[in] | context | additional information (e.g., collating sequence), passed to compar as the third argument |
If comp indicates two elements as equivalent, their order in the resulting sorted array is unspecified.
qsort_s
does not treat arrays of zero size as a runtime constraint violation and instead returns successfully without altering the array (the other function that accepts arrays of zero size is bsearch_s
). Until qsort_s
, users of qsort
often used global variables to pass additional context to the comparison function.This function is available under windows with a different API, no return type, and is not available with safeclib.
EOK | when operation is successful |
-ESNULLP | when base * compar is NULL pointer and nmemb > 0 |
-ESLEMAX | when nmemb or size > RSIZE_MAX_MEM |
-ESNOSPC | when nmemb*size > sizeof base |
This function writes a message on the standard error stream in an implementation-defined format.
The message shall include the string pointed to by msg. The abort_handler_s function then calls the abort function.
[in] | msg | Pointer to the message describing the error |
[in] | ptr | Pointer to aassociated data. Can be NULL. |
[in] | error | The error code encountered. |
This function simply returns to the caller.
[in] | msg | Pointer to the message describing the error |
[in] | ptr | Pointer to aassociated data. Can be NULL. |
[in] | error | The error code encountered. |
The tmpfile_s
function creates a temporary binary file that is different from any other existing file and that will automatically be removed when it is closed or at program termination.
If the program terminates abnormally, whether an open temporary file is removed is implementation-defined. The file is opened for update with "wb+" mode with the meaning that mode has in the fopen_s
function (including the mode’s effect on exclusive access and file permissions).
streamptr | pointer to a pointer that will be updated by this function call |
If the file was created successfully, then the pointer to FILE pointed to by streamptr will be set to the pointer to the object controlling the opened file. Otherwise, the pointer to FILE pointed to by streamptr will be set to a null pointer.
EOK | on success |
ESNULLP | when streamptr is a NULL pointer |
ESLEMAX | when more than TMP_MAX_S files were opened. |
errno() | when tmpfile() failed, typically ENOENT or EACCES |
EXTERN errno_t fopen_s | ( | FILE *restrict *restrict | streamptr, |
const char *restrict | filename, | ||
const char *restrict | mode ) |
The fopen_s
function opens a file indicated by filename and updates the pointer to the file stream associated with that file.
mode is used to determine the file access mode.
[out] | streamptr | pointer to a FILE stream that will be updated by this function call |
[in] | filename | |
[in] | mode | as in fopen |
If the file was created successfully, then the pointer to the FILE pointed to by streamptr will be set to the pointer to the object controlling the opened file. Otherwise, the pointer to the FILE pointed to by streamptr will be set to a null pointer.
EOK | on success |
ESNULLP | when any argument is a NULL pointer |
> | 0 any other errno |
EXTERN errno_t freopen_s | ( | FILE *restrict *restrict | newstreamptr, |
const char *restrict | filename, | ||
const char *restrict | mode, | ||
FILE *restrict | stream ) |
The freopen_s
function first, attempts to close the file associated with the stream, ignoring any errors.
Then, if filename is not null, attempts to open the file specified by filename using mode as if by fopen, and associates that file with the file stream pointed to by stream. If filename is a null pointer, then the function attempts to reopen the file that is already associated with stream (it is implementation defined which mode changes are allowed in this case).
[out] | newstreamptr | pointer to a FILE stream that will be updated by this function call |
[in] | filename | file name to associate the file stream to |
[in] | mode | as in fopen |
[in] | stream | the file stream to modify |
If the file was reopened successfully, then the pointer to the FILE pointed to by newstreamptr will be set to the pointer to the object controlling the opened file. Otherwise, the pointer to the FILE pointed to by newstreamptr will be set to a null pointer.
EOK | on success |
ESNULLP | when any argument is a NULL pointer |
> | 0 any other errno |
EXTERN errno_t _asctime_s_chk | ( | char * | dest, |
rsize_t | dmax, | ||
const struct tm * | tm, | ||
const size_t | destbos ) |
EXTERN errno_t _ctime_s_chk | ( | char * | dest, |
rsize_t | dmax, | ||
const time_t * | timer, | ||
const size_t | destbos ) |
EXTERN struct tm * gmtime_s | ( | const time_t *restrict | timer, |
struct tm *restrict | dest ) |
The gmtime_s
function converts the given time since epoch to a calendar time, expressed in Coordinated Universal Time (UTC) in the struct tm format.
The result is copied into the user-provided tm struct.
[in] | timer | pointer to a epoch (long, seconds since 1970) |
[out] | dest | pointer to a user-provided struct tm. |
POSIX requires that this function sets errno to EOVERFLOW if it fails because the argument is too large. POSIX defines a thread-safe alternative gmtime_r, which is similar to the C11 function gmtime_s, except that it does not check the validity of its input parameters.
This function is available under windows with a different API, reversed argument order, and is not available with safeclib.
EXTERN struct tm * localtime_s | ( | const time_t *restrict | timer, |
struct tm *restrict | dest ) |
The localtime_s
function converts the given time since epoch to a calendar time, expressed in the current timezone in the struct tm format.
The result is copied into the user-provided tm struct.
[in] | timer | pointer to a epoch (long, seconds since 1970) |
[out] | dest | pointer to a user-provided struct tm. |
POSIX requires that this function sets errno to EOVERFLOW if it fails because the argument is too large. POSIX defines a thread-safe alternative localtime_r, which is similar to the C11 function localtime_s, except that it does not check the validity of its input parameters.
This function is available under windows with a different API, reversed argument order, and is not available with safeclib.
EXTERN errno_t _getenv_s_chk | ( | size_t *restrict | len, |
char *restrict | dest, | ||
rsize_t | dmax, | ||
const char *restrict | name, | ||
const size_t | destbos ) |
EXTERN void * _bsearch_s_chk | ( | const void * | key, |
const void * | base, | ||
rsize_t | nmemb, | ||
rsize_t | size, | ||
int(* | compar )(const void *k, const void *y, void *context), | ||
void * | context, | ||
const size_t | basebos ) && |
EXTERN errno_t _qsort_s_chk | ( | void * | base, |
rsize_t | nmemb, | ||
rsize_t | size, | ||
int(* | compar )(const void *x, const void *y, void *context), | ||
void * | context, | ||
const size_t | basebos ) && |