1 #include "stdio_impl.h"
2 #include <errno.h>
3 #include <ctype.h>
4 #include <limits.h>
5 #include <string.h>
6 #include <stdarg.h>
7 #include <stddef.h>
8 #include <stdlib.h>
9 #include <wchar.h>
10 #include <inttypes.h>
11 
12 /* Convenient bit representation for modifier flags, which all fall
13  * within 31 codepoints of the space character. */
14 
15 #define ALT_FORM   (1U<<'#'-' ')
16 #define ZERO_PAD   (1U<<'0'-' ')
17 #define LEFT_ADJ   (1U<<'-'-' ')
18 #define PAD_POS    (1U<<' '-' ')
19 #define MARK_POS   (1U<<'+'-' ')
20 #define GROUPED    (1U<<'\''-' ')
21 
22 #define FLAGMASK (ALT_FORM|ZERO_PAD|LEFT_ADJ|PAD_POS|MARK_POS|GROUPED)
23 
24 /* State machine to accept length modifiers + conversion specifiers.
25  * Result is 0 on failure, or an argument type to pop on success. */
26 
27 enum {
28 	BARE, LPRE, LLPRE, HPRE, HHPRE, BIGLPRE,
29 	ZTPRE, JPRE,
30 	STOP,
31 	PTR, INT, UINT, ULLONG,
32 	LONG, ULONG,
33 	SHORT, USHORT, CHAR, UCHAR,
34 	LLONG, SIZET, IMAX, UMAX, PDIFF, UIPTR,
35 	DBL, LDBL,
36 	NOARG,
37 	MAXSTATE
38 };
39 
40 #define S(x) [(x)-'A']
41 
42 static const unsigned char states[]['z'-'A'+1] = {
43 	{ /* 0: bare types */
44 		S('d') = INT, S('i') = INT,
45 		S('o') = UINT, S('u') = UINT, S('x') = UINT, S('X') = UINT,
46 		S('e') = DBL, S('f') = DBL, S('g') = DBL, S('a') = DBL,
47 		S('E') = DBL, S('F') = DBL, S('G') = DBL, S('A') = DBL,
48 		S('c') = CHAR, S('C') = INT,
49 		S('s') = PTR, S('S') = PTR, S('p') = UIPTR, S('n') = PTR,
50 		S('m') = NOARG,
51 		S('l') = LPRE, S('h') = HPRE, S('L') = BIGLPRE,
52 		S('z') = ZTPRE, S('j') = JPRE, S('t') = ZTPRE,
53 	}, { /* 1: l-prefixed */
54 		S('d') = LONG, S('i') = LONG,
55 		S('o') = ULONG, S('u') = ULONG, S('x') = ULONG, S('X') = ULONG,
56 		S('e') = DBL, S('f') = DBL, S('g') = DBL, S('a') = DBL,
57 		S('E') = DBL, S('F') = DBL, S('G') = DBL, S('A') = DBL,
58 		S('c') = INT, S('s') = PTR, S('n') = PTR,
59 		S('l') = LLPRE,
60 	}, { /* 2: ll-prefixed */
61 		S('d') = LLONG, S('i') = LLONG,
62 		S('o') = ULLONG, S('u') = ULLONG,
63 		S('x') = ULLONG, S('X') = ULLONG,
64 		S('n') = PTR,
65 	}, { /* 3: h-prefixed */
66 		S('d') = SHORT, S('i') = SHORT,
67 		S('o') = USHORT, S('u') = USHORT,
68 		S('x') = USHORT, S('X') = USHORT,
69 		S('n') = PTR,
70 		S('h') = HHPRE,
71 	}, { /* 4: hh-prefixed */
72 		S('d') = CHAR, S('i') = CHAR,
73 		S('o') = UCHAR, S('u') = UCHAR,
74 		S('x') = UCHAR, S('X') = UCHAR,
75 		S('n') = PTR,
76 	}, { /* 5: L-prefixed */
77 		S('e') = LDBL, S('f') = LDBL, S('g') = LDBL, S('a') = LDBL,
78 		S('E') = LDBL, S('F') = LDBL, S('G') = LDBL, S('A') = LDBL,
79 		S('n') = PTR,
80 	}, { /* 6: z- or t-prefixed (assumed to be same size) */
81 		S('d') = PDIFF, S('i') = PDIFF,
82 		S('o') = SIZET, S('u') = SIZET,
83 		S('x') = SIZET, S('X') = SIZET,
84 		S('n') = PTR,
85 	}, { /* 7: j-prefixed */
86 		S('d') = IMAX, S('i') = IMAX,
87 		S('o') = UMAX, S('u') = UMAX,
88 		S('x') = UMAX, S('X') = UMAX,
89 		S('n') = PTR,
90 	}
91 };
92 
93 #define OOB(x) ((unsigned)(x)-'A' > 'z'-'A')
94 
95 union arg
96 {
97 	uintmax_t i;
98 	long double f;
99 	void *p;
100 };
101 
pop_arg(union arg * arg,int type,va_list * ap)102 static void pop_arg(union arg *arg, int type, va_list *ap)
103 {
104 	switch (type) {
105 	       case PTR:	arg->p = va_arg(*ap, void *);
106 	break; case INT:	arg->i = va_arg(*ap, int);
107 	break; case UINT:	arg->i = va_arg(*ap, unsigned int);
108 	break; case LONG:	arg->i = va_arg(*ap, long);
109 	break; case ULONG:	arg->i = va_arg(*ap, unsigned long);
110 	break; case ULLONG:	arg->i = va_arg(*ap, unsigned long long);
111 	break; case SHORT:	arg->i = (short)va_arg(*ap, int);
112 	break; case USHORT:	arg->i = (unsigned short)va_arg(*ap, int);
113 	break; case CHAR:	arg->i = (signed char)va_arg(*ap, int);
114 	break; case UCHAR:	arg->i = (unsigned char)va_arg(*ap, int);
115 	break; case LLONG:	arg->i = va_arg(*ap, long long);
116 	break; case SIZET:	arg->i = va_arg(*ap, size_t);
117 	break; case IMAX:	arg->i = va_arg(*ap, intmax_t);
118 	break; case UMAX:	arg->i = va_arg(*ap, uintmax_t);
119 	break; case PDIFF:	arg->i = va_arg(*ap, ptrdiff_t);
120 	break; case UIPTR:	arg->i = (uintptr_t)va_arg(*ap, void *);
121 	break; case DBL:	arg->f = va_arg(*ap, double);
122 	break; case LDBL:	arg->f = va_arg(*ap, long double);
123 	}
124 }
125 
out(FILE * f,const wchar_t * s,size_t l)126 static void out(FILE *f, const wchar_t *s, size_t l)
127 {
128 	while (l-- && !(f->flags & F_ERR)) fputwc(*s++, f);
129 }
130 
getint(wchar_t ** s)131 static int getint(wchar_t **s) {
132 	int i;
133 	for (i=0; iswdigit(**s); (*s)++) {
134 		if (i > INT_MAX/10U || **s-'0' > INT_MAX-10*i) i = -1;
135 		else i = 10*i + (**s-'0');
136 	}
137 	return i;
138 }
139 
140 static const char sizeprefix['y'-'a'] = {
141 ['a'-'a']='L', ['e'-'a']='L', ['f'-'a']='L', ['g'-'a']='L',
142 ['d'-'a']='j', ['i'-'a']='j', ['o'-'a']='j', ['u'-'a']='j', ['x'-'a']='j',
143 ['p'-'a']='j'
144 };
145 
wprintf_core(FILE * f,const wchar_t * fmt,va_list * ap,union arg * nl_arg,int * nl_type)146 static int wprintf_core(FILE *f, const wchar_t *fmt, va_list *ap, union arg *nl_arg, int *nl_type)
147 {
148 	wchar_t *a, *z, *s=(wchar_t *)fmt;
149 	unsigned l10n=0, fl;
150 	int w, p, xp;
151 	union arg arg;
152 	int argpos;
153 	unsigned st, ps;
154 	int cnt=0, l=0;
155 	int i;
156 	int t;
157 	char *bs;
158 	char charfmt[16];
159 	wchar_t wc;
160 
161 	for (;;) {
162 		/* This error is only specified for snprintf, but since it's
163 		 * unspecified for other forms, do the same. Stop immediately
164 		 * on overflow; otherwise %n could produce wrong results. */
165 		if (l > INT_MAX - cnt) goto overflow;
166 
167 		/* Update output count, end loop when fmt is exhausted */
168 		cnt += l;
169 		if (!*s) break;
170 
171 		/* Handle literal text and %% format specifiers */
172 		for (a=s; *s && *s!='%'; s++);
173 		for (z=s; s[0]=='%' && s[1]=='%'; z++, s+=2);
174 		if (z-a > INT_MAX-cnt) goto overflow;
175 		l = z-a;
176 		if (f) out(f, a, l);
177 		if (l) continue;
178 
179 		if (iswdigit(s[1]) && s[2]=='$') {
180 			l10n=1;
181 			argpos = s[1]-'0';
182 			s+=3;
183 		} else {
184 			argpos = -1;
185 			s++;
186 		}
187 
188 		/* Read modifier flags */
189 		for (fl=0; (unsigned)*s-' '<32 && (FLAGMASK&(1U<<*s-' ')); s++)
190 			fl |= 1U<<*s-' ';
191 
192 		/* Read field width */
193 		if (*s=='*') {
194 			if (iswdigit(s[1]) && s[2]=='$') {
195 				l10n=1;
196 				nl_type[s[1]-'0'] = INT;
197 				w = nl_arg[s[1]-'0'].i;
198 				s+=3;
199 			} else if (!l10n) {
200 				w = f ? va_arg(*ap, int) : 0;
201 				s++;
202 			} else goto inval;
203 			if (w<0) fl|=LEFT_ADJ, w=-w;
204 		} else if ((w=getint(&s))<0) goto overflow;
205 
206 		/* Read precision */
207 		if (*s=='.' && s[1]=='*') {
208 			if (isdigit(s[2]) && s[3]=='$') {
209 				nl_type[s[2]-'0'] = INT;
210 				p = nl_arg[s[2]-'0'].i;
211 				s+=4;
212 			} else if (!l10n) {
213 				p = f ? va_arg(*ap, int) : 0;
214 				s+=2;
215 			} else goto inval;
216 			xp = (p>=0);
217 		} else if (*s=='.') {
218 			s++;
219 			p = getint(&s);
220 			xp = 1;
221 		} else {
222 			p = -1;
223 			xp = 0;
224 		}
225 
226 		/* Format specifier state machine */
227 		st=0;
228 		do {
229 			if (OOB(*s)) goto inval;
230 			ps=st;
231 			st=states[st]S(*s++);
232 		} while (st-1<STOP);
233 		if (!st) goto inval;
234 
235 		/* Check validity of argument type (nl/normal) */
236 		if (st==NOARG) {
237 			if (argpos>=0) goto inval;
238 		} else {
239 			if (argpos>=0) nl_type[argpos]=st, arg=nl_arg[argpos];
240 			else if (f) pop_arg(&arg, st, ap);
241 			else return 0;
242 		}
243 
244 		if (!f) continue;
245 		t = s[-1];
246 		if (ps && (t&15)==3) t&=~32;
247 
248 		switch (t) {
249 		case 'n':
250 			switch(ps) {
251 			case BARE: *(int *)arg.p = cnt; break;
252 			case LPRE: *(long *)arg.p = cnt; break;
253 			case LLPRE: *(long long *)arg.p = cnt; break;
254 			case HPRE: *(unsigned short *)arg.p = cnt; break;
255 			case HHPRE: *(unsigned char *)arg.p = cnt; break;
256 			case ZTPRE: *(size_t *)arg.p = cnt; break;
257 			case JPRE: *(uintmax_t *)arg.p = cnt; break;
258 			}
259 			continue;
260 		case 'c':
261 			if (w<1) w=1;
262 			if (w>1 && !(fl&LEFT_ADJ)) fprintf(f, "%*s", w-1, "");
263 			fputwc(btowc(arg.i), f);
264 			if (w>1 && (fl&LEFT_ADJ)) fprintf(f, "%*s", w-1, "");
265 			l = w;
266 			continue;
267 		case 'C':
268 			fputwc(arg.i, f);
269 			l = 1;
270 			continue;
271 		case 'S':
272 			a = arg.p;
273 			z = a + wcsnlen(a, p<0 ? INT_MAX : p);
274 			if (p<0 && *z) goto overflow;
275 			p = z-a;
276 			if (w<p) w=p;
277 			if (!(fl&LEFT_ADJ)) fprintf(f, "%*s", w-p, "");
278 			out(f, a, p);
279 			if ((fl&LEFT_ADJ)) fprintf(f, "%*s", w-p, "");
280 			l=w;
281 			continue;
282 		case 'm':
283 			arg.p = strerror(errno);
284 		case 's':
285 			if (!arg.p) arg.p = "(null)";
286 			bs = arg.p;
287 			for (i=l=0; l<(p<0?INT_MAX:p) && (i=mbtowc(&wc, bs, MB_LEN_MAX))>0; bs+=i, l++);
288 			if (i<0) return -1;
289 			if (p<0 && *bs) goto overflow;
290 			p=l;
291 			if (w<p) w=p;
292 			if (!(fl&LEFT_ADJ)) fprintf(f, "%*s", w-p, "");
293 			bs = arg.p;
294 			while (l--) {
295 				i=mbtowc(&wc, bs, MB_LEN_MAX);
296 				bs+=i;
297 				fputwc(wc, f);
298 			}
299 			if ((fl&LEFT_ADJ)) fprintf(f, "%*s", w-p, "");
300 			l=w;
301 			continue;
302 		}
303 
304 		if (xp && p<0) goto overflow;
305 		snprintf(charfmt, sizeof charfmt, "%%%s%s%s%s%s*.*%c%c",
306 			"#"+!(fl & ALT_FORM),
307 			"+"+!(fl & MARK_POS),
308 			"-"+!(fl & LEFT_ADJ),
309 			" "+!(fl & PAD_POS),
310 			"0"+!(fl & ZERO_PAD),
311 			sizeprefix[(t|32)-'a'], t);
312 
313 		switch (t|32) {
314 		case 'a': case 'e': case 'f': case 'g':
315 			l = fprintf(f, charfmt, w, p, arg.f);
316 			break;
317 		case 'd': case 'i': case 'o': case 'u': case 'x': case 'p':
318 			l = fprintf(f, charfmt, w, p, arg.i);
319 			break;
320 		}
321 	}
322 
323 	if (f) return cnt;
324 	if (!l10n) return 0;
325 
326 	for (i=1; i<=NL_ARGMAX && nl_type[i]; i++)
327 		pop_arg(nl_arg+i, nl_type[i], ap);
328 	for (; i<=NL_ARGMAX && !nl_type[i]; i++);
329 	if (i<=NL_ARGMAX) return -1;
330 	return 1;
331 
332 inval:
333 	errno = EINVAL;
334 	return -1;
335 overflow:
336 	errno = EOVERFLOW;
337 	return -1;
338 }
339 
vfwprintf(FILE * restrict f,const wchar_t * restrict fmt,va_list ap)340 int vfwprintf(FILE *restrict f, const wchar_t *restrict fmt, va_list ap)
341 {
342 	va_list ap2;
343 	int nl_type[NL_ARGMAX] = {0};
344 	union arg nl_arg[NL_ARGMAX];
345 	int olderr;
346 	int ret;
347 
348 	/* the copy allows passing va_list* even if va_list is an array */
349 	va_copy(ap2, ap);
350 	if (wprintf_core(0, fmt, &ap2, nl_arg, nl_type) < 0) {
351 		va_end(ap2);
352 		return -1;
353 	}
354 
355 	FLOCK(f);
356 	fwide(f, 1);
357 	olderr = f->flags & F_ERR;
358 	f->flags &= ~F_ERR;
359 	ret = wprintf_core(f, fmt, &ap2, nl_arg, nl_type);
360 	if (f->flags & F_ERR) ret = -1;
361 	f->flags |= olderr;
362 	FUNLOCK(f);
363 	va_end(ap2);
364 	return ret;
365 }
366