[EXTERNAL] [edk2-devel] [PATCH V6 1/1] MdePkg: Fix SafeString performing assertions on runtime checks
Bret Barkelew via groups.io
bret.barkelew=microsoft.com at groups.io
Fri May 15 15:26:45 UTC 2020
Agreed. This was more for discussion than a request to change. Sorry for the churn.
- Bret
________________________________
From: Vitaly Cheptsov <cheptsov at ispras.ru>
Sent: Friday, May 15, 2020 2:30:46 AM
To: Kinney, Michael D <michael.d.kinney at intel.com>; Bret Barkelew <Bret.Barkelew at microsoft.com>; Marvin Häuser <mhaeuser at outlook.de>
Cc: devel at edk2.groups.io <devel at edk2.groups.io>; Andrew Fish <afish at apple.com>; Ard Biesheuvel <ard.biesheuvel at linaro.org>; Brian J . Johnson <brian.johnson at hpe.com>; Chiu, Chasel <chasel.chiu at intel.com>; Justen, Jordan L <jordan.l.justen at intel.com>; Laszlo Ersek <lersek at redhat.com>; Leif Lindholm <leif at nuviainc.com>; liming.gao <liming.gao at intel.com>; Zimmer, Vincent <vincent.zimmer at intel.com>; Gao, Zhichao <zhichao.gao at intel.com>
Subject: Re: [EXTERNAL] [edk2-devel] [PATCH V6 1/1] MdePkg: Fix SafeString performing assertions on runtime checks
Mike, Bret,
The assertion in UnicodeStrnToAsciiStrS is currently not a runtime check but a precondition. I.e. the function does not work with such sequences.
I fully agree that it is not right, and that we should actually update the documentation and change it to the following construction (0x80 instead of 0x100 for 7-bit ASCII and ‘?’ for invalid patch):
if (*Source < 0x80) {
*(Destination++) = (CHAR8) *(Source++);
} else {
*(Destination++) = ‘?';
}
However, it has to be out of the scope of this patch due to the nature of the change: function behaviour change for RELEASE instead of assertion removal for the runtime check as for all the rest. Should file a bugzilla as well.
As for alignment, I believe Marvin explained it well, and I have nothing to add there. There is no need to change the patch anyhow.
Best wishes,
Vitaly
15 мая 2020 г., в 01:14, Kinney, Michael D <michael.d.kinney at intel.com<mailto:michael.d.kinney at intel.com>> написал(а):
Bret,
I agree with all your points. Which is why I am asking if we should address this in the current patch under review.
I will also point out that another way to get an off pointer address value for a CHAR16 is through use of packed structures. If a CHAR16 string is in a packaged structure and starts at an odd byte offset, then directly passing the CHAR16 string field to one of these APIs will ASSERT() or generate an exception if the ASSERT()s are removed. When using packed structures, fields that are larger than 1-byte need to either be copied to an aligned location or accessed using the Unaligned Read/Write APIs.
Mike
From: devel at edk2.groups.io<mailto:devel at edk2.groups.io> <devel at edk2.groups.io<mailto:devel at edk2.groups.io>> On Behalf Of Bret Barkelew via groups.io<http://groups.io/>
Sent: Thursday, May 14, 2020 2:15 PM
To: devel at edk2.groups.io<mailto:devel at edk2.groups.io>; Kinney, Michael D <michael.d.kinney at intel.com<mailto:michael.d.kinney at intel.com>>; cheptsov at ispras.ru<mailto:cheptsov at ispras.ru>
Cc: Andrew Fish <afish at apple.com<mailto:afish at apple.com>>; Ard Biesheuvel <ard.biesheuvel at linaro.org<mailto:ard.biesheuvel at linaro.org>>; Brian J . Johnson <brian.johnson at hpe.com<mailto:brian.johnson at hpe.com>>; Chiu, Chasel <chasel.chiu at intel.com<mailto:chasel.chiu at intel.com>>; Justen, Jordan L <jordan.l.justen at intel.com<mailto:jordan.l.justen at intel.com>>; Laszlo Ersek <lersek at redhat.com<mailto:lersek at redhat.com>>; Leif Lindholm <leif at nuviainc.com<mailto:leif at nuviainc.com>>; Gao, Liming <liming.gao at intel.com<mailto:liming.gao at intel.com>>; Marvin Häuser <mhaeuser at outlook.de<mailto:mhaeuser at outlook.de>>; Zimmer, Vincent <vincent.zimmer at intel.com<mailto:vincent.zimmer at intel.com>>; Gao, Zhichao <zhichao.gao at intel.com<mailto:zhichao.gao at intel.com>>
Subject: Re: [EXTERNAL] Re: [edk2-devel] [PATCH V6 1/1] MdePkg: Fix SafeString performing assertions on runtime checks
Why isn’t that a failed return value?
That would be unexpected behavior in RELEASE.
Either that, or the function should take in a substitution character (e.g. ‘?’) for invalid characters.
The prototype of this function is bad if it doesn’t allow for this possibility, and an ASSERT isn’t making code any better/safer by only ASSERTing.
- Bret
From: Michael D Kinney via groups.io<mailto:michael.d.kinney=intel.com at groups.io>
Sent: Thursday, May 14, 2020 2:07 PM
To: devel at edk2.groups.io<mailto:devel at edk2.groups.io>; cheptsov at ispras.ru<mailto:cheptsov at ispras.ru>; Kinney, Michael D<mailto:michael.d.kinney at intel.com>
Cc: Andrew Fish<mailto:afish at apple.com>; Ard Biesheuvel<mailto:ard.biesheuvel at linaro.org>; Bret Barkelew<mailto:Bret.Barkelew at microsoft.com>; Brian J . Johnson<mailto:brian.johnson at hpe.com>; Chiu, Chasel<mailto:chasel.chiu at intel.com>; Justen, Jordan L<mailto:jordan.l.justen at intel.com>; Laszlo Ersek<mailto:lersek at redhat.com>; Leif Lindholm<mailto:leif at nuviainc.com>; liming.gao<mailto:liming.gao at intel.com>; Marvin Häuser<mailto:mhaeuser at outlook.de>; Zimmer, Vincent<mailto:vincent.zimmer at intel.com>; Gao, Zhichao<mailto:zhichao.gao at intel.com>
Subject: [EXTERNAL] Re: [edk2-devel] [PATCH V6 1/1] MdePkg: Fix SafeString performing assertions on runtime checks
Hi Vitaly,
What about this ASSERT() in UnicodeStrnToAsciiStrS(). It is an ASSERT() on the data contents.
//
// Convert string
//
while ((*Source != 0) && (SourceLen > 0)) {
//
// If any Unicode characters in Source contain non-zero value in the upper
// 8 bits, then ASSERT().
//
ASSERT (*Source < 0x100);
*(Destination++) = (CHAR8) *(Source++);
SourceLen--;
(*DestinationLength)++;
}
*Destination = 0;
Mike
From: devel at edk2.groups.io<mailto:devel at edk2.groups.io> <devel at edk2.groups.io<mailto:devel at edk2.groups.io>> On Behalf Of Vitaly Cheptsov
Sent: Thursday, May 14, 2020 11:59 AM
To: Kinney, Michael D <michael.d.kinney at intel.com<mailto:michael.d.kinney at intel.com>>
Cc: devel at edk2.groups.io<mailto:devel at edk2.groups.io>; Andrew Fish <afish at apple.com<mailto:afish at apple.com>>; Ard Biesheuvel <ard.biesheuvel at linaro.org<mailto:ard.biesheuvel at linaro.org>>; Bret Barkelew <bret.barkelew at microsoft.com<mailto:bret.barkelew at microsoft.com>>; Brian J . Johnson <brian.johnson at hpe.com<mailto:brian.johnson at hpe.com>>; Chiu, Chasel <chasel.chiu at intel.com<mailto:chasel.chiu at intel.com>>; Justen, Jordan L <jordan.l.justen at intel.com<mailto:jordan.l.justen at intel.com>>; Laszlo Ersek <lersek at redhat.com<mailto:lersek at redhat.com>>; Leif Lindholm <leif at nuviainc.com<mailto:leif at nuviainc.com>>; Gao, Liming <liming.gao at intel.com<mailto:liming.gao at intel.com>>; Marvin Häuser <mhaeuser at outlook.de<mailto:mhaeuser at outlook.de>>; Zimmer, Vincent <vincent.zimmer at intel.com<mailto:vincent.zimmer at intel.com>>; Gao, Zhichao <zhichao.gao at intel.com<mailto:zhichao.gao at intel.com>>
Subject: Re: [edk2-devel] [PATCH V6 1/1] MdePkg: Fix SafeString performing assertions on runtime checks
Mike,
The code you posted may inflict undefined behaviour is not valid C for several reasons. The compiler is free to do whatever it desires. Please refer to ISO/IEC 9899 for more details.
If applications cast raw pointers to typed pointers without checking their alignment, well, god bless them :)
My opinion is both the compiler and the hardware are welcome to do the worst once your third line is discovered. On a number of CPUs such addresses cannot be even represented in the first place.
Yet, once again it is out of the scope of the current problem.
Best wishes,
Vitaly
14 мая 2020 г., в 20:58, Kinney, Michael D <michael.d.kinney at intel.com<mailto:michael.d.kinney at intel.com>> написал(а):
Vitaly,
Why do you think there is no way to craft an odd address
without memory corruption.
UINT8 ByteArray[100];
CHAR16 *String
String = (CHAR16 *)(&Array[3]);
The reason I raised the question of these other ASSERT()s
is that I thought the use case was using these safe string
APIs from a UEFI App, and the UEFI App always wants to evaluate
the return status to know if the operation was completed or
not. In build that removes all ASSERT()s, an odd address
will generate an exception on some CPU archs. Wouldn’t it
be better for the UEFI App that is already designed to handle
error return status to get an error code instead of an
exception?
Mike
-----Original Message-----
From: devel at edk2.groups.io<mailto:devel at edk2.groups.io> <devel at edk2.groups.io<mailto:devel at edk2.groups.io>> On
Behalf Of Vitaly Cheptsov
Sent: Thursday, May 14, 2020 10:39 AM
To: Kinney, Michael D <michael.d.kinney at intel.com<mailto:michael.d.kinney at intel.com>>
Cc: devel at edk2.groups.io<mailto:devel at edk2.groups.io>; Andrew Fish
<afish at apple.com<mailto:afish at apple.com>>; Ard Biesheuvel
<ard.biesheuvel at linaro.org<mailto:ard.biesheuvel at linaro.org>>; Bret Barkelew
<bret.barkelew at microsoft.com<mailto:bret.barkelew at microsoft.com>>; Brian J . Johnson
<brian.johnson at hpe.com<mailto:brian.johnson at hpe.com>>; Chiu, Chasel
<chasel.chiu at intel.com<mailto:chasel.chiu at intel.com>>; Justen, Jordan L
<jordan.l.justen at intel.com<mailto:jordan.l.justen at intel.com>>; Laszlo Ersek
<lersek at redhat.com<mailto:lersek at redhat.com>>; Leif Lindholm <leif at nuviainc.com<mailto:leif at nuviainc.com>>;
Gao, Liming <liming.gao at intel.com<mailto:liming.gao at intel.com>>; Marvin Häuser
<mhaeuser at outlook.de<mailto:mhaeuser at outlook.de>>; Zimmer, Vincent
<vincent.zimmer at intel.com<mailto:vincent.zimmer at intel.com>>; Gao, Zhichao
<zhichao.gao at intel.com<mailto:zhichao.gao at intel.com>>
Subject: Re: [edk2-devel] [PATCH V6 1/1] MdePkg: Fix
SafeString performing assertions on runtime checks
Mike,
Firstly, NULL check and odd-address checks are
essentially different things:
— NULL address is basically «no object», «optional
argument» (e.g. failed allocation).
— Odd address is memory corruption, as there is no way
to craft such address anyhow else.
For this reason the implementation is allowed to treat
them differently.
Secondly, as I said in my cover letter there is no
behaviour change here for RELEASE builds. Behaviour
changes unrelated to the bugfix will have to go to a
separate patch. I agree that we may want to reconsider
the interface in the future, but that’s for a separate
bugzilla and patch. Not discussing it currently is
important to avoid diverting from the primary problem.
Could create a bugzilla not to forget about it soon
after the stable tag.
Best wishes,
Vitaly
14 мая 2020 г., в 19:38, Kinney, Michael D
<michael.d.kinney at intel.com<mailto:michael.d.kinney at intel.com>> написал(а):
Why preserve the ASSERT()s for an a Unicode strings
that are not aligned in a 16-bit boundary?
This is essentially the same as an invalid pointer
value
just like NULL. If NULL pointer returns an error
code,
shouldn't and invalid pointer value?
Thanks,
Mike
-----Original Message-----
From: devel at edk2.groups.io<mailto:devel at edk2.groups.io> <devel at edk2.groups.io<mailto:devel at edk2.groups.io>> On
Behalf Of Vitaly Cheptsov
Sent: Thursday, May 14, 2020 2:26 AM
To: devel at edk2.groups.io<mailto:devel at edk2.groups.io>
Cc: Andrew Fish <afish at apple.com<mailto:afish at apple.com>>; Ard Biesheuvel
<ard.biesheuvel at linaro.org<mailto:ard.biesheuvel at linaro.org>>; Bret Barkelew
<bret.barkelew at microsoft.com<mailto:bret.barkelew at microsoft.com>>; Brian J . Johnson
<brian.johnson at hpe.com<mailto:brian.johnson at hpe.com>>; Chiu, Chasel
<chasel.chiu at intel.com<mailto:chasel.chiu at intel.com>>; Justen, Jordan L
<jordan.l.justen at intel.com<mailto:jordan.l.justen at intel.com>>; Laszlo Ersek
<lersek at redhat.com<mailto:lersek at redhat.com>>; Leif Lindholm
<leif at nuviainc.com<mailto:leif at nuviainc.com>>;
Gao, Liming <liming.gao at intel.com<mailto:liming.gao at intel.com>>; Marvin Häuser
<mhaeuser at outlook.de<mailto:mhaeuser at outlook.de>>; Kinney, Michael D
<michael.d.kinney at intel.com<mailto:michael.d.kinney at intel.com>>; Zimmer, Vincent
<vincent.zimmer at intel.com<mailto:vincent.zimmer at intel.com>>; Gao, Zhichao
<zhichao.gao at intel.com<mailto:zhichao.gao at intel.com>>
Subject: [edk2-devel] [PATCH V6 1/1] MdePkg: Fix
SafeString performing assertions on runtime checks
REF:
https://bugzilla.tianocore.org/show_bug.cgi?id=2054<https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fbugzilla.tianocore.org%2Fshow_bug.cgi%3Fid%3D2054&data=02%7C01%7CBret.Barkelew%40microsoft.com%7C854c0200e7ed412219a008d7f84ad4e5%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637250872617792374&sdata=obXC2njAL18GchcPz1HyiGBSNcBYk8i2Q0ZhWDwICCQ%3D&reserved=0>
Runtime checks returned via status return code
should
not work as
assertions to permit parsing not trusted data with
SafeString
interfaces.
CC: Andrew Fish <afish at apple.com<mailto:afish at apple.com>>
CC: Ard Biesheuvel <ard.biesheuvel at linaro.org<mailto:ard.biesheuvel at linaro.org>>
CC: Bret Barkelew <bret.barkelew at microsoft.com<mailto:bret.barkelew at microsoft.com>>
CC: Brian J. Johnson <brian.johnson at hpe.com<mailto:brian.johnson at hpe.com>>
CC: Chasel Chiu <chasel.chiu at intel.com<mailto:chasel.chiu at intel.com>>
CC: Jordan Justen <jordan.l.justen at intel.com<mailto:jordan.l.justen at intel.com>>
CC: Laszlo Ersek <lersek at redhat.com<mailto:lersek at redhat.com>>
CC: Leif Lindholm <leif at nuviainc.com<mailto:leif at nuviainc.com>>
CC: Liming Gao <liming.gao at intel.com<mailto:liming.gao at intel.com>>
CC: Marvin Häuser <mhaeuser at outlook.de<mailto:mhaeuser at outlook.de>>
CC: Mike Kinney <michael.d.kinney at intel.com<mailto:michael.d.kinney at intel.com>>
CC: Vincent Zimmer <vincent.zimmer at intel.com<mailto:vincent.zimmer at intel.com>>
CC: Zhichao Gao <zhichao.gao at intel.com<mailto:zhichao.gao at intel.com>>
Signed-off-by: Vitaly Cheptsov
<vit9696 at protonmail.com<mailto:vit9696 at protonmail.com>>
---
MdePkg/Include/Library/BaseLib.h | 120 ++--------
--
--------
MdePkg/Library/BaseLib/SafeString.c | 80 ----------
--
-
2 files changed, 7 insertions(+), 193 deletions(-)
diff --git a/MdePkg/Include/Library/BaseLib.h
b/MdePkg/Include/Library/BaseLib.h
index ecadff8b23..62dc3151bc 100644
--- a/MdePkg/Include/Library/BaseLib.h
+++ b/MdePkg/Include/Library/BaseLib.h
@@ -189,7 +189,6 @@ StrnSizeS (
If Destination is not aligned on a 16-bit
boundary,
then ASSERT().
If Source is not aligned on a 16-bit boundary,
then
ASSERT().
- If an error would be returned, then the function
will also ASSERT().
If an error is returned, then the Destination is
unmodified.
@@ -225,7 +224,6 @@ StrCpyS (
If Length > 0 and Destination is not aligned on a
16-bit boundary, then ASSERT().
If Length > 0 and Source is not aligned on a 16-
bit
boundary, then ASSERT().
- If an error would be returned, then the function
will also ASSERT().
If an error is returned, then the Destination is
unmodified.
@@ -263,7 +261,6 @@ StrnCpyS (
If Destination is not aligned on a 16-bit
boundary,
then ASSERT().
If Source is not aligned on a 16-bit boundary,
then
ASSERT().
- If an error would be returned, then the function
will also ASSERT().
If an error is returned, then the Destination is
unmodified.
@@ -303,7 +300,6 @@ StrCatS (
If Destination is not aligned on a 16-bit
boundary,
then ASSERT().
If Source is not aligned on a 16-bit boundary,
then
ASSERT().
- If an error would be returned, then the function
will also ASSERT().
If an error is returned, then the Destination is
unmodified.
@@ -350,12 +346,7 @@ StrnCatS (
be ignored. Then, the function stops at the first
character that is a not a
valid decimal character or a Null-terminator,
whichever one comes first.
- If String is NULL, then ASSERT().
- If Data is NULL, then ASSERT().
If String is not aligned in a 16-bit boundary,
then
ASSERT().
- If PcdMaximumUnicodeStringLength is not zero, and
String contains more than
- PcdMaximumUnicodeStringLength Unicode characters,
not including the
- Null-terminator, then ASSERT().
If String has no valid decimal digits in the above
format, then 0 is stored
at the location pointed to by Data.
@@ -406,12 +397,7 @@ StrDecimalToUintnS (
be ignored. Then, the function stops at the first
character that is a not a
valid decimal character or a Null-terminator,
whichever one comes first.
- If String is NULL, then ASSERT().
- If Data is NULL, then ASSERT().
If String is not aligned in a 16-bit boundary,
then
ASSERT().
- If PcdMaximumUnicodeStringLength is not zero, and
String contains more than
- PcdMaximumUnicodeStringLength Unicode characters,
not including the
- Null-terminator, then ASSERT().
If String has no valid decimal digits in the above
format, then 0 is stored
at the location pointed to by Data.
@@ -467,12 +453,7 @@ StrDecimalToUint64S (
the first character that is a not a valid
hexadecimal character or NULL,
whichever one comes first.
- If String is NULL, then ASSERT().
- If Data is NULL, then ASSERT().
If String is not aligned in a 16-bit boundary,
then
ASSERT().
- If PcdMaximumUnicodeStringLength is not zero, and
String contains more than
- PcdMaximumUnicodeStringLength Unicode characters,
not including the
- Null-terminator, then ASSERT().
If String has no valid hexadecimal digits in the
above format, then 0 is
stored at the location pointed to by Data.
@@ -528,12 +509,7 @@ StrHexToUintnS (
the first character that is a not a valid
hexadecimal character or NULL,
whichever one comes first.
- If String is NULL, then ASSERT().
- If Data is NULL, then ASSERT().
If String is not aligned in a 16-bit boundary,
then
ASSERT().
- If PcdMaximumUnicodeStringLength is not zero, and
String contains more than
- PcdMaximumUnicodeStringLength Unicode characters,
not including the
- Null-terminator, then ASSERT().
If String has no valid hexadecimal digits in the
above format, then 0 is
stored at the location pointed to by Data.
@@ -622,8 +598,6 @@ AsciiStrnSizeS (
This function is similar as strcpy_s defined in
C11.
- If an error would be returned, then the function
will also ASSERT().
-
If an error is returned, then the Destination is
unmodified.
@param Destination A pointer to a
Null-terminated Ascii string.
@@ -656,8 +630,6 @@ AsciiStrCpyS (
This function is similar as strncpy_s defined in
C11.
- If an error would be returned, then the function
will also ASSERT().
-
If an error is returned, then the Destination is
unmodified.
@param Destination A pointer to a
Null-terminated Ascii string.
@@ -692,8 +664,6 @@ AsciiStrnCpyS (
This function is similar as strcat_s defined in
C11.
- If an error would be returned, then the function
will also ASSERT().
-
If an error is returned, then the Destination is
unmodified.
@param Destination A pointer to a
Null-terminated Ascii string.
@@ -730,8 +700,6 @@ AsciiStrCatS (
This function is similar as strncat_s defined in
C11.
- If an error would be returned, then the function
will also ASSERT().
-
If an error is returned, then the Destination is
unmodified.
@param Destination A pointer to a
Null-terminated Ascii string.
@@ -777,12 +745,6 @@ AsciiStrnCatS (
be ignored. Then, the function stops at the first
character that is a not a
valid decimal character or a Null-terminator,
whichever one comes first.
- If String is NULL, then ASSERT().
- If Data is NULL, then ASSERT().
- If PcdMaximumAsciiStringLength is not zero, and
String contains more than
- PcdMaximumAsciiStringLength Ascii characters, not
including the
- Null-terminator, then ASSERT().
-
If String has no valid decimal digits in the above
format, then 0 is stored
at the location pointed to by Data.
If the number represented by String exceeds the
range defined by UINTN, then
@@ -832,12 +794,6 @@ AsciiStrDecimalToUintnS (
be ignored. Then, the function stops at the first
character that is a not a
valid decimal character or a Null-terminator,
whichever one comes first.
- If String is NULL, then ASSERT().
- If Data is NULL, then ASSERT().
- If PcdMaximumAsciiStringLength is not zero, and
String contains more than
- PcdMaximumAsciiStringLength Ascii characters, not
including the
- Null-terminator, then ASSERT().
-
If String has no valid decimal digits in the above
format, then 0 is stored
at the location pointed to by Data.
If the number represented by String exceeds the
range defined by UINT64, then
@@ -891,12 +847,6 @@ AsciiStrDecimalToUint64S (
character that is a not a valid hexadecimal
character or Null-terminator,
whichever on comes first.
- If String is NULL, then ASSERT().
- If Data is NULL, then ASSERT().
- If PcdMaximumAsciiStringLength is not zero, and
String contains more than
- PcdMaximumAsciiStringLength Ascii characters, not
including the
- Null-terminator, then ASSERT().
-
If String has no valid hexadecimal digits in the
above format, then 0 is
stored at the location pointed to by Data.
If the number represented by String exceeds the
range defined by UINTN, then
@@ -950,12 +900,6 @@ AsciiStrHexToUintnS (
character that is a not a valid hexadecimal
character or Null-terminator,
whichever on comes first.
- If String is NULL, then ASSERT().
- If Data is NULL, then ASSERT().
- If PcdMaximumAsciiStringLength is not zero, and
String contains more than
- PcdMaximumAsciiStringLength Ascii characters, not
including the
- Null-terminator, then ASSERT().
-
If String has no valid hexadecimal digits in the
above format, then 0 is
stored at the location pointed to by Data.
If the number represented by String exceeds the
range defined by UINT64, then
@@ -1506,16 +1450,8 @@ StrHexToUint64 (
"::" can be used to compress one or more groups of
X
when X contains only 0.
The "::" can only appear once in the String.
- If String is NULL, then ASSERT().
-
- If Address is NULL, then ASSERT().
-
If String is not aligned in a 16-bit boundary,
then
ASSERT().
- If PcdMaximumUnicodeStringLength is not zero, and
String contains more than
- PcdMaximumUnicodeStringLength Unicode characters,
not including the
- Null-terminator, then ASSERT().
-
If EndPointer is not NULL and Address is
translated
from String, a pointer
to the character that stopped the scan is stored
at
the location pointed to
by EndPointer.
@@ -1567,15 +1503,10 @@ StrToIpv6Address (
When /P is in the String, the function stops at
the
first character that is not
a valid decimal digit character after P is
converted.
- If String is NULL, then ASSERT().
-
- If Address is NULL, then ASSERT().
-
If String is not aligned in a 16-bit boundary,
then
ASSERT().
If PcdMaximumUnicodeStringLength is not zero, and
String contains more than
PcdMaximumUnicodeStringLength Unicode characters,
not including the
- Null-terminator, then ASSERT().
If EndPointer is not NULL and Address is
translated
from String, a pointer
to the character that stopped the scan is stored
at
the location pointed to
@@ -1640,8 +1571,6 @@ StrToIpv4Address (
oo Data4[48:55]
pp Data4[56:63]
- If String is NULL, then ASSERT().
- If Guid is NULL, then ASSERT().
If String is not aligned in a 16-bit boundary,
then
ASSERT().
@param String Pointer to a
Null-
terminated Unicode string.
@@ -1676,17 +1605,6 @@ StrToGuid (
If String is not aligned in a 16-bit boundary,
then
ASSERT().
- If String is NULL, then ASSERT().
-
- If Buffer is NULL, then ASSERT().
-
- If Length is not multiple of 2, then ASSERT().
-
- If PcdMaximumUnicodeStringLength is not zero and
Length is greater than
- PcdMaximumUnicodeStringLength, then ASSERT().
-
- If MaxBufferSize is less than (Length / 2), then
ASSERT().
-
@param String Pointer to a
Null-
terminated Unicode string.
@param Length The number of
Unicode characters to decode.
@param Buffer Pointer to the
converted bytes array.
@@ -1777,7 +1695,6 @@ UnicodeStrToAsciiStr (
the upper 8 bits, then ASSERT().
If Source is not aligned on a 16-bit boundary,
then
ASSERT().
- If an error would be returned, then the function
will also ASSERT().
If an error is returned, then the Destination is
unmodified.
@@ -1818,22 +1735,23 @@ UnicodeStrToAsciiStrS (
bits of each Unicode character. The function
terminates the Ascii string
Destination by appending a Null-terminator
character
at the end.
- The caller is responsible to make sure
Destination
points to a buffer with size
- equal or greater than ((StrLen (Source) + 1) *
sizeof (CHAR8)) in bytes.
+ The caller is responsible to make sure
Destination
points to a buffer with
+ size not smaller than ((MIN(StrLen(Source),
Length)
+ 1) * sizeof (CHAR8))
+ in bytes.
If any Unicode characters in Source contain non-
zero
value in the upper 8
bits, then ASSERT().
If Source is not aligned on a 16-bit boundary,
then
ASSERT().
- If an error would be returned, then the function
will also ASSERT().
- If an error is returned, then the Destination is
unmodified.
+ If an error is returned, then Destination and
DestinationLength are
+ unmodified.
@param Source The pointer to a Null-
terminated Unicode string.
@param Length The maximum number of
Unicode characters to
convert.
@param Destination The pointer to a Null-
terminated Ascii string.
- @param DestMax The maximum number of
Destination Ascii
- char, including
terminating null char.
+ @param DestMax The maximum number of
Destination Ascii char,
+ including terminating
null char.
@param DestinationLength The number of Unicode
characters converted.
@retval RETURN_SUCCESS String is
converted.
@@ -2388,10 +2306,6 @@ AsciiStrHexToUint64 (
"::" can be used to compress one or more groups of
X
when X contains only 0.
The "::" can only appear once in the String.
- If String is NULL, then ASSERT().
-
- If Address is NULL, then ASSERT().
-
If EndPointer is not NULL and Address is
translated
from String, a pointer
to the character that stopped the scan is stored
at
the location pointed to
by EndPointer.
@@ -2443,10 +2357,6 @@ AsciiStrToIpv6Address (
When /P is in the String, the function stops at
the
first character that is not
a valid decimal digit character after P is
converted.
- If String is NULL, then ASSERT().
-
- If Address is NULL, then ASSERT().
-
If EndPointer is not NULL and Address is
translated
from String, a pointer
to the character that stopped the scan is stored
at
the location pointed to
by EndPointer.
@@ -2508,9 +2418,6 @@ AsciiStrToIpv4Address (
oo Data4[48:55]
pp Data4[56:63]
- If String is NULL, then ASSERT().
- If Guid is NULL, then ASSERT().
-
@param String Pointer to a
Null-
terminated ASCII string.
@param Guid Pointer to the
converted GUID.
@@ -2541,17 +2448,6 @@ AsciiStrToGuid (
decoding stops after Length of characters and
outputs Buffer containing
(Length / 2) bytes.
- If String is NULL, then ASSERT().
-
- If Buffer is NULL, then ASSERT().
-
- If Length is not multiple of 2, then ASSERT().
-
- If PcdMaximumAsciiStringLength is not zero and
Length is greater than
- PcdMaximumAsciiStringLength, then ASSERT().
-
- If MaxBufferSize is less than (Length / 2), then
ASSERT().
-
@param String Pointer to a
Null-
terminated ASCII string.
@param Length The number of
ASCII
characters to decode.
@param Buffer Pointer to the
converted bytes array.
@@ -2632,7 +2528,6 @@ AsciiStrToUnicodeStr (
equal or greater than ((AsciiStrLen (Source) + 1)
*
sizeof (CHAR16)) in bytes.
If Destination is not aligned on a 16-bit
boundary,
then ASSERT().
- If an error would be returned, then the function
will also ASSERT().
If an error is returned, then the Destination is
unmodified.
@@ -2678,7 +2573,6 @@ AsciiStrToUnicodeStrS (
((MIN(AsciiStrLen(Source), Length) + 1) * sizeof
(CHAR8)) in bytes.
If Destination is not aligned on a 16-bit
boundary,
then ASSERT().
- If an error would be returned, then the function
will also ASSERT().
If an error is returned, then Destination and
DestinationLength are
unmodified.
diff --git a/MdePkg/Library/BaseLib/SafeString.c
b/MdePkg/Library/BaseLib/SafeString.c
index 7dc03d2caa..1db42abb05 100644
--- a/MdePkg/Library/BaseLib/SafeString.c
+++ b/MdePkg/Library/BaseLib/SafeString.c
@@ -14,7 +14,6 @@
#define SAFE_STRING_CONSTRAINT_CHECK(Expression,
Status) \
do { \
- ASSERT (Expression); \
if (!(Expression)) { \
return Status; \
} \
@@ -197,7 +196,6 @@ StrnSizeS (
If Destination is not aligned on a 16-bit
boundary,
then ASSERT().
If Source is not aligned on a 16-bit boundary,
then
ASSERT().
- If an error would be returned, then the function
will also ASSERT().
If an error is returned, then the Destination is
unmodified.
@@ -279,7 +277,6 @@ StrCpyS (
If Length > 0 and Destination is not aligned on a
16-bit boundary, then ASSERT().
If Length > 0 and Source is not aligned on a 16-
bit
boundary, then ASSERT().
- If an error would be returned, then the function
will also ASSERT().
If an error is returned, then the Destination is
unmodified.
@@ -372,7 +369,6 @@ StrnCpyS (
If Destination is not aligned on a 16-bit
boundary,
then ASSERT().
If Source is not aligned on a 16-bit boundary,
then
ASSERT().
- If an error would be returned, then the function
will also ASSERT().
If an error is returned, then the Destination is
unmodified.
@@ -473,7 +469,6 @@ StrCatS (
If Destination is not aligned on a 16-bit
boundary,
then ASSERT().
If Source is not aligned on a 16-bit boundary,
then
ASSERT().
- If an error would be returned, then the function
will also ASSERT().
If an error is returned, then the Destination is
unmodified.
@@ -590,12 +585,7 @@ StrnCatS (
be ignored. Then, the function stops at the first
character that is a not a
valid decimal character or a Null-terminator,
whichever one comes first.
- If String is NULL, then ASSERT().
- If Data is NULL, then ASSERT().
If String is not aligned in a 16-bit boundary,
then
ASSERT().
- If PcdMaximumUnicodeStringLength is not zero, and
String contains more than
- PcdMaximumUnicodeStringLength Unicode characters,
not including the
- Null-terminator, then ASSERT().
If String has no valid decimal digits in the above
format, then 0 is stored
at the location pointed to by Data.
@@ -705,12 +695,7 @@ StrDecimalToUintnS (
be ignored. Then, the function stops at the first
character that is a not a
valid decimal character or a Null-terminator,
whichever one comes first.
- If String is NULL, then ASSERT().
- If Data is NULL, then ASSERT().
If String is not aligned in a 16-bit boundary,
then
ASSERT().
- If PcdMaximumUnicodeStringLength is not zero, and
String contains more than
- PcdMaximumUnicodeStringLength Unicode characters,
not including the
- Null-terminator, then ASSERT().
If String has no valid decimal digits in the above
format, then 0 is stored
at the location pointed to by Data.
@@ -825,12 +810,7 @@ StrDecimalToUint64S (
the first character that is a not a valid
hexadecimal character or NULL,
whichever one comes first.
- If String is NULL, then ASSERT().
- If Data is NULL, then ASSERT().
If String is not aligned in a 16-bit boundary,
then
ASSERT().
- If PcdMaximumUnicodeStringLength is not zero, and
String contains more than
- PcdMaximumUnicodeStringLength Unicode characters,
not including the
- Null-terminator, then ASSERT().
If String has no valid hexadecimal digits in the
above format, then 0 is
stored at the location pointed to by Data.
@@ -956,12 +936,7 @@ StrHexToUintnS (
the first character that is a not a valid
hexadecimal character or NULL,
whichever one comes first.
- If String is NULL, then ASSERT().
- If Data is NULL, then ASSERT().
If String is not aligned in a 16-bit boundary,
then
ASSERT().
- If PcdMaximumUnicodeStringLength is not zero, and
String contains more than
- PcdMaximumUnicodeStringLength Unicode characters,
not including the
- Null-terminator, then ASSERT().
If String has no valid hexadecimal digits in the
above format, then 0 is
stored at the location pointed to by Data.
@@ -1856,8 +1831,6 @@ AsciiStrCpyS (
This function is similar as strncpy_s defined in
C11.
- If an error would be returned, then the function
will also ASSERT().
-
If an error is returned, then the Destination is
unmodified.
@param Destination A pointer to a
Null-terminated Ascii string.
@@ -1944,8 +1917,6 @@ AsciiStrnCpyS (
This function is similar as strcat_s defined in
C11.
- If an error would be returned, then the function
will also ASSERT().
-
If an error is returned, then the Destination is
unmodified.
@param Destination A pointer to a
Null-terminated Ascii string.
@@ -2040,8 +2011,6 @@ AsciiStrCatS (
This function is similar as strncat_s defined in
C11.
- If an error would be returned, then the function
will also ASSERT().
-
If an error is returned, then the Destination is
unmodified.
@param Destination A pointer to a
Null-terminated Ascii string.
@@ -2154,12 +2123,6 @@ AsciiStrnCatS (
be ignored. Then, the function stops at the first
character that is a not a
valid decimal character or a Null-terminator,
whichever one comes first.
- If String is NULL, then ASSERT().
- If Data is NULL, then ASSERT().
- If PcdMaximumAsciiStringLength is not zero, and
String contains more than
- PcdMaximumAsciiStringLength Ascii characters, not
including the
- Null-terminator, then ASSERT().
-
If String has no valid decimal digits in the above
format, then 0 is stored
at the location pointed to by Data.
If the number represented by String exceeds the
range defined by UINTN, then
@@ -2266,12 +2229,6 @@ AsciiStrDecimalToUintnS (
be ignored. Then, the function stops at the first
character that is a not a
valid decimal character or a Null-terminator,
whichever one comes first.
- If String is NULL, then ASSERT().
- If Data is NULL, then ASSERT().
- If PcdMaximumAsciiStringLength is not zero, and
String contains more than
- PcdMaximumAsciiStringLength Ascii characters, not
including the
- Null-terminator, then ASSERT().
-
If String has no valid decimal digits in the above
format, then 0 is stored
at the location pointed to by Data.
If the number represented by String exceeds the
range defined by UINT64, then
@@ -2382,12 +2339,6 @@ AsciiStrDecimalToUint64S (
character that is a not a valid hexadecimal
character or Null-terminator,
whichever on comes first.
- If String is NULL, then ASSERT().
- If Data is NULL, then ASSERT().
- If PcdMaximumAsciiStringLength is not zero, and
String contains more than
- PcdMaximumAsciiStringLength Ascii characters, not
including the
- Null-terminator, then ASSERT().
-
If String has no valid hexadecimal digits in the
above format, then 0 is
stored at the location pointed to by Data.
If the number represented by String exceeds the
range defined by UINTN, then
@@ -2509,12 +2460,6 @@ AsciiStrHexToUintnS (
character that is a not a valid hexadecimal
character or Null-terminator,
whichever on comes first.
- If String is NULL, then ASSERT().
- If Data is NULL, then ASSERT().
- If PcdMaximumAsciiStringLength is not zero, and
String contains more than
- PcdMaximumAsciiStringLength Ascii characters, not
including the
- Null-terminator, then ASSERT().
-
If String has no valid hexadecimal digits in the
above format, then 0 is
stored at the location pointed to by Data.
If the number represented by String exceeds the
range defined by UINT64, then
@@ -2635,7 +2580,6 @@ AsciiStrHexToUint64S (
the upper 8 bits, then ASSERT().
If Source is not aligned on a 16-bit boundary,
then
ASSERT().
- If an error would be returned, then the function
will also ASSERT().
If an error is returned, then the Destination is
unmodified.
@@ -2735,7 +2679,6 @@ UnicodeStrToAsciiStrS (
If any Unicode characters in Source contain non-
zero
value in the upper 8
bits, then ASSERT().
If Source is not aligned on a 16-bit boundary,
then
ASSERT().
- If an error would be returned, then the function
will also ASSERT().
If an error is returned, then Destination and
DestinationLength are
unmodified.
@@ -2948,7 +2891,6 @@ AsciiStrToUnicodeStrS (
((MIN(AsciiStrLen(Source), Length) + 1) * sizeof
(CHAR8)) in bytes.
If Destination is not aligned on a 16-bit
boundary,
then ASSERT().
- If an error would be returned, then the function
will also ASSERT().
If an error is returned, then Destination and
DestinationLength are
unmodified.
@@ -3072,10 +3014,6 @@ AsciiStrnToUnicodeStrS (
"::" can be used to compress one or more groups of
X
when X contains only 0.
The "::" can only appear once in the String.
- If String is NULL, then ASSERT().
-
- If Address is NULL, then ASSERT().
-
If EndPointer is not NULL and Address is
translated
from String, a pointer
to the character that stopped the scan is stored
at
the location pointed to
by EndPointer.
@@ -3291,10 +3229,6 @@ AsciiStrToIpv6Address (
When /P is in the String, the function stops at
the
first character that is not
a valid decimal digit character after P is
converted.
- If String is NULL, then ASSERT().
-
- If Address is NULL, then ASSERT().
-
If EndPointer is not NULL and Address is
translated
from String, a pointer
to the character that stopped the scan is stored
at
the location pointed to
by EndPointer.
@@ -3448,9 +3382,6 @@ AsciiStrToIpv4Address (
oo Data4[48:55]
pp Data4[56:63]
- If String is NULL, then ASSERT().
- If Guid is NULL, then ASSERT().
-
@param String Pointer to a
Null-
terminated ASCII string.
@param Guid Pointer to the
converted GUID.
@@ -3550,17 +3481,6 @@ AsciiStrToGuid (
decoding stops after Length of characters and
outputs Buffer containing
(Length / 2) bytes.
- If String is NULL, then ASSERT().
-
- If Buffer is NULL, then ASSERT().
-
- If Length is not multiple of 2, then ASSERT().
-
- If PcdMaximumAsciiStringLength is not zero and
Length is greater than
- PcdMaximumAsciiStringLength, then ASSERT().
-
- If MaxBufferSize is less than (Length / 2), then
ASSERT().
-
@param String Pointer to a
Null-
terminated ASCII string.
@param Length The number of
ASCII
characters to decode.
@param Buffer Pointer to the
converted bytes array.
--
2.24.2 (Apple Git-127)
-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#59688): https://edk2.groups.io/g/devel/message/59688
Mute This Topic: https://groups.io/mt/74223854/1813853
Group Owner: devel+owner at edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [edk2-devel-archive at redhat.com]
-=-=-=-=-=-=-=-=-=-=-=-
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/edk2-devel-archive/attachments/20200515/fbd79fd5/attachment.htm>
More information about the edk2-devel-archive
mailing list