Merge pull request #160 from metsw24-max/validate-allocation-arithmetic-in-importer-parsing-paths

Taywee · web-flow · commit ae29bb64791c · 2026-05-12T10:14:18.000-06:00
integer overflow hardening in input-derived arithmetic
diff --git a/args.hxx b/args.hxx
@@ -101,6 +101,76 @@ namespace args
         return length;
     }
 
+    /** Safe addition to prevent integer overflow.
+     * Returns true if the addition is successful, false if it would overflow.
+     */
+    template<typename T>
+    bool SafeAdd(T a, T b, T& out)
+    {
+        static_assert(std::is_integral<T>::value, "SafeAdd requires integral types.");
+        if (std::is_unsigned<T>::value)
+        {
+            if (b > std::numeric_limits<T>::max() - a)
+            {
+                return false;
+            }
+        } else
+        {
+            if ((b > 0 && a > std::numeric_limits<T>::max() - b) ||
+                (b < 0 && a < std::numeric_limits<T>::min() - b))
+            {
+                return false;
+            }
+        }
+        out = a + b;
+        return true;
+    }
+
+    /** Safe multiplication to prevent integer overflow.
+     * Returns true if the multiplication is successful, false if it would overflow.
+     */
+    template<typename T>
+    bool SafeMultiply(T a, T b, T& out)
+    {
+        static_assert(std::is_integral<T>::value, "SafeMultiply requires integral types.");
+
+        if (a == 0 || b == 0)
+        {
+            out = 0;
+            return true;
+        }
+
+        if (std::is_unsigned<T>::value)
+        {
+            if (b > std::numeric_limits<T>::max() / a)
+            {
+                return false; // Overflow would occur
+            }
+        }
+        else
+        {
+            if (a == -1 && b == std::numeric_limits<T>::min())
+            {
+                return false;
+            }
+            if (b == -1 && a == std::numeric_limits<T>::min())
+            {
+                return false;
+            }
+
+            if ((a > 0 && b > 0 && a > std::numeric_limits<T>::max() / b) ||
+                (a > 0 && b < 0 && b < std::numeric_limits<T>::min() / a) ||
+                (a < 0 && b > 0 && a < std::numeric_limits<T>::min() / b) ||
+                (a < 0 && b < 0 && a < std::numeric_limits<T>::max() / b))
+            {
+                return false;
+            }
+        }
+
+        out = a * b;
+        return true;
+    }
+
     /** (INTERNAL) Wrap a vector of words into a vector of lines
      *
      * Empty words are skipped. Word "\n" forces wrapping.
@@ -152,17 +222,20 @@ namespace args
 
             auto itemsize = Glyphs(*it);
             
-            // Security fix: Safe comparison that avoids undefined behavior from unsigned integer overflow
-            // The original expression (line.length() + 1 + itemsize) > currentwidth performs addition
-            // of three size_t values which could overflow. This refactored version prevents that.
+            // Refactored to prevent integer overflow
             bool needsWrap = false;
             if (itemsize >= currentwidth)
             {
                 needsWrap = true;
             }
-            else if (line.length() + 1 > currentwidth - itemsize)
+            else
             {
-                needsWrap = true;
+                size_t remainingWidth = (currentwidth > itemsize) ? (currentwidth - itemsize) : 0;
+                size_t nextLength = 0;
+                if (!SafeAdd<std::string::size_type>(line.length(), static_cast<std::string::size_type>(1), nextLength) || nextLength > remainingWidth)
+                {
+                    needsWrap = true;
+                }
             }
             
             if (needsWrap)
@@ -2348,8 +2421,8 @@ namespace args
             bool allowSeparateShortValue = true;
             bool allowSeparateLongValue = true;
 
-            CompletionFlag *completion = nullptr;
             bool readCompletion = false;
+            CompletionFlag *completion = nullptr;
 
         protected:
             enum class OptionType
@@ -2907,12 +2980,17 @@ namespace args
                                 {
                                     size_t prev_idx = idx - 1;  // Safe since we checked idx > 0
                                     curArgs[prev_idx] += "=";
-                                    if (idx + 1 < curArgs.size())
+                                    size_t next_idx = 0;
+                                    if (SafeAdd<size_t>(idx, static_cast<size_t>(1), next_idx) && next_idx < curArgs.size())
                                     {
-                                        curArgs[prev_idx] += curArgs[idx + 1];
+                                        curArgs[prev_idx] += curArgs[next_idx];
                                         // Erase the '=' token and the following value token.
-                                        curArgs.erase(curArgs.begin() + idx,
-                                                     curArgs.begin() + idx + 2);
+                                        size_t erase_end = 0;
+                                        if (SafeAdd<size_t>(next_idx, static_cast<size_t>(1), erase_end))
+                                        {
+                                            curArgs.erase(curArgs.begin() + idx,
+                                                         curArgs.begin() + erase_end);
+                                        }
                                     } else
                                     {
                                         // Safe erase of single '=' token at the end
@@ -3024,7 +3102,7 @@ namespace args
                 } else
                 {
                     this->longseparator = longseparator_;
-                    this->helpParams.longSeparator = allowJoinedLongValue ? longseparator_ : " ";
+                    this->helpParams.longSeparator = allowJoinedLongValue ? longseparator : " ";
                 }
             }
 
@@ -4245,7 +4323,8 @@ namespace args
             typedef std::reverse_iterator<iterator> reverse_iterator;
             typedef std::reverse_iterator<const_iterator> const_reverse_iterator;
 
-            MapFlagList(Group &group_, const std::string &name_, const std::string &help_, Matcher &&matcher_, const Map<K, T> &map_, const Container &defaultValues_ = Container()): ValueFlagBase(name_, help_, std::move(matcher_)), map(map_), values(defaultValues_), defaultValues(defaultValues_)
+            MapFlagList(Group &group_, const std::string &name_, const std::string &help_, Matcher &&matcher_, const Map<K, T> &map_, const Container &defaultValues_ = Container(), Options options_ = {}):
+                ValueFlagBase(name_, help_, std::move(matcher_), options_), map(map_), values(defaultValues_), defaultValues(defaultValues_)
             {
                 group_.Add(*this);
             }
@@ -4883,4 +4962,4 @@ namespace args
 
 #pragma pop_macro("min")
 #pragma pop_macro("max")
-#endif
+#endif
diff --git a/meson.build b/meson.build
@@ -77,6 +77,7 @@ test_names = [
   'required_flags',
   'simple_commands',
   'single_flag_repeat',
+  'safe_arithmetic',
   'subparser_commands',
   'subparser_commands_kickout',
   'subparser_group_validation',
diff --git a/test/safe_arithmetic.cxx b/test/safe_arithmetic.cxx
@@ -0,0 +1,199 @@
+#include "test_common.hxx"
+
+#include <args.hxx>
+
+#include "test_helpers.hxx"
+
+#include <iostream>
+#include <limits>
+
+/** Test suite for checked arithmetic functions
+ * 
+ * This test suite validates the SafeAdd and SafeMultiply helper functions
+ * that prevent integer overflow in width and allocation arithmetic.
+ */
+
+// Test SafeAdd with size_t (the primary type used in Wrap)
+void TestSafeAddSizeT()
+{
+    size_t result;
+
+    // Test normal addition
+    test::require(args::SafeAdd<size_t>(5, 10, result));
+    test::require(result == 15);
+    std::cout << "PASS: SafeAdd normal case (5 + 10 = 15)" << std::endl;
+
+    // Test addition at limit boundary
+    size_t max_val = std::numeric_limits<size_t>::max();
+    test::require_false(args::SafeAdd<size_t>(max_val, 1, result));
+    std::cout << "PASS: SafeAdd overflow detection (SIZE_MAX + 1)" << std::endl;
+
+    // Test addition near limit
+    test::require_false(args::SafeAdd<size_t>(max_val - 5, 10, result));
+    std::cout << "PASS: SafeAdd near-overflow detection (SIZE_MAX - 5 + 10)" << std::endl;
+
+    // Test addition with zero
+    test::require(args::SafeAdd<size_t>(0, 100, result));
+    test::require(result == 100);
+    std::cout << "PASS: SafeAdd with zero (0 + 100 = 100)" << std::endl;
+
+    // Test addition at exact boundary
+    test::require(args::SafeAdd<size_t>(max_val - 5, 5, result));
+    test::require(result == max_val);
+    std::cout << "PASS: SafeAdd exact boundary (SIZE_MAX - 5 + 5 = SIZE_MAX)" << std::endl;
+}
+
+// Test SafeMultiply with size_t
+void TestSafeMultiplySizeT()
+{
+    size_t result;
+
+    // Test normal multiplication
+    test::require(args::SafeMultiply<size_t>(5, 10, result));
+    test::require(result == 50);
+    std::cout << "PASS: SafeMultiply normal case (5 * 10 = 50)" << std::endl;
+
+    // Test multiplication that would overflow
+    size_t max_val = std::numeric_limits<size_t>::max();
+    test::require_false(args::SafeMultiply<size_t>(max_val, 2, result));
+    std::cout << "PASS: SafeMultiply overflow detection (SIZE_MAX * 2)" << std::endl;
+
+    // Test multiplication with zero
+    test::require(args::SafeMultiply<size_t>(0, 1000000, result));
+    test::require(result == 0);
+    std::cout << "PASS: SafeMultiply with zero (0 * 1000000 = 0)" << std::endl;
+
+    // Test large multiplications that overflow (for 64-bit systems)
+    // Use values that will definitely overflow
+    size_t large_val = 10000000000UL;  // 10 billion
+    test::require_false(args::SafeMultiply<size_t>(large_val, large_val, result));
+    std::cout << "PASS: SafeMultiply large value overflow (10B * 10B)" << std::endl;
+
+    // Test multiplication that doesn't overflow
+    size_t safe_val = 1000000UL;  // 1 million
+    test::require(args::SafeMultiply<size_t>(safe_val, safe_val, result));
+    test::require(result == safe_val * safe_val);
+    std::cout << "PASS: SafeMultiply safe value success (1M * 1M)" << std::endl;
+}
+
+// Test SafeAdd with int
+void TestSafeAddInt()
+{
+    int result;
+
+    // Test normal addition
+    test::require(args::SafeAdd<int>(100, 200, result));
+    test::require(result == 300);
+    std::cout << "PASS: SafeAdd int normal case (100 + 200 = 300)" << std::endl;
+
+    // Test negative number handling
+    test::require(args::SafeAdd<int>(-100, 50, result));
+    test::require(result == -50);
+    std::cout << "PASS: SafeAdd int with negative (-100 + 50 = -50)" << std::endl;
+
+    // Test negative operand underflow detection
+    test::require_false(args::SafeAdd<int>(std::numeric_limits<int>::min(), -1, result));
+    std::cout << "PASS: SafeAdd int underflow detection (INT_MIN + -1)" << std::endl;
+
+    // Test int overflow
+    int max_int = std::numeric_limits<int>::max();
+    test::require_false(args::SafeAdd<int>(max_int, 1, result));
+    std::cout << "PASS: SafeAdd int overflow detection (INT_MAX + 1)" << std::endl;
+}
+
+// Test SafeMultiply with int
+void TestSafeMultiplyInt()
+{
+    int result;
+
+    // Test normal multiplication
+    test::require(args::SafeMultiply<int>(10, 20, result));
+    test::require(result == 200);
+    std::cout << "PASS: SafeMultiply int normal case (10 * 20 = 200)" << std::endl;
+
+    // Test multiplication overflow
+    int max_int = std::numeric_limits<int>::max();
+    test::require_false(args::SafeMultiply<int>(max_int, 2, result));
+    std::cout << "PASS: SafeMultiply int overflow detection (INT_MAX * 2)" << std::endl;
+
+    // Test negative multiplication
+    test::require(args::SafeMultiply<int>(-10, 20, result));
+    test::require(result == -200);
+    std::cout << "PASS: SafeMultiply int negative (-10 * 20 = -200)" << std::endl;
+}
+
+// Test Wrap function with boundary conditions
+void TestWrapBoundaryConditions()
+{
+    // Test with very large width that could cause overflow
+    std::vector<std::string> words = {"hello", "world", "test"};
+    
+    // This should not cause overflow or crash
+    auto result = args::Wrap(words.begin(), words.end(), std::numeric_limits<size_t>::max());
+    test::require(!result.empty());
+    std::cout << "PASS: Wrap with SIZE_MAX width" << std::endl;
+
+    // Test with width of 1 (minimal width)
+    result = args::Wrap(words.begin(), words.end(), 1);
+    test::require(!result.empty());
+    std::cout << "PASS: Wrap with width = 1" << std::endl;
+
+    // Test with width of 0 (edge case)
+    result = args::Wrap(words.begin(), words.end(), 0);
+    test::require(!result.empty());
+    std::cout << "PASS: Wrap with width = 0" << std::endl;
+
+    // Test with empty words vector
+    std::vector<std::string> empty_words;
+    result = args::Wrap(empty_words.begin(), empty_words.end(), 80);
+    test::require(result.empty());
+    std::cout << "PASS: Wrap with empty words vector" << std::endl;
+
+    // Test with newline separator
+    std::vector<std::string> words_with_newline = {"hello", "\n", "world"};
+    result = args::Wrap(words_with_newline.begin(), words_with_newline.end(), 80);
+    test::require(result.size() >= 2);
+    std::cout << "PASS: Wrap with newline separator" << std::endl;
+}
+
+// Test Wrap function with large string input
+void TestWrapLargeStringInput()
+{
+    // Test with very long string that could trigger width calculation issues
+    std::string long_string(1000, 'a');
+    
+    auto result = args::Wrap(long_string, 80);
+    test::require(!result.empty());
+    std::cout << "PASS: Wrap long string (1000 chars) with width 80" << std::endl;
+
+    // Test with extremely large width
+    result = args::Wrap(long_string, std::numeric_limits<size_t>::max());
+    test::require(result.size() >= 1);
+    std::cout << "PASS: Wrap long string with SIZE_MAX width" << std::endl;
+
+    // Test with width of 1
+    result = args::Wrap(long_string, 1);
+    test::require(!result.empty());
+    std::cout << "PASS: Wrap long string with width 1" << std::endl;
+}
+
+// Main test runner
+int main()
+{
+    std::cout << "Starting Checked Arithmetic Test Suite\n" << std::endl;
+
+    std::cout << "=== SafeAdd Tests ===" << std::endl;
+    TestSafeAddSizeT();
+    TestSafeAddInt();
+
+    std::cout << "\n=== SafeMultiply Tests ===" << std::endl;
+    TestSafeMultiplySizeT();
+    TestSafeMultiplyInt();
+
+    std::cout << "\n=== Wrap Function Boundary Tests ===" << std::endl;
+    TestWrapBoundaryConditions();
+    TestWrapLargeStringInput();
+
+    std::cout << "\n=== All Tests Passed ===" << std::endl;
+    return 0;
+}
