TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / TF-M / trusted-firmware-m.git / ac515e5a4410e1ae79d5e22fbec45af1fe3591b6^! / . / lib / ext / qcbor / inc / UsefulBuf.h
commitac515e5a4410e1ae79d5e22fbec45af1fe3591b6[log] [tgz]
authorLaurence Lundblade <lgl@securitytheory.com>Thu Jan 30 10:44:06 2020 -0800
committerTamas Ban <tamas.ban@arm.com>Wed Feb 05 13:29:37 2020 +0000
tree7e72a162488a58d9be2aad5aec296d776a518fe9
parentd5b6817608cfc1340ad1c169df423aff4dbe4cd3 [diff] [blame]
QCBOR: Quiet static analyzers; add bigfloat support; documentation improvements

Refined use of types, particular integer types and their signedness so there
are fewer warnings from static analyzers. Added casts to make implicit
type conversions explicit and more clear for code reader. No actual bugs
or vulnerabilities where found by the static analyzer but a lot of lines
were changed.

Cleaner handling of too-long bstr and tstr error condition when decoding.

Add support for bigfloats and decimal fractions -- all of RFC 7049 is now
supported except duplicate detection when decoding maps and some of
strict mode. Dead-stripping and/or linking through a .a file will
automatically leave out the added code on the encoder side.
bytes or so of code on the decode side

Documentation corrections and improved code formatting, fewer
long lines, spelling... A lot of lines where change for this.

Repair a few tests that weren't testing what they were supposed
to be testing.

Change-Id: I4c9c56c1ee16812eac7a5c2f2ba0d896f3f1b5ae
Signed-off-by: Laurence Lundblade <lgl@securitytheory.com>

diff --git a/lib/ext/qcbor/inc/UsefulBuf.h b/lib/ext/qcbor/inc/UsefulBuf.h
index 89ed643..a8da83b 100644
--- a/lib/ext/qcbor/inc/UsefulBuf.h
+++ b/lib/ext/qcbor/inc/UsefulBuf.h

@@ -1,6 +1,6 @@
 /*============================================================================
  Copyright (c) 2016-2018, The Linux Foundation.
- Copyright (c) 2018-2019, Laurence Lundblade.
+ Copyright (c) 2018-2020, Laurence Lundblade.
 
 Redistribution and use in source and binary forms, with or without
 modification, are permitted provided that the following conditions are
@@ -41,6 +41,7 @@
 
  when         who             what, where, why
  --------     ----            --------------------------------------------------
+ 1/25/2020    llundblade      Add some casts so static anlyzers don't complain.
  5/21/2019    llundblade      #define configs for efficient endianness handling.
  5/16/2019    llundblade      Add UsefulOutBuf_IsBufferNULL().
  3/23/2019    llundblade      Big documentation & style update. No interface
@@ -1692,8 +1693,8 @@
 #else
    uint8_t aTmp[2];
 
-   aTmp[0] = (uInteger16 & 0xff00) >> 8;
-   aTmp[1] = (uInteger16 & 0xff);
+   aTmp[0] = (uint8_t)((uInteger16 & 0xff00) >> 8);
+   aTmp[1] = (uint8_t)(uInteger16 & 0xff);
 
    pBytes = aTmp;
 #endif
@@ -1725,10 +1726,10 @@
 #else
    uint8_t aTmp[4];
 
-   aTmp[0] = (uInteger32 & 0xff000000) >> 24;
-   aTmp[1] = (uInteger32 & 0xff0000) >> 16;
-   aTmp[2] = (uInteger32 & 0xff00) >> 8;
-   aTmp[3] = (uInteger32 & 0xff);
+   aTmp[0] = (uint8_t)((uInteger32 & 0xff000000) >> 24);
+   aTmp[1] = (uint8_t)((uInteger32 & 0xff0000) >> 16);
+   aTmp[2] = (uint8_t)((uInteger32 & 0xff00) >> 8);
+   aTmp[3] = (uint8_t)(uInteger32 & 0xff);
 
    pBytes = aTmp;
 #endif
@@ -1775,14 +1776,14 @@
    // it is usually a little larger and slower than hton().
    uint8_t aTmp[8];
 
-   aTmp[0] = (uInteger64 & 0xff00000000000000) >> 56;
-   aTmp[1] = (uInteger64 & 0xff000000000000) >> 48;
-   aTmp[2] = (uInteger64 & 0xff0000000000) >> 40;
-   aTmp[3] = (uInteger64 & 0xff00000000) >> 32;
-   aTmp[4] = (uInteger64 & 0xff000000) >> 24;
-   aTmp[5] = (uInteger64 & 0xff0000) >> 16;
-   aTmp[6] = (uInteger64 & 0xff00) >> 8;
-   aTmp[7] = (uInteger64 & 0xff);
+   aTmp[0] = (uint8_t)((uInteger64 & 0xff00000000000000) >> 56);
+   aTmp[1] = (uint8_t)((uInteger64 & 0xff000000000000) >> 48);
+   aTmp[2] = (uint8_t)((uInteger64 & 0xff0000000000) >> 40);
+   aTmp[3] = (uint8_t)((uInteger64 & 0xff00000000) >> 32);
+   aTmp[4] = (uint8_t)((uInteger64 & 0xff000000) >> 24);
+   aTmp[5] = (uint8_t)((uInteger64 & 0xff0000) >> 16);
+   aTmp[6] = (uint8_t)((uInteger64 & 0xff00) >> 8);
+   aTmp[7] = (uint8_t)(uInteger64 & 0xff);
 
    pBytes = aTmp;
 #endif
@@ -1967,7 +1968,10 @@
 {
    const void *pResult = UsefulInputBuf_GetBytes(pMe, sizeof(uint8_t));
 
-   return pResult ? *(uint8_t *)pResult : 0;
+   // The ternery operator is subject to integer promotion, because the
+   // operands are smaller than int, so cast back to uint8_t is needed
+   // to be completely explicit about types (for static analyzers)
+   return (uint8_t)(pResult ? *(uint8_t *)pResult : 0);
 }
 
 static inline uint16_t UsefulInputBuf_GetUint16(UsefulInputBuf *pMe)
@@ -1995,7 +1999,12 @@
 #endif
 
 #else
-   return  ((uint16_t)pResult[0] << 8) + (uint16_t)pResult[1];
+
+   // The operations here are subject to integer promotion because the
+   // operands are smaller than int. They will be promoted to unsigned
+   // int for the shift and addition. The cast back to uint16_t is  is needed
+   // to be completely explicit about types (for static analyzers)
+   return (uint16_t)((pResult[0] << 8) + pResult[1]);
 
 #endif
 }