From: Lennart Poettering <lennart@poettering.net>
Date: Wed, 18 Aug 2021 12:03:10 +0000 (+0200)
Subject: stdio-util: give snprintf_ok() some love
X-Git-Tag: v250-rc1~805^2~3
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=3832cb90ba1557d5fe0e24f0b280bfefe44a2406;p=thirdparty%2Fsystemd.git

stdio-util: give snprintf_ok() some love

as per docs snprintf() can fail in which case it returns -1. The
snprintf_ok() macro so far unconditionally cast the return value of
snprintf() to size_t, which would turn -1 to (size_t) INT_MAX,
presumably, at least on 2 complements system.

Let's be more careful with types here, and first check if return value
is positive, before casting to size_t.

Also, while we are at it, let's return the input buffer as return value
or NULL instead of 1 or 0. It's marginally more useful, but more
importantly, is more inline with most of our other codebase that
typically doesn't use booleans to signal success.

All uses of snprintf_ok() don't care for the type of the return, hence
this change does not propagate anywhere else.
---

diff --git a/src/basic/stdio-util.h b/src/basic/stdio-util.h
index 0ed48b3fd4b..69d7062ec6f 100644
--- a/src/basic/stdio-util.h
+++ b/src/basic/stdio-util.h
@@ -9,8 +9,13 @@
 #include "macro.h"
 #include "memory-util.h"
 
-#define snprintf_ok(buf, len, fmt, ...) \
-        ((size_t) snprintf(buf, len, fmt, __VA_ARGS__) < (len))
+#define snprintf_ok(buf, len, fmt, ...)                                \
+        ({                                                             \
+                char *_buf = (buf);                                    \
+                size_t _len = (len);                                   \
+                int _snpf = snprintf(_buf, _len, (fmt), __VA_ARGS__);  \
+                _snpf >= 0 && (size_t) _snpf < _len ? _buf : NULL;     \
+        })
 
 #define xsprintf(buf, fmt, ...) \
         assert_message_se(snprintf_ok(buf, ELEMENTSOF(buf), fmt, __VA_ARGS__), "xsprintf: " #buf "[] must be big enough")