Strona główna Odkrywaj Pomoc
Zaloguj się
ariadne
/
shttpd
Obserwuj 1
Polub 0
Forkuj 0
Pliki Problemy 7 Oczekujące zmiany 0 Wiki
Drzewo: 3ad28c4ba8
Gałęzie Tagi
shttpd
/
buffer
/
lex.c

lex.c 4.4 KB
Historia Czysty

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138 
  1. // SPDX-License-Identifier: GPL-2.0 or GPL-3.0
    2. 

  2. // Copyright © 2019 Ariadne Devos
    3. 

  3. /* sHT -- find lexeme boundaries */
    4. 

  4. 

  5. #include <sHT/bitvec.h>
    6. 

  6. #include <sHT/index.h>
    7. 

  7. #include <sHT/lex.h>
    8. 

  8. #include <sHT/string.h>
    9. 

  9. #include <sHT/taint.h>
    10. 

  10. #include <sHT/test.h>
    11. 

  11. 

  12. size_t
    13. 

  13. sHT_lex(struct sHT_lex_buf *to, const unsigned char from[], size_t n, const struct sHT_lex_type *c)
    14. 

  14. {
    15. 

  15. 	/* The current offset into @var{from}. (Set later). */
    16. 

  16. 	size_t i;
    17. 

  17. 	/* The old number of accumulated bytes,
    18. 

  18. 	   therefore, the index into @var{to->bytes} to start writing to. */
    19. 

  19. 	size_t offset = to->offset;
    20. 

  20. 	/* The following loop: iterate over the bytes of @var{from}, to
    21. 

  21. 	  validate their syntax and copy them -- and process a fragment when
    22. 

  22. 	  complete. However, not all bytes, as only @code{c->max_known} are
    23. 

  23. 	  allocated.
    24. 

  24. 

  25. 	  @var{offset}: data from previous runs is remembered. */
    26. 

  26. 	/* Underflow 1: `sHT_lex_buf` invariant (`offset` < `max_known`) */
    27. 

  27. 	size_t todo = sHT_min_size(n, c->max_known - offset);
    28. 

  28. 	/* Induct over byte locations, until a space character, a syntax error
    29. 

  29. 	  or the method is found to be too long to be known. */
    30. 

  30. 	/* (1) `n` > 0 (`sHT_lex` precondition)
    31. 

  31. 	  (1) => (2) 0 < `n`
    32. 

  32. 	  (3) `offset` < `max_known` (`sHT_lex_buf` invariant)
    33. 

  33. 	  (3) => (4) 0 < `max_known` - `offset`
    34. 

  34. 	  (2, 4) => (5) 0 < min(`n`, `max_known` - `offset`)
    35. 

  35. 	  (5): QED `sHT_index_iterate` positivity (TODO: do ... while loop) */
    36. 

  36. 

  37. 	/* Invariant: byte `offset` to `offset` + `i` (exclusive) of
    38. 

  38. 	  @code{buf->bytes} are set. Base case: trivial. */
    39. 

  39. 	sHT_index_iterate(i, todo) {
    40. 

  40. 		/* If zero @var{n} were allowed, this would be out of bounds */
    41. 

  41. 		/* (1) i < todo (@var{sHT_index_iterate})
    42. 

  42. 		  (2) todo <= n (@var{sHT_min_size})
    43. 

  43. 		  (1, 2) => i < n
    44. 

  44. 		  QED @var{from} length */
    45. 

  45. 		uint8_t b = from[i];
    46. 

  46. 		/* (1) i < todo (@var{sHT_index_iterate})
    47. 

  47. 		  (2) todo <= max_known - offset (@var{sHT_min_size})
    48. 

  48. 		  (1, 2) => (3) i < max_known - offset
    49. 

  49. 		  (3) => offset + i < max_known
    50. 

  50. 		  QED @var{to} capacity.
    51. 

  51. 

  52. 		  QED induction step (is set). */
    53. 

  53. 		to->bytes[offset + i] = b;
    54. 

  54. 		if (sHT_bit_test(c->c_allow, b)) {
    55. 

  55. 			/* Correct byte, but not a terminator.
    56. 

  56. 			  Continue the search. */
    57. 

  57. 			continue;
    58. 

  58. 		}
    59. 

  59. 		/* Non-speculatively, @var{b} is not one of the allowed
    60. 

  60. 		  bytes. Either it is the terminator, or a syntax error.
    61. 

  61. 		  Which one? (0: syntax error, 1: terminator)*/
    62. 

  62. 		int which = sHT_eq_bool(c->c_stop, b);
    63. 

  63. 		/* Not used anymore; taint for analysis */
    64. 

  64. 		sHT_taint(&to->offset);
    65. 

  65. 		/* +1: also count the terminating byte
    66. 

  66. 		  (<tests/lex.c> found this bug)
    67. 

  67. 

  68. 		  (1) i < todo (@var{sHT_index_iterate}),
    69. 

  69. 		  (2) todo <= n (@var{sHT_index_iterate})
    70. 

  70. 		  (1, 2) => (3) i < n.
    71. 

  71. 		  (3) => (4) i + 1 <= n
    72. 

  72. 		  QED bounds last argument
    73. 

  73. 

  74. 		  (1) i < todo (@var{sHT_index_iterate}),
    75. 

  75. 		  (2) todo <= max_known - offset (@var{sHT_min_size})
    76. 

  76. 		  (1, 2) => (3) i <= max_known - offset
    77. 

  77. 		  (3) => (4) offset + i <= max_known
    78. 

  78. 

  79. 		  QED length/index bounds */
    80. 

  80. 		return c->cb_value[which](to, offset + i, i + 1);
    81. 

  81. 	}
    82. 

  82. 

  83. 	/* Compare the number of running total of tested bytes with the
    84. 

  84. 	  maximal known lexeme length. If it the former begins to equal
    85. 

  85. 	  the latter, there is no point in copying anymore, but the
    86. 

  86. 	  syntax must still be validated. */
    87. 

  87. 	/* Overflow:
    88. 

  88. 

  89. 	  (1) i < todo (@var{sHT_index_iterate}),
    90. 

  90. 	  (2) todo <= max_known - offset (@var{sHT_min_size})
    91. 

  91. 	  (1, 2) => (3) i <= max_known - offset
    92. 

  92. 	  (3) => (4) offset + i <= max_known
    93. 

  93. 	  (5) `max_known` <= `SIZE_MAX` (typing)
    94. 

  94. 	  (3, 5) => `offset` + `i` <= `SIZE_MAX`
    95. 

  95. 

  96. 	  QED no overflow */
    97. 

  97. 	if (sHT_ge(offset + i, c->max_known)) {
    98. 

  98. 		/* Not used anymore; taint for analysis */
    99. 

  99. 		sHT_taint(&to->offset);
    100. 

  100. 		sHT_taint(&to->bytes[0]);
    101. 

  101. 		return c->cb_ignore(to, i);
    102. 

  102. 	}
    103. 

  103. 

  104. 	/* More bytes must be read before the lexeme is complete.
    105. 

  105. 	  Proof of progress (i = n) (non-speculatively):
    106. 

  106. 

  107. 	  (1) offset + i < max_known (@var{sHT_ge})
    108. 

  108. 	  (2) i = todo (@var{sHT_index_iterate})
    109. 

  109. 	  (1) => (4) i < max_known - offset
    110. 

  110. 	  (2, 4) => (5) todo < max_known - offset
    111. 

  111. 	  (5) => todo = n (@var{sHT_min_size})
    112. 

  112. 	  (2, 5) => i = n
    113. 

  113. 

  114. 	  QED progress */
    115. 

  115. 	/* Remember the number of copied bytes */
    116. 

  116.  	/* Overflow/bounds:
    117. 

  117. 

  118. 	  (1) i <= todo (@var{sHT_index_iterate}),
    119. 

  119. 	  (2) todo <= max_known - offset (@var{sHT_min_size})
    120. 

  120. 	  (1, 2) => (3) i <= max_known - offset
    121. 

  121. 	  (3) => (4) offset + i <= max_known
    122. 

  122. 	  QED bounds; continue overflow
    123. 

  123. 

  124. 	  (5) max_known < UINT16_MAX (@var{uint16_t})
    125. 

  125. 	  (4, 5) => offset + i < UINT16_MAX
    126. 

  126. 

  127. 	  QED overflow */
    128. 

  128. 	to->offset += i;
    129. 

  129. 	/* Bounds:
    130. 

  130. 

  131. 	  (1) i <= todo (@var{sHT_index_iterate})
    132. 

  132. 	  (2) todo <= n (@var{sHT_min_size})
    133. 

  133. 	  (1, 2) => i <= n
    134. 

  134. 

  135. 	  QED bounds */
    136. 

  136. 	return i;
    137. 

  137. }
    138. 

  138.