/* Copyright (c) 2002-2018 Dovecot authors, see the included COPYING file */

#include "lib.h"
#include "printf-format-fix.h"

static const char *
fix_format_real(const char *fmt, const char *p, size_t *len_r)
{
	const char *errstr;
	char *buf;
	size_t len1, len2, len3;

	i_assert((size_t)(p - fmt) < INT_MAX);
	i_assert(p[0] == '%' && p[1] == 'm');

	errstr = strerror(errno);

	/* we'll assume that there's only one %m in the format string.
	   this simplifies the code and there's really no good reason to have
	   it multiple times. Callers can trap this case themselves. */
	len1 = p - fmt;
	len2 = strlen(errstr);
	len3 = strlen(p + 2);

	/* @UNSAFE */
	buf = t_buffer_get(len1 + len2 + len3 + 1);
	memcpy(buf, fmt, len1);
	memcpy(buf + len1, errstr, len2);
	memcpy(buf + len1 + len2, p + 2, len3 + 1);

	*len_r = len1 + len2 + len3;
	return buf;
}

static bool verify_length(const char **p)
{
	if (**p == '*') {
		/* We don't bother supporting "*m$" - it's not used
		   anywhere and seems a bit dangerous. */
		*p += 1;
	} else if (**p >= '0' && **p <= '9') {
		/* Limit to 4 digits - we'll never want more than that.
		   Some implementations might not handle long digits
		   correctly, or maybe even could be used for DoS due
		   to using too much CPU. If you want to express '99'
		   as '00099', then you lose in this function. */
		unsigned int i = 0;
		do {
			*p += 1;
			if (++i > 4)
				return FALSE;
		} while (**p >= '0' && **p <= '9');
	}
	return TRUE;
}

static const char *
printf_format_fix_noalloc(const char *format, size_t *len_r)
{
	/* NOTE: This function is overly strict in what it accepts. Some
	   format strings that are valid (and safe) in C99 will cause a panic
	   here. This is because we don't really need to support the weirdest
	   special cases, and we're also being extra careful not to pass
	   anything to the underlying libc printf, which might treat the string
	   differently than us and unexpectedly handling it as %n. For example
	   "%**%n" with glibc. */

	/* Allow only the standard C99 flags. There are also <'> and <I> flags,
	   but we don't really need them. And at worst if they're not supported
	   by the underlying printf, they could potentially be used to work
	   around our restrictions. */
	const char printf_flags[] = "#0- +";
	/* As a tiny optimization keep the most commonly used conversion
	   specifiers first, so strchr() stops early. */
	static const char *printf_specifiers = "sudcixXpoeEfFgGaA";
	const char *ret, *p, *p2;
	char *flag;

	p = ret = format;
	while ((p2 = strchr(p, '%')) != NULL) {
		const unsigned int start_pos = p2 - format;

		p = p2+1;
		if (*p == '%') {
			/* we'll be strict and allow %% only when there are no
			   optinal flags or modifiers. */
			p++;
			continue;
		}
		/* 1) zero or more flags. We'll add a further restriction that
		   each flag can be used only once, since there's no need to
		   use them more than once, and some implementations might
		   add their own limits. */
		bool printf_flags_seen[N_ELEMENTS(printf_flags)] = { FALSE, };
		while (*p != '\0' &&
		       (flag = strchr(printf_flags, *p)) != NULL) {
			unsigned int flag_idx = flag - printf_flags;

			if (printf_flags_seen[flag_idx]) {
				i_panic("Duplicate %% flag '%c' starting at #%u in '%s'",
					*p, start_pos, format);
			}
			printf_flags_seen[flag_idx] = TRUE;
			p++;
		}

		/* 2) Optional minimum field width */
		if (!verify_length(&p)) {
			i_panic("Too large minimum field width starting at #%u in '%s'",
				start_pos, format);
		}

		/* 3) Optional precision */
		if (*p == '.') {
			p++;
			if (!verify_length(&p)) {
				i_panic("Too large precision starting at #%u in '%s'",
					start_pos, format);
			}
		}

		/* 4) Optional length modifier */
		switch (*p) {
		case 'h':
			if (*++p == 'h')
				p++;
			break;
		case 'l':
			if (*++p == 'l')
				p++;
			break;
		case 'L':
		case 'j':
		case 'z':
		case 't':
			p++;
			break;
		}

		/* 5) conversion specifier */
		if (*p == '\0' || strchr(printf_specifiers, *p) == NULL) {
			switch (*p) {
			case 'n':
				i_panic("%%n modifier used");
			case 'm':
				if (ret != format)
					i_panic("%%m used twice");
				ret = fix_format_real(format, p-1, len_r);
				break;
			case '\0':
				i_panic("Missing %% specifier starting at #%u in '%s'",
					start_pos, format);
			default:
				i_panic("Unsupported 0x%02x specifier starting at #%u in '%s'",
					*p, start_pos, format);
			}
		}
		p++;
	}

	if (ret == format)
		*len_r = p - format + strlen(p);
	return ret;
}

const char *printf_format_fix_get_len(const char *format, size_t *len_r)
{
	const char *ret;

	ret = printf_format_fix_noalloc(format, len_r);
	if (ret != format)
		t_buffer_alloc(*len_r + 1);
	return ret;
}

const char *printf_format_fix(const char *format)
{
	const char *ret;
	size_t len;

	ret = printf_format_fix_noalloc(format, &len);
	if (ret != format)
		t_buffer_alloc(len + 1);
	return ret;
}

const char *printf_format_fix_unsafe(const char *format)
{
	size_t len;

	return printf_format_fix_noalloc(format, &len);
}