mirror of
https://github.com/flutter/flutter.git
synced 2026-02-20 02:29:02 +08:00
99e01e108a
## Description This PR replaces `wcslen` with `wcsnlen` in the Windows runner template and all example/dev/integration test files to address CWE-126 (Buffer Over-read) flagged by static analysis tools (Semgrep/GitLab SAST). ## Changes The `Utf8FromUtf16` function now uses `wcsnlen` with the `UNICODE_STRING_MAX_CHARS` constant (32767) as the maximum length, providing defensive programming against potential buffer over-reads. **Key improvements:** 1. Calculate `input_length` **first** using `wcsnlen(utf16_string, UNICODE_STRING_MAX_CHARS)` 2. Use that bounded length for **both** `WideCharToMultiByte` calls (eliminates the `-1` unbounded read) 3. Remove the `-1` adjustment since explicit length excludes null terminator 4. Use `static_cast` instead of C-style casts per Google C++ Style Guide ## Test Coverage Added comprehensive edge case tests for `Utf8FromUtf16` in `windows_startup_test`: - **nullptr input**: Verifies function returns empty string - **Empty string input**: Verifies function returns empty string - **Invalid UTF-16 (unpaired surrogate)**: Verifies function handles malformed input gracefully These tests address reviewer feedback from @loic-sharma requesting coverage for corner cases. ## Files Updated **Template (source of truth):** - `packages/flutter_tools/templates/app/windows.tmpl/runner/utils.cpp` **Integration tests (4 files):** - `dev/integration_tests/flutter_gallery/windows/runner/utils.cpp` - `dev/integration_tests/ui/windows/runner/utils.cpp` - `dev/integration_tests/windowing_test/windows/runner/utils.cpp` - `dev/integration_tests/windows_startup_test/windows/runner/utils.cpp` **Examples and dev apps (10 files):** - `examples/hello_world/windows/runner/utils.cpp` - `examples/layers/windows/runner/utils.cpp` - `examples/platform_view/windows/runner/utils.cpp` - `examples/flutter_view/windows/runner/utils.cpp` - `examples/platform_channel/windows/runner/utils.cpp` - `examples/api/windows/runner/utils.cpp` - `examples/multiple_windows/windows/runner/utils.cpp` - `dev/manual_tests/windows/runner/utils.cpp` - `dev/benchmarks/complex_layout/windows/runner/utils.cpp` - `dev/a11y_assessments/windows/runner/utils.cpp` **Test files (4 files):** - `dev/integration_tests/windows_startup_test/windows/runner/flutter_window.cpp` - `dev/integration_tests/windows_startup_test/lib/main.dart` - `dev/integration_tests/windows_startup_test/lib/windows.dart` - `dev/integration_tests/windows_startup_test/test_driver/main_test.dart` ## Rationale While the Windows API guarantees null-termination for strings returned by `CommandLineToArgvW`, using `wcsnlen` with an explicit bound is a defensive programming best practice that: - Satisfies static analysis tools - Provides an extra safety layer - Follows the principle of defense in depth The limit of 32767 (`UNICODE_STRING_MAX_CHARS`) is the maximum length of a `UNICODE_STRING` structure and is far beyond any realistic command-line argument length. ## Related Issues Fixes https://github.com/flutter/flutter/issues/180418 ## Pre-launch Checklist - [x] I read the [Contributor Guide] and followed the process outlined there for submitting PRs. - [x] I read the [Tree Hygiene] wiki page, which explains my responsibilities. - [x] I read and followed the [Flutter Style Guide], including [Features we expect every widget to implement]. - [x] I signed the [CLA]. - [x] I listed at least one issue that this PR fixes in the description above. - [x] I updated/added relevant documentation (doc comments with `///`). - [x] I added new tests to check the change I am making, or this PR is [test-exempt]. - [x] I followed the [breaking change policy] and labeled this PR with `severe: API break` if it contains a breaking change. - [x] All existing and new tests are passing. [Contributor Guide]: https://github.com/flutter/flutter/blob/master/docs/contributing/Tree-hygiene.md#overview [Tree Hygiene]: https://github.com/flutter/flutter/blob/master/docs/contributing/Tree-hygiene.md [test-exempt]: https://github.com/flutter/flutter/blob/master/docs/contributing/Tree-hygiene.md#tests [Flutter Style Guide]: https://github.com/flutter/flutter/blob/master/docs/contributing/Style-guide-for-Flutter-repo.md [Features we expect every widget to implement]: https://github.com/flutter/flutter/blob/master/docs/contributing/Style-guide-for-Flutter-repo.md#features-we-expect-every-widget-to-implement [CLA]: https://cla.developers.google.com/ [breaking change policy]: https://github.com/flutter/flutter/blob/master/docs/contributing/Tree-hygiene.md#breaking-changes
74 lines
2.3 KiB
C++
74 lines
2.3 KiB
C++
// Copyright 2014 The Flutter Authors. All rights reserved.
|
|
// Use of this source code is governed by a BSD-style license that can be
|
|
// found in the LICENSE file.
|
|
|
|
#include "utils.h"
|
|
|
|
#include <flutter_windows.h>
|
|
#include <io.h>
|
|
#include <stdio.h>
|
|
#include <windows.h>
|
|
|
|
#include <iostream>
|
|
|
|
void CreateAndAttachConsole() {
|
|
if (::AllocConsole()) {
|
|
FILE *unused;
|
|
if (freopen_s(&unused, "CONOUT$", "w", stdout)) {
|
|
_dup2(_fileno(stdout), 1);
|
|
}
|
|
if (freopen_s(&unused, "CONOUT$", "w", stderr)) {
|
|
_dup2(_fileno(stdout), 2);
|
|
}
|
|
std::ios::sync_with_stdio();
|
|
FlutterDesktopResyncOutputStreams();
|
|
}
|
|
}
|
|
|
|
std::vector<std::string> GetCommandLineArguments() {
|
|
// Convert the UTF-16 command line arguments to UTF-8 for the Engine to use.
|
|
int argc;
|
|
wchar_t** argv = ::CommandLineToArgvW(::GetCommandLineW(), &argc);
|
|
if (argv == nullptr) {
|
|
return std::vector<std::string>();
|
|
}
|
|
|
|
std::vector<std::string> command_line_arguments;
|
|
|
|
// Skip the first argument as it's the binary name.
|
|
for (int i = 1; i < argc; i++) {
|
|
command_line_arguments.push_back(Utf8FromUtf16(argv[i]));
|
|
}
|
|
|
|
::LocalFree(argv);
|
|
|
|
return command_line_arguments;
|
|
}
|
|
|
|
std::string Utf8FromUtf16(const wchar_t* utf16_string) {
|
|
if (utf16_string == nullptr) {
|
|
return std::string();
|
|
}
|
|
// First, find the length of the string with a safe upper bound (CWE-126).
|
|
// UNICODE_STRING_MAX_CHARS (32767) is the maximum length of a UNICODE_STRING.
|
|
int input_length = static_cast<int>(wcsnlen(utf16_string, UNICODE_STRING_MAX_CHARS));
|
|
// Now use that bounded length to determine the required buffer size.
|
|
// When an explicit length is passed, WideCharToMultiByte does not include
|
|
// the null terminator in its returned size.
|
|
int target_length = ::WideCharToMultiByte(
|
|
CP_UTF8, WC_ERR_INVALID_CHARS, utf16_string,
|
|
input_length, nullptr, 0, nullptr, nullptr);
|
|
std::string utf8_string;
|
|
if (target_length == 0 || static_cast<size_t>(target_length) > utf8_string.max_size()) {
|
|
return utf8_string;
|
|
}
|
|
utf8_string.resize(target_length);
|
|
int converted_length = ::WideCharToMultiByte(
|
|
CP_UTF8, WC_ERR_INVALID_CHARS, utf16_string,
|
|
input_length, utf8_string.data(), target_length, nullptr, nullptr);
|
|
if (converted_length == 0) {
|
|
return std::string();
|
|
}
|
|
return utf8_string;
|
|
}
|