Changeset 36428 in vbox for trunk

Timestamp:

Mar 25, 2011 12:46:45 PM (14 years ago)

Author:

vboxsync

Message:

com/string.h: AssertLogRel when encountering an invalid encoding in the copyFrom*() methods doing UTF-16/8 conversions. The ASSUMPTION is that all input strings are correctly encoded and that this is enforced by VirtualBox border code before things gets down to Utf8Str or Bstr.

Location:

trunk

Files:

• include/VBox/com/string.h (modified) (8 diffs)
• src/VBox/Main/glue/string.cpp (modified) (3 diffs)

trunk/include/VBox/com/string.h

@@ -58 +58 @@
 /**
  *  String class used universally in Main for COM-style Utf-16 strings.
- *  Unfortunately COM on Windows uses UTF-16 everywhere, requiring conversions
- *  back and forth since most of VirtualBox and our libraries use UTF-8.
- *
- *  To make things more obscure, on Windows, a COM-style BSTR is not just a
- *  pointer to a null-terminated wide character array, but the four bytes
- *  (32 bits) BEFORE the memory that the pointer points to are a length
- *  DWORD. One must therefore avoid pointer arithmetic and always use
- *  SysAllocString and the like to deal with BSTR pointers, which manage
- *  that DWORD correctly.
- *
- *  For platforms other than Windows, we provide our own versions of the
- *  Sys* functions in Main/xpcom/helpers.cpp which do NOT use length
- *  prefixes though to be compatible with how XPCOM allocates string
- *  parameters to public functions.
- *
- *  The Bstr class hides all this handling behind a std::string-like interface
- *  and also provides automatic conversions to MiniString and Utf8Str instances.
- *
- *  The one advantage of using the SysString* routines is that this makes it
- *  possible to use it as a type of member variables of COM/XPCOM components
- *  and pass their values to callers through component methods' output parameters
- *  using the #cloneTo() operation. Also, the class can adopt (take ownership of)
- *  string buffers returned in output parameters of COM methods using the
- *  #asOutParam() operation and correctly free them afterwards.
- *
- *  Starting with VirtualBox 3.2, like Utf8Str, Bstr no longer differentiates
- *  between NULL strings and empty strings. In other words, Bstr("") and
- *  Bstr(NULL) behave the same. In both cases, Bstr allocates no memory,
- *  reports a zero length and zero allocated bytes for both, and returns an
- *  empty C wide string from raw().
+ *
+ * Unfortunately COM on Windows uses UTF-16 everywhere, requiring conversions
+ * back and forth since most of VirtualBox and our libraries use UTF-8.
+ *
+ * To make things more obscure, on Windows, a COM-style BSTR is not just a
+ * pointer to a null-terminated wide character array, but the four bytes (32
+ * bits) BEFORE the memory that the pointer points to are a length DWORD. One
+ * must therefore avoid pointer arithmetic and always use SysAllocString and
+ * the like to deal with BSTR pointers, which manage that DWORD correctly.
+ *
+ * For platforms other than Windows, we provide our own versions of the Sys*
+ * functions in Main/xpcom/helpers.cpp which do NOT use length prefixes though
+ * to be compatible with how XPCOM allocates string parameters to public
+ * functions.
+ *
+ * The Bstr class hides all this handling behind a std::string-like interface
+ * and also provides automatic conversions to MiniString and Utf8Str instances.
+ *
+ * The one advantage of using the SysString* routines is that this makes it
+ * possible to use it as a type of member variables of COM/XPCOM components and
+ * pass their values to callers through component methods' output parameters
+ * using the #cloneTo() operation.  Also, the class can adopt (take ownership
+ * of) string buffers returned in output parameters of COM methods using the
+ * #asOutParam() operation and correctly free them afterwards.
+ *
+ * Starting with VirtualBox 3.2, like Utf8Str, Bstr no longer differentiates
+ * between NULL strings and empty strings. In other words, Bstr("") and
+ * Bstr(NULL) behave the same. In both cases, Bstr allocates no memory,
+ * reports a zero length and zero allocated bytes for both, and returns an
+ * empty C wide string from raw().
+ *
+ * @note    All Bstr methods ASSUMES valid UTF-16 or UTF-8 input strings.
+ *          The VirtualBox policy in this regard is to validate strings coming
+ *          from external sources before passing them to Bstr or Utf8Str.
  */
 class Bstr
@@ -301 +305 @@
      *  If the member string is empty, this allocates an empty BSTR in *pstr
      *  (i.e. makes it point to a new buffer with a null byte).
-     */
-    void detachTo(BSTR *pstr)
+     *
+     * @param   pbstrDst        The BSTR variable to detach the string to.
+     *
+     * @throws  std::bad_alloc if we failed to allocate a new empty string.
+     */
+    void detachTo(BSTR *pbstrDst)
     {
         if (m_bstr)
-            *pstr = m_bstr;
+            *pbstrDst = m_bstr;
         else
         {
             // allocate null BSTR
-            *pstr = ::SysAllocString((const OLECHAR *)g_bstrEmpty);
+            *pbstrDst = ::SysAllocString((const OLECHAR *)g_bstrEmpty);
 #ifdef RT_EXCEPTIONS_ENABLED
-            if (!*pstr)
+            if (!*pbstrDst)
                 throw std::bad_alloc();
 #endif
@@ -322 +330 @@
      *  Takes the ownership of the returned data.
      */
-    BSTR* asOutParam()
+    BSTR *asOutParam()
     {
         cleanup();
@@ -352 +360 @@
      *
      * If the source is empty, this sets the member string to NULL.
-     * @param rs
-     */
-    void copyFrom(const OLECHAR *rs)
-    {
-        if (rs && *rs)
+     *
+     * @param   a_bstrSrc           The source string.  The caller guarantees
+     *                              that this is valid UTF-16.
+     *
+     * @throws  std::bad_alloc - the object is representing an empty string.
+     */
+    void copyFrom(const OLECHAR *a_bstrSrc)
+    {
+        if (a_bstrSrc && *a_bstrSrc)
         {
-            m_bstr = ::SysAllocString(rs);
+            m_bstr = ::SysAllocString(a_bstrSrc);
 #ifdef RT_EXCEPTIONS_ENABLED
             if (!m_bstr)
@@ -375 +387 @@
      *
      * If the source is empty, this sets the member string to NULL.
-     * @param rs
-     */
-    void copyFrom(const char *rs)
-    {
-        if (rs && *rs)
-        {
-            PRTUTF16 s = NULL;
-            ::RTStrToUtf16(rs, &s);
-#ifdef RT_EXCEPTIONS_ENABLED
-            if (!s)
-                throw std::bad_alloc();
-#endif
-            copyFrom((const OLECHAR *)s);            // allocates BSTR from zero-terminated input string
-            ::RTUtf16Free(s);
-        }
-        else
-            m_bstr = NULL;
+     *
+     * @param   a_pszSrc            The source string.  The caller guarantees
+     *                              that this is valid UTF-8.
+     *
+     * @throws  std::bad_alloc - the object is representing an empty string.
+     */
+    void copyFrom(const char *a_pszSrc)
+    {
+        copyFromN(a_pszSrc, RTSTR_MAX);
     }
 
@@ -397 +401 @@
      * Variant of copyFrom for sub-string constructors.
      *
-     * @param   a_pszSrc            The source string.
+     * @param   a_pszSrc            The source string.  The caller guarantees
+     *                              that this is valid UTF-8.
      * @param   a_cchMax            The maximum number of chars (not
      *                              codepoints) to copy.  If you pass RTSTR_MAX
      *                              it'll be exactly like copyFrom().
-     * @throws  std::bad_alloc
+     *
+     * @throws  std::bad_alloc - the object is representing an empty string.
      */
     void copyFromN(const char *a_pszSrc, size_t a_cchSrc);
@@ -417 +423 @@
 
 
-////////////////////////////////////////////////////////////////////////////////
+
 
 /**
- *  String class used universally in Main for UTF-8 strings.
- *
- *  This is based on iprt::MiniString, to which some functionality has been
- *  moved. Here we keep things that are specific to Main, such as conversions
- *  with UTF-16 strings (Bstr).
- *
- *  Like iprt::MiniString, Utf8Str does not differentiate between NULL strings
- *  and empty strings. In other words, Utf8Str("") and Utf8Str(NULL)
- *  behave the same. In both cases, MiniString allocates no memory, reports
- *  a zero length and zero allocated bytes for both, and returns an empty
- *  C string from c_str().
+ * String class used universally in Main for UTF-8 strings.
+ *
+ * This is based on iprt::MiniString, to which some functionality has been
+ * moved.  Here we keep things that are specific to Main, such as conversions
+ * with UTF-16 strings (Bstr).
+ *
+ * Like iprt::MiniString, Utf8Str does not differentiate between NULL strings
+ * and empty strings.  In other words, Utf8Str("") and Utf8Str(NULL) behave the
+ * same.  In both cases, MiniString allocates no memory, reports
+ * a zero length and zero allocated bytes for both, and returns an empty
+ * C string from c_str().
+ *
+ * @note    All Utf8Str methods ASSUMES valid UTF-8 or UTF-16 input strings.
+ *          The VirtualBox policy in this regard is to validate strings coming
+ *          from external sources before passing them to Utf8Str or Bstr.
  */
 class Utf8Str : public iprt::MiniString
@@ -558 +568 @@
 protected:
 
-    void copyFrom(CBSTR s);
+    void copyFrom(CBSTR a_pbstr);
 
     friend class Bstr; /* to access our raw_copy() */

trunk/src/VBox/Main/glue/string.cpp

@@ -53 +53 @@
     size_t cwc;
     int vrc = ::RTStrCalcUtf16LenEx(a_pszSrc, a_cchMax, &cwc);
-    AssertRCReturnVoid(vrc); /* throw instead? */
+    if (RT_FAILURE(vrc))
+    {
+        /* ASSUME: input is valid Utf-8. Fake out of memory error. */
+        AssertLogRelMsgFailed(("%Rrc %.*Rhxs\n", vrc, RTStrNLen(a_pszSrc, a_cchMax), a_pszSrc));
+        throw std::bad_alloc();
+    }
 
     m_bstr = ::SysAllocStringByteLen(NULL, cwc * sizeof(OLECHAR));
-    if (m_bstr)
+    if (RT_UNLIKELY(!m_bstr))
+        throw std::bad_alloc();
+
+    PRTUTF16 pwsz = (PRTUTF16)m_bstr;
+    vrc = ::RTStrToUtf16Ex(a_pszSrc, a_cchMax, &pwsz, cwc + 1, NULL);
+    if (RT_FAILURE(vrc))
     {
-        PRTUTF16 pwsz = (PRTUTF16)m_bstr;
-        vrc = ::RTStrToUtf16Ex(a_pszSrc, a_cchMax, &pwsz, cwc + 1, NULL);
-        if (RT_FAILURE(vrc))
-        {
-            /* This should not happen! */
-            AssertRC(vrc);
-            cleanup();
-        }
+        /* This should not happen! */
+        AssertRC(vrc);
+        cleanup();
+        throw std::bad_alloc();
     }
-    else
-        throw std::bad_alloc();
 }
 
@@ -80 +84 @@
     size_t cb = length() + 1;
     *pstr = (char*)nsMemory::Alloc(cb);
-    if (!*pstr)
+    if (RT_UNLIKELY(!*pstr))
         throw std::bad_alloc();
     memcpy(*pstr, c_str(), cb);
@@ -137 +141 @@
  * copying from a UTF-16 string.
  *
- * As with the iprt::ministring::copyFrom() variants, this unconditionally
- * sets the members to a copy of the given other strings and makes
- * no assumptions about previous contents. This can therefore be used
- * both in copy constructors, when member variables have no defined
- * value, and in assignments after having called cleanup().
+ * As with the iprt::ministring::copyFrom() variants, this unconditionally sets
+ * the members to a copy of the given other strings and makes no assumptions
+ * about previous contents.  This can therefore be used both in copy
+ * constructors, when member variables have no defined value, and in
+ * assignments after having called cleanup().
  *
  * This variant converts from a UTF-16 string, most probably from
  * a Bstr assignment.
  *
- * @param s
+ * @param   a_pbstr         The source string.  The caller guarantees that this
+ *                          is valid UTF-16.
+ *
+ * @sa      iprt::MiniString::copyFromN
  */
-void Utf8Str::copyFrom(CBSTR s)
+void Utf8Str::copyFrom(CBSTR a_pbstr)
 {
-    if (s && *s)
+    if (a_pbstr && *a_pbstr)
     {
-        int vrc = RTUtf16ToUtf8Ex((PRTUTF16)s,      // PCRTUTF16 pwszString
+        int vrc = RTUtf16ToUtf8Ex((PCRTUTF16)a_pbstr,
                                   RTSTR_MAX,        // size_t cwcString: translate entire string
                                   &m_psz,           // char **ppsz: output buffer
                                   0,                // size_t cch: if 0, func allocates buffer in *ppsz
                                   &m_cch);          // size_t *pcch: receives the size of the output string, excluding the terminator.
-        if (RT_FAILURE(vrc))
+        if (RT_SUCCESS(vrc))
+            m_cbAllocated = m_cch + 1;
+        else
         {
-            if (    vrc == VERR_NO_STR_MEMORY
-                 || vrc == VERR_NO_MEMORY
-               )
-                throw std::bad_alloc();
+            if (   vrc != VERR_NO_STR_MEMORY
+                && vrc != VERR_NO_MEMORY)
+            {
+                /* ASSUME: input is valid Utf-16. Fake out of memory error. */
+                AssertLogRelMsgFailed(("%Rrc %.*Rhxs\n", vrc, RTUtf16Len(a_pbstr) * sizeof(RTUTF16), a_pbstr));
+            }
 
-            // @todo what do we do with bad input strings? throw also? for now just keep an empty string
             m_cch = 0;
             m_cbAllocated = 0;
             m_psz = NULL;
+
+            throw std::bad_alloc();
         }
-        else
-            m_cbAllocated = m_cch + 1;
     }
     else