## Description
This PR replaces `wcslen` with `wcsnlen` in the Windows runner template
and all example/dev/integration test files to address CWE-126 (Buffer
Over-read) flagged by static analysis tools (Semgrep/GitLab SAST).
## Changes
The `Utf8FromUtf16` function now uses `wcsnlen` with the
`UNICODE_STRING_MAX_CHARS` constant (32767) as the maximum length,
providing defensive programming against potential buffer over-reads.
**Key improvements:**
1. Calculate `input_length` **first** using `wcsnlen(utf16_string,
UNICODE_STRING_MAX_CHARS)`
2. Use that bounded length for **both** `WideCharToMultiByte` calls
(eliminates the `-1` unbounded read)
3. Remove the `-1` adjustment since explicit length excludes null
terminator
4. Use `static_cast` instead of C-style casts per Google C++ Style Guide
## Test Coverage
Added comprehensive edge case tests for `Utf8FromUtf16` in
`windows_startup_test`:
- **nullptr input**: Verifies function returns empty string
- **Empty string input**: Verifies function returns empty string
- **Invalid UTF-16 (unpaired surrogate)**: Verifies function handles
malformed input gracefully
These tests address reviewer feedback from @loic-sharma requesting
coverage for corner cases.
## Files Updated
**Template (source of truth):**
- `packages/flutter_tools/templates/app/windows.tmpl/runner/utils.cpp`
**Integration tests (4 files):**
- `dev/integration_tests/flutter_gallery/windows/runner/utils.cpp`
- `dev/integration_tests/ui/windows/runner/utils.cpp`
- `dev/integration_tests/windowing_test/windows/runner/utils.cpp`
- `dev/integration_tests/windows_startup_test/windows/runner/utils.cpp`
**Examples and dev apps (10 files):**
- `examples/hello_world/windows/runner/utils.cpp`
- `examples/layers/windows/runner/utils.cpp`
- `examples/platform_view/windows/runner/utils.cpp`
- `examples/flutter_view/windows/runner/utils.cpp`
- `examples/platform_channel/windows/runner/utils.cpp`
- `examples/api/windows/runner/utils.cpp`
- `examples/multiple_windows/windows/runner/utils.cpp`
- `dev/manual_tests/windows/runner/utils.cpp`
- `dev/benchmarks/complex_layout/windows/runner/utils.cpp`
- `dev/a11y_assessments/windows/runner/utils.cpp`
**Test files (4 files):**
-
`dev/integration_tests/windows_startup_test/windows/runner/flutter_window.cpp`
- `dev/integration_tests/windows_startup_test/lib/main.dart`
- `dev/integration_tests/windows_startup_test/lib/windows.dart`
-
`dev/integration_tests/windows_startup_test/test_driver/main_test.dart`
## Rationale
While the Windows API guarantees null-termination for strings returned
by `CommandLineToArgvW`, using `wcsnlen` with an explicit bound is a
defensive programming best practice that:
- Satisfies static analysis tools
- Provides an extra safety layer
- Follows the principle of defense in depth
The limit of 32767 (`UNICODE_STRING_MAX_CHARS`) is the maximum length of
a `UNICODE_STRING` structure and is far beyond any realistic
command-line argument length.
## Related Issues
Fixes https://github.com/flutter/flutter/issues/180418
## Pre-launch Checklist
- [x] I read the [Contributor Guide] and followed the process outlined
there for submitting PRs.
- [x] I read the [Tree Hygiene] wiki page, which explains my
responsibilities.
- [x] I read and followed the [Flutter Style Guide], including [Features
we expect every widget to implement].
- [x] I signed the [CLA].
- [x] I listed at least one issue that this PR fixes in the description
above.
- [x] I updated/added relevant documentation (doc comments with `///`).
- [x] I added new tests to check the change I am making, or this PR is
[test-exempt].
- [x] I followed the [breaking change policy] and labeled this PR with
`severe: API break` if it contains a breaking change.
- [x] All existing and new tests are passing.
[Contributor Guide]:
https://github.com/flutter/flutter/blob/master/docs/contributing/Tree-hygiene.md#overview
[Tree Hygiene]:
https://github.com/flutter/flutter/blob/master/docs/contributing/Tree-hygiene.md
[test-exempt]:
https://github.com/flutter/flutter/blob/master/docs/contributing/Tree-hygiene.md#tests
[Flutter Style Guide]:
https://github.com/flutter/flutter/blob/master/docs/contributing/Style-guide-for-Flutter-repo.md
[Features we expect every widget to implement]:
https://github.com/flutter/flutter/blob/master/docs/contributing/Style-guide-for-Flutter-repo.md#features-we-expect-every-widget-to-implement
[CLA]: https://cla.developers.google.com/
[breaking change policy]:
https://github.com/flutter/flutter/blob/master/docs/contributing/Tree-hygiene.md#breaking-changes
Previously, we were comparing the signed int `target_length` (returned by WideCharToMultiByte) to a size_t string length, resulting in a signed/unsigned comparison warning as follows:
```
windows\runner\utils.cpp(54,43): warning C4018: '>': signed/unsigned mismatch
```
WideCharToMultiByte returns:
* 0 on error
* the number of bytes written to the buffer pointed to by its fifth parameter, lpMultiByteStr, on success.
As a result it's safe to store the return value in an unsigned int, which eliminates the warning.
No changes to tests since this is dependent on end-user project settings/modifications and does not trigger a warning with default project settings.
Fixes: https://github.com/flutter/flutter/issues/134227
This patch adds an additional check to ensure the target length of a string is within the supported maximum string length prior to calling WideCharToMultiByte/MultiByteToWideChar in the Windows runner template.
This is to prevent resize() from failing if called with a count > std::string::max_size().
According to Win32 API docs (WideCharToMultiByte, MultiByteToWideChar) it's the caller responsibility to make sure the buffers are correctly allocated.
Authored by: Tomasz Gucio <tgucio@gmail.com>
This extracts the sample code out from the API doc comments, and places them in separate files on disk, allowing running of the examples locally, testing them, and building of slightly larger examples.
