1 // Copyright 2012 The Chromium Authors
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 #include "base/pickle.h"
6
7 #include <algorithm>
8 #include <bit>
9 #include <cstdlib>
10 #include <limits>
11 #include <ostream>
12 #include <type_traits>
13
14 #include "base/bits.h"
15 #include "base/containers/span.h"
16 #include "base/numerics/safe_conversions.h"
17 #include "base/numerics/safe_math.h"
18 #include "build/build_config.h"
19
20 namespace base {
21
22 // static
23 const size_t Pickle::kPayloadUnit = 64;
24
25 static const size_t kCapacityReadOnly = static_cast<size_t>(-1);
26
PickleIterator(const Pickle & pickle)27 PickleIterator::PickleIterator(const Pickle& pickle)
28 : payload_(pickle.payload()),
29 read_index_(0),
30 end_index_(pickle.payload_size()) {}
31
32 template <typename Type>
ReadBuiltinType(Type * result)33 inline bool PickleIterator::ReadBuiltinType(Type* result) {
34 static_assert(
35 std::is_integral_v<Type> && !std::is_same_v<Type, bool>,
36 "This method is only safe with to use with types without padding bits.");
37 const char* read_from = GetReadPointerAndAdvance<Type>();
38 if (!read_from)
39 return false;
40 memcpy(result, read_from, sizeof(*result));
41 return true;
42 }
43
Advance(size_t size)44 inline void PickleIterator::Advance(size_t size) {
45 size_t aligned_size = bits::AlignUp(size, sizeof(uint32_t));
46 if (end_index_ - read_index_ < aligned_size) {
47 read_index_ = end_index_;
48 } else {
49 read_index_ += aligned_size;
50 }
51 }
52
53 template <typename Type>
GetReadPointerAndAdvance()54 inline const char* PickleIterator::GetReadPointerAndAdvance() {
55 if (sizeof(Type) > end_index_ - read_index_) {
56 read_index_ = end_index_;
57 return nullptr;
58 }
59 const char* current_read_ptr = payload_ + read_index_;
60 Advance(sizeof(Type));
61 return current_read_ptr;
62 }
63
GetReadPointerAndAdvance(size_t num_bytes)64 const char* PickleIterator::GetReadPointerAndAdvance(size_t num_bytes) {
65 if (num_bytes > end_index_ - read_index_) {
66 read_index_ = end_index_;
67 return nullptr;
68 }
69 const char* current_read_ptr = payload_ + read_index_;
70 Advance(num_bytes);
71 return current_read_ptr;
72 }
73
GetReadPointerAndAdvance(size_t num_elements,size_t size_element)74 inline const char* PickleIterator::GetReadPointerAndAdvance(
75 size_t num_elements,
76 size_t size_element) {
77 // Check for size_t overflow.
78 size_t num_bytes;
79 if (!CheckMul(num_elements, size_element).AssignIfValid(&num_bytes))
80 return nullptr;
81 return GetReadPointerAndAdvance(num_bytes);
82 }
83
ReadBool(bool * result)84 bool PickleIterator::ReadBool(bool* result) {
85 // Not all bit patterns are valid bools. Avoid undefined behavior by reading a
86 // type with no padding bits, then converting to bool.
87 uint8_t v;
88 if (!ReadBuiltinType(&v)) {
89 return false;
90 }
91 *result = v != 0;
92 return true;
93 }
94
ReadInt(int * result)95 bool PickleIterator::ReadInt(int* result) {
96 return ReadBuiltinType(result);
97 }
98
ReadLong(long * result)99 bool PickleIterator::ReadLong(long* result) {
100 // Always read long as a 64-bit value to ensure compatibility between 32-bit
101 // and 64-bit processes.
102 int64_t result_int64 = 0;
103 if (!ReadBuiltinType(&result_int64))
104 return false;
105 if (!IsValueInRangeForNumericType<long>(result_int64))
106 return false;
107 *result = static_cast<long>(result_int64);
108 return true;
109 }
110
ReadUInt16(uint16_t * result)111 bool PickleIterator::ReadUInt16(uint16_t* result) {
112 return ReadBuiltinType(result);
113 }
114
ReadUInt32(uint32_t * result)115 bool PickleIterator::ReadUInt32(uint32_t* result) {
116 return ReadBuiltinType(result);
117 }
118
ReadInt64(int64_t * result)119 bool PickleIterator::ReadInt64(int64_t* result) {
120 return ReadBuiltinType(result);
121 }
122
ReadUInt64(uint64_t * result)123 bool PickleIterator::ReadUInt64(uint64_t* result) {
124 return ReadBuiltinType(result);
125 }
126
ReadFloat(float * result)127 bool PickleIterator::ReadFloat(float* result) {
128 // crbug.com/315213
129 // The source data may not be properly aligned, and unaligned float reads
130 // cause SIGBUS on some ARM platforms, so force using memcpy to copy the data
131 // into the result.
132 const char* read_from = GetReadPointerAndAdvance<float>();
133 if (!read_from)
134 return false;
135 memcpy(result, read_from, sizeof(*result));
136 return true;
137 }
138
ReadDouble(double * result)139 bool PickleIterator::ReadDouble(double* result) {
140 // crbug.com/315213
141 // The source data may not be properly aligned, and unaligned double reads
142 // cause SIGBUS on some ARM platforms, so force using memcpy to copy the data
143 // into the result.
144 const char* read_from = GetReadPointerAndAdvance<double>();
145 if (!read_from)
146 return false;
147 memcpy(result, read_from, sizeof(*result));
148 return true;
149 }
150
ReadString(std::string * result)151 bool PickleIterator::ReadString(std::string* result) {
152 size_t len;
153 if (!ReadLength(&len))
154 return false;
155 const char* read_from = GetReadPointerAndAdvance(len);
156 if (!read_from)
157 return false;
158
159 result->assign(read_from, len);
160 return true;
161 }
162
ReadStringPiece(StringPiece * result)163 bool PickleIterator::ReadStringPiece(StringPiece* result) {
164 size_t len;
165 if (!ReadLength(&len))
166 return false;
167 const char* read_from = GetReadPointerAndAdvance(len);
168 if (!read_from)
169 return false;
170
171 *result = StringPiece(read_from, len);
172 return true;
173 }
174
ReadString16(std::u16string * result)175 bool PickleIterator::ReadString16(std::u16string* result) {
176 size_t len;
177 if (!ReadLength(&len))
178 return false;
179 const char* read_from = GetReadPointerAndAdvance(len, sizeof(char16_t));
180 if (!read_from)
181 return false;
182
183 result->assign(reinterpret_cast<const char16_t*>(read_from), len);
184 return true;
185 }
186
ReadStringPiece16(StringPiece16 * result)187 bool PickleIterator::ReadStringPiece16(StringPiece16* result) {
188 size_t len;
189 if (!ReadLength(&len))
190 return false;
191 const char* read_from = GetReadPointerAndAdvance(len, sizeof(char16_t));
192 if (!read_from)
193 return false;
194
195 *result = StringPiece16(reinterpret_cast<const char16_t*>(read_from), len);
196 return true;
197 }
198
ReadData(const char ** data,size_t * length)199 bool PickleIterator::ReadData(const char** data, size_t* length) {
200 *length = 0;
201 *data = nullptr;
202
203 if (!ReadLength(length))
204 return false;
205
206 return ReadBytes(data, *length);
207 }
208
ReadData()209 std::optional<base::span<const uint8_t>> PickleIterator::ReadData() {
210 const char* ptr;
211 size_t length;
212
213 if (!ReadData(&ptr, &length))
214 return std::nullopt;
215
216 return base::as_bytes(base::make_span(ptr, length));
217 }
218
ReadBytes(const char ** data,size_t length)219 bool PickleIterator::ReadBytes(const char** data, size_t length) {
220 const char* read_from = GetReadPointerAndAdvance(length);
221 if (!read_from)
222 return false;
223 *data = read_from;
224 return true;
225 }
226
227 Pickle::Attachment::Attachment() = default;
228
229 Pickle::Attachment::~Attachment() = default;
230
231 // Payload is uint32_t aligned.
232
Pickle()233 Pickle::Pickle()
234 : header_(nullptr),
235 header_size_(sizeof(Header)),
236 capacity_after_header_(0),
237 write_offset_(0) {
238 static_assert(std::has_single_bit(Pickle::kPayloadUnit),
239 "Pickle::kPayloadUnit must be a power of two");
240 Resize(kPayloadUnit);
241 header_->payload_size = 0;
242 }
243
Pickle(size_t header_size)244 Pickle::Pickle(size_t header_size)
245 : header_(nullptr),
246 header_size_(bits::AlignUp(header_size, sizeof(uint32_t))),
247 capacity_after_header_(0),
248 write_offset_(0) {
249 DCHECK_GE(header_size, sizeof(Header));
250 DCHECK_LE(header_size, kPayloadUnit);
251 Resize(kPayloadUnit);
252 header_->payload_size = 0;
253 }
254
WithData(span<const uint8_t> data)255 Pickle Pickle::WithData(span<const uint8_t> data) {
256 // Create a pickle with unowned data, then do a copy to internalize the data.
257 Pickle pickle(kUnownedData, data);
258 Pickle internalized_data_pickle = pickle;
259 CHECK_NE(internalized_data_pickle.capacity_after_header_, kCapacityReadOnly);
260 return internalized_data_pickle;
261 }
262
WithUnownedBuffer(span<const uint8_t> data)263 Pickle Pickle::WithUnownedBuffer(span<const uint8_t> data) {
264 // This uses return value optimization to return a Pickle without copying
265 // which will preserve the unowned-ness of the data.
266 return Pickle(kUnownedData, data);
267 }
268
Pickle(UnownedData,span<const uint8_t> data)269 Pickle::Pickle(UnownedData, span<const uint8_t> data)
270 : header_(reinterpret_cast<Header*>(const_cast<uint8_t*>(data.data()))),
271 header_size_(0),
272 capacity_after_header_(kCapacityReadOnly),
273 write_offset_(0) {
274 if (data.size() >= sizeof(Header)) {
275 header_size_ = data.size() - header_->payload_size;
276 }
277
278 if (header_size_ > data.size()) {
279 header_size_ = 0;
280 }
281
282 if (header_size_ != bits::AlignUp(header_size_, sizeof(uint32_t))) {
283 header_size_ = 0;
284 }
285
286 // If there is anything wrong with the data, we're not going to use it.
287 if (!header_size_) {
288 header_ = nullptr;
289 }
290 }
291
Pickle(const Pickle & other)292 Pickle::Pickle(const Pickle& other)
293 : header_(nullptr),
294 header_size_(other.header_size_),
295 capacity_after_header_(0),
296 write_offset_(other.write_offset_) {
297 if (other.header_) {
298 Resize(other.header_->payload_size);
299 memcpy(header_, other.header_, header_size_ + other.header_->payload_size);
300 }
301 }
302
~Pickle()303 Pickle::~Pickle() {
304 if (capacity_after_header_ != kCapacityReadOnly)
305 free(header_);
306 }
307
operator =(const Pickle & other)308 Pickle& Pickle::operator=(const Pickle& other) {
309 if (this == &other) {
310 return *this;
311 }
312 if (capacity_after_header_ == kCapacityReadOnly) {
313 header_ = nullptr;
314 capacity_after_header_ = 0;
315 }
316 if (header_size_ != other.header_size_) {
317 free(header_);
318 header_ = nullptr;
319 header_size_ = other.header_size_;
320 }
321 if (other.header_) {
322 Resize(other.header_->payload_size);
323 memcpy(header_, other.header_,
324 other.header_size_ + other.header_->payload_size);
325 write_offset_ = other.write_offset_;
326 }
327 return *this;
328 }
329
WriteString(const StringPiece & value)330 void Pickle::WriteString(const StringPiece& value) {
331 WriteData(value.data(), value.size());
332 }
333
WriteString16(const StringPiece16 & value)334 void Pickle::WriteString16(const StringPiece16& value) {
335 WriteInt(checked_cast<int>(value.size()));
336 WriteBytes(value.data(), value.size() * sizeof(char16_t));
337 }
338
WriteData(const char * data,size_t length)339 void Pickle::WriteData(const char* data, size_t length) {
340 WriteData(as_bytes(span(data, length)));
341 }
342
WriteData(std::string_view data)343 void Pickle::WriteData(std::string_view data) {
344 WriteData(as_byte_span(data));
345 }
346
WriteData(base::span<const uint8_t> data)347 void Pickle::WriteData(base::span<const uint8_t> data) {
348 WriteInt(checked_cast<int>(data.size()));
349 WriteBytes(data);
350 }
351
WriteBytes(const void * data,size_t length)352 void Pickle::WriteBytes(const void* data, size_t length) {
353 WriteBytesCommon(make_span(static_cast<const uint8_t*>(data), length));
354 }
355
WriteBytes(span<const uint8_t> data)356 void Pickle::WriteBytes(span<const uint8_t> data) {
357 WriteBytesCommon(data);
358 }
359
Reserve(size_t length)360 void Pickle::Reserve(size_t length) {
361 size_t data_len = bits::AlignUp(length, sizeof(uint32_t));
362 DCHECK_GE(data_len, length);
363 #ifdef ARCH_CPU_64_BITS
364 DCHECK_LE(data_len, std::numeric_limits<uint32_t>::max());
365 #endif
366 DCHECK_LE(write_offset_, std::numeric_limits<uint32_t>::max() - data_len);
367 size_t new_size = write_offset_ + data_len;
368 if (new_size > capacity_after_header_)
369 Resize(capacity_after_header_ * 2 + new_size);
370 }
371
WriteAttachment(scoped_refptr<Attachment> attachment)372 bool Pickle::WriteAttachment(scoped_refptr<Attachment> attachment) {
373 return false;
374 }
375
ReadAttachment(base::PickleIterator * iter,scoped_refptr<Attachment> * attachment) const376 bool Pickle::ReadAttachment(base::PickleIterator* iter,
377 scoped_refptr<Attachment>* attachment) const {
378 return false;
379 }
380
HasAttachments() const381 bool Pickle::HasAttachments() const {
382 return false;
383 }
384
Resize(size_t new_capacity)385 void Pickle::Resize(size_t new_capacity) {
386 CHECK_NE(capacity_after_header_, kCapacityReadOnly);
387 capacity_after_header_ = bits::AlignUp(new_capacity, kPayloadUnit);
388 void* p = realloc(header_, GetTotalAllocatedSize());
389 CHECK(p);
390 header_ = reinterpret_cast<Header*>(p);
391 }
392
ClaimBytes(size_t num_bytes)393 void* Pickle::ClaimBytes(size_t num_bytes) {
394 void* p = ClaimUninitializedBytesInternal(num_bytes);
395 CHECK(p);
396 memset(p, 0, num_bytes);
397 return p;
398 }
399
GetTotalAllocatedSize() const400 size_t Pickle::GetTotalAllocatedSize() const {
401 if (capacity_after_header_ == kCapacityReadOnly)
402 return 0;
403 return header_size_ + capacity_after_header_;
404 }
405
406 // static
FindNext(size_t header_size,const char * start,const char * end)407 const char* Pickle::FindNext(size_t header_size,
408 const char* start,
409 const char* end) {
410 size_t pickle_size = 0;
411 if (!PeekNext(header_size, start, end, &pickle_size))
412 return nullptr;
413
414 if (pickle_size > static_cast<size_t>(end - start))
415 return nullptr;
416
417 return start + pickle_size;
418 }
419
420 // static
PeekNext(size_t header_size,const char * start,const char * end,size_t * pickle_size)421 bool Pickle::PeekNext(size_t header_size,
422 const char* start,
423 const char* end,
424 size_t* pickle_size) {
425 DCHECK_EQ(header_size, bits::AlignUp(header_size, sizeof(uint32_t)));
426 DCHECK_GE(header_size, sizeof(Header));
427 DCHECK_LE(header_size, static_cast<size_t>(kPayloadUnit));
428
429 size_t length = static_cast<size_t>(end - start);
430 if (length < sizeof(Header))
431 return false;
432
433 const Header* hdr = reinterpret_cast<const Header*>(start);
434 if (length < header_size)
435 return false;
436
437 // If payload_size causes an overflow, we return maximum possible
438 // pickle size to indicate that.
439 *pickle_size = ClampAdd(header_size, hdr->payload_size);
440 return true;
441 }
442
443 template <size_t length>
WriteBytesStatic(const void * data)444 void Pickle::WriteBytesStatic(const void* data) {
445 WriteBytesCommon(make_span(static_cast<const uint8_t*>(data), length));
446 }
447
448 template void Pickle::WriteBytesStatic<2>(const void* data);
449 template void Pickle::WriteBytesStatic<4>(const void* data);
450 template void Pickle::WriteBytesStatic<8>(const void* data);
451
ClaimUninitializedBytesInternal(size_t length)452 inline void* Pickle::ClaimUninitializedBytesInternal(size_t length) {
453 DCHECK_NE(kCapacityReadOnly, capacity_after_header_)
454 << "oops: pickle is readonly";
455 size_t data_len = bits::AlignUp(length, sizeof(uint32_t));
456 DCHECK_GE(data_len, length);
457 #ifdef ARCH_CPU_64_BITS
458 DCHECK_LE(data_len, std::numeric_limits<uint32_t>::max());
459 #endif
460 DCHECK_LE(write_offset_, std::numeric_limits<uint32_t>::max() - data_len);
461 size_t new_size = write_offset_ + data_len;
462 if (new_size > capacity_after_header_) {
463 size_t new_capacity = capacity_after_header_ * 2;
464 const size_t kPickleHeapAlign = 4096;
465 if (new_capacity > kPickleHeapAlign) {
466 new_capacity =
467 bits::AlignUp(new_capacity, kPickleHeapAlign) - kPayloadUnit;
468 }
469 Resize(std::max(new_capacity, new_size));
470 }
471
472 char* write = mutable_payload() + write_offset_;
473 std::fill(write + length, write + data_len, 0); // Always initialize padding
474 header_->payload_size = static_cast<uint32_t>(new_size);
475 write_offset_ = new_size;
476 return write;
477 }
478
WriteBytesCommon(span<const uint8_t> data)479 inline void Pickle::WriteBytesCommon(span<const uint8_t> data) {
480 DCHECK_NE(kCapacityReadOnly, capacity_after_header_)
481 << "oops: pickle is readonly";
482 MSAN_CHECK_MEM_IS_INITIALIZED(data.data(), data.size());
483 void* write = ClaimUninitializedBytesInternal(data.size());
484 std::copy(data.data(), data.data() + data.size(), static_cast<char*>(write));
485 }
486
487 } // namespace base
488