add stpcpy_s

implemented from scratch, an optimized variant of strcpy_s.
Note that the intel fork also has it, with the same API.

This adds a src termination check, when src is static.

configure.ac

@@ -873,7 +873,7 @@ AC_CHECK_FUNCS([ memset strcmp strcasecmp strcasestr strcspn strpbrk strspn \
         vswprintf vsnwprintf vswscanf mbsrtowcs mbstowcs iswdigit iswspace \
         towlower towupper towctrans bcmp secure_getenv timingsafe_memcmp \
         timingsafe_bcmp explicit_bzero explicit_memset \
-        asctime_r ctime_r gmtime_r localtime_r memccpy])
+        asctime_r ctime_r gmtime_r localtime_r memccpy stpcpy])
 
 dnl add the extensions, pretending we want them
 echo "#define __STDC_WANT_LIB_EXT1__  1" >>confdefs.h

include/safe_str_lib.h

@@ -245,6 +245,14 @@ EXTERN size_t strerrorlen_s(errno_t errnum);
 
 #ifndef SAFECLIB_DISABLE_EXTENSIONS
 
+/* improved strcpy */
+EXTERN char *_stpcpy_s_chk(char *restrict dest, rsize_t dmax,
+                           const char *restrict src, errno_t *restrict errp,
+                           const size_t destbos, const size_t srcbos)
+  BOS_CHK(dest) BOS_NULL(src) BOS_NULL(errp);
+#define stpcpy_s(dest, dmax, src, errp)                                     \
+    _stpcpy_s_chk(dest, dmax, src, errp, BOS(dest), BOS(src))
+
 /* string compare */
 EXTERN errno_t _strcmp_s_chk(const char *dest, rsize_t dmax, const char *src,
                              int *resultp, const size_t destbos,

src/Makefile.am

@@ -85,6 +85,7 @@ STD_UNSAFE_FILES = \
 	io/tmpnam_s.c
 
 EXT_STR_FILES = \
+	extstr/stpcpy_s.c            \
 	extstr/strcasecmp_s.c        \
 	extstr/strcasestr_s.c        \
 	extstr/strcmp_s.c            \

src/extstr/stpcpy_s.c

@@ -0,0 +1,252 @@
+/*------------------------------------------------------------------
+ * stpcpy_s.c
+ *
+ * November 2020, Reini Urban
+ *
+ * Copyright (c) 2020 by Reini Urban
+ * All rights reserved.
+ *
+ * Permission is hereby granted, free of charge, to any person
+ * obtaining a copy of this software and associated documentation
+ * files (the "Software"), to deal in the Software without
+ * restriction, including without limitation the rights to use,
+ * copy, modify, merge, publish, distribute, sublicense, and/or
+ * sell copies of the Software, and to permit persons to whom the
+ * Software is furnished to do so, subject to the following
+ * conditions:
+ *
+ * The above copyright notice and this permission notice shall be
+ * included in all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+ * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES
+ * OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+ * NONINFRINGEMENT.  IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT
+ * HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY,
+ * WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
+ * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
+ * OTHER DEALINGS IN THE SOFTWARE.
+ *------------------------------------------------------------------
+ */
+
+#ifdef FOR_DOXYGEN
+#include "safe_str_lib.h"
+#else
+#include "safeclib_private.h"
+#endif
+
+/* TODO not via the naive byte copy, but aligned long word copy
+   via the (((X) - 0x0101010101010101) & ~(X) & 0x8080808080808080)
+   trick */
+
+/**
+ * @def stpcpy_s(dest,dmax,src,errp)
+ * @brief
+ *    The stpcpy_s function copies the string pointed to by src
+ *    (including the terminating null character) into the array
+ *    pointed to by dest. The strings my not overlap.
+ *    With SAFECLIB_STR_NULL_SLACK defined all elements following the
+ *    terminating null character (if any) written by stpcpy_s in the
+ *    array of dmax characters pointed to by dest are nulled when
+ *    stpcpy_s returns.
+ *    With modern compilers and constant arguments most errors
+ *    will be caught at compile-time.
+ *
+ * @remark SPECIFIED IN
+ *    * Since glibc 2.10:  _POSIX_C_SOURCE >= 200809L
+ *    * Before glibc 2.10:  _GNU_SOURCE
+ *
+ * @param[out]  dest  pointer to string that will be replaced by src.
+ * @param[in]   dmax  restricted maximum length of dest
+ * @param[in]   src   pointer to the string that will be copied to dest
+ * @param[out]  err   EOK        when successful operation, the characters in src were
+ *                               copied into dest and the result is null terminated.
+ *                    ESNULLP    when dest or src is a NULL pointer
+ *                    ESZEROL    when dmax = 0
+ *                    ESLEMAX    when dmax > RSIZE_MAX_STR
+ *                    EOVERFLOW  when dmax > size of dest (optionally, when the compiler
+ *                               knows the object_size statically)
+ *                    ESLEWRNG   when dmax != size of dest and --enable-error-dmax
+ *                    ESUNTERM   when src is unterminated
+ *                    ESOVRLP    when strings overlap
+ *                    ESNOSPC    when dest < src
+ *
+ * @pre Neither dest, src nor err nor shall be a null pointer.
+ * @pre dmax shall be size of dest
+ * @pre dmax shall not be greater than RSIZE_MAX_STR or size of dest.
+ * @pre dmax shall not equal zero.
+ * @pre dmax shall be greater than strnlen_s(src, dmax).
+ * @pre Copying shall not take place between objects that overlap.
+ *
+ * @note C11 uses RSIZE_MAX, not RSIZE_MAX_STR.
+ *
+ * @return  stpcpy_s() returns a pointer to the end of the string dest (that is,
+ *          the address of the terminating null byte) rather than the beginning.
+ * @return  If there is a runtime-constraint violation, and if dest
+ *          and dmax are valid, then stpcpy_s nulls dest.
+ *
+ * @see
+ *    stpncpy_s(), strcpy_s(), strncpy_s()
+ *
+ */
+#ifdef FOR_DOXYGEN
+char *stpcpy_s(char *restrict dest, rsize_t dmax, const char *restrict src,
+               errno_t *restrict err)
+#else
+EXPORT char *_stpcpy_s_chk(char *restrict dest, rsize_t dmax,
+                           const char *restrict src, errno_t *restrict err,
+                           const size_t destbos, const size_t srcbos)
+#endif
+{
+    rsize_t orig_dmax = dmax;
+    char* orig_dest = dest;
+    const char *overlap_bumper;
+    size_t slen;
+
+    if (unlikely(err == NULL)) {
+        invoke_safe_str_constraint_handler("stpcpy_s: err is null",
+                                           (void *)dest, ESNULLP);
+        return NULL;
+    }
+    if (unlikely(dest == NULL)) {
+        invoke_safe_str_constraint_handler("stpcpy_s: dest is null",
+                                           (void *)dest, ESNULLP);
+        *err = RCNEGATE(ESNULLP);
+        return NULL;
+    }
+    if (unlikely(dmax == 0)) {
+        invoke_safe_str_constraint_handler("stpcpy_s: dmax is 0", (void *)dest,
+                                           ESNULLP);
+        *err = RCNEGATE(ESZEROL);
+        return NULL;
+    }
+    if (destbos == BOS_UNKNOWN) {
+        if (unlikely(dmax > RSIZE_MAX_STR)) {
+            invoke_safe_str_constraint_handler("stpcpy_s: dmax exceeds max",
+                                               (void *)dest, ESLEMAX);
+            *err = RCNEGATE(ESLEMAX);
+            return NULL;
+        }
+        BND_CHK_PTR_BOUNDS(dest, dmax);
+    } else {
+        if (unlikely(dmax > destbos)) {
+            if (dmax > RSIZE_MAX_STR) {
+                handle_error(dest, destbos, "stpcpy_s: dmax exceeds max",
+                             ESLEMAX);
+                *err = RCNEGATE(ESLEMAX);
+                return NULL;
+            } else {
+                *err = handle_str_bos_overload("stpcpy_s: dmax exceeds dest",
+                                               (char *)dest, destbos);
+                return NULL;
+            }
+        }
+    }
+    if (unlikely(src == NULL)) {
+        handle_error(dest, _BOS_KNOWN(dest) ? BOS(dest) : dmax,
+                     "strpcpy_s: src is null", ESNULLP);
+        *err = RCNEGATE(ESNULLP);
+        return NULL;
+    }
+    slen = 0;
+
+    if (unlikely(dest == src)) {
+        /* walk to the terminating null character */
+        while (dmax > 0) {
+            if (*dest == '\0') {
+                goto eok;
+            }
+            dmax--;
+            dest++;
+        }
+        goto enospc;
+    }
+
+    if (dest < src) {
+        overlap_bumper = src;
+
+        while (dmax > 0) {
+            if (unlikely(dest == overlap_bumper)) {
+                handle_error(orig_dest, orig_dmax,
+                             "stpcpy_s: "
+                             "overlapping objects",
+                             ESOVRLP);
+                *err = RCNEGATE(ESOVRLP);
+                return NULL;
+            }
+
+            *dest = *src;
+            if (*dest == '\0')
+                goto eok;
+            dmax--;
+            slen++;
+            dest++;
+            src++;
+            /* sentinel srcbos -1 = ULONG_MAX */
+            if (unlikely(slen >= srcbos)) {
+                invoke_safe_str_constraint_handler("stpcpy_s: src unterminated",
+                                                   (void *)src, ESUNTERM);
+                *err = RCNEGATE(ESUNTERM);
+                return NULL;
+            }
+        }
+    } else {
+        overlap_bumper = dest;
+
+        while (dmax > 0) {
+            if (unlikely(src == overlap_bumper)) {
+                handle_error(orig_dest, orig_dmax,
+                             "stpcpy_s: "
+                             "overlapping objects",
+                             ESOVRLP);
+                *err = RCNEGATE(ESOVRLP);
+                return NULL;
+            }
+
+            *dest = *src;
+            if (*dest == '\0') {
+              eok:
+#ifdef SAFECLIB_STR_NULL_SLACK
+                /* null slack to clear any data */
+                if (dmax > 0x20)
+                    memset(dest, 0, dmax);
+                else {
+                    while (dmax) {
+                        *dest = '\0';
+                        dmax--;
+                        dest++;
+                    }
+                }
+#endif
+                *err = RCNEGATE(EOK);
+                return dest;
+            }
+
+            dmax--;
+            slen++;
+            dest++;
+            src++;
+            if (unlikely(slen >= srcbos)) {
+                invoke_safe_str_constraint_handler("stpcpy_s: src unterminated",
+                                                   (void *)src, ESUNTERM);
+                *err = RCNEGATE(ESUNTERM);
+                return NULL;
+            }
+        }
+    }
+
+  enospc:
+    /*
+     * the entire src must have been copied, if not reset dest
+     * to null the string. (only with SAFECLIB_STR_NULL_SLACK)
+     */
+    handle_error(orig_dest, orig_dmax,
+                 "stpcpy_s: not enough space for src",
+                 ESNOSPC);
+    *err = RCNEGATE(ESNOSPC);
+    return NULL;
+}
+#ifdef __KERNEL__
+EXPORT_SYMBOL(_stpcpy_s_chk);
+#endif /* __KERNEL__ */
+

src/extstr/strcmp_s.c

@@ -62,7 +62,7 @@
  * @retval   0         when strings the same
  * @retval  <0         when dest less than src
  * @retval  EOK        when comparison is complete
- * @retval  ESUNTERM   when dest or src is unterminated, or dmax is too small.
+ * @retval  ESUNTERM   when src is unterminated
  * @retval  ESNULLP    when dest/src/resultp is NULL pointer
  * @retval  ESZEROL    when dmax = 0
  * @retval  ESLEMAX    when dmax > RSIZE_MAX_STR

tests/Makefile.am

@@ -118,6 +118,7 @@ SAFEC_BUILT_TESTS += \
 	t_memzero_s           \
 	t_memzero32_s         \
 	t_memzero16_s         \
+	t_stpcpy_s            \
 	t_strcasecmp_s        \
 	t_strcasestr_s        \
 	t_strcmp_s            \
@@ -429,6 +430,7 @@ t_memset16_s_SOURCES          = test_memset16_s.c $(SAFEC_TEST_COMMON) test_expm
 t_memzero_s_SOURCES           = test_memzero_s.c $(SAFEC_TEST_COMMON) test_expmem.h
 t_memzero32_s_SOURCES         = test_memzero32_s.c $(SAFEC_TEST_COMMON) test_expmem.h
 t_memzero16_s_SOURCES         = test_memzero16_s.c $(SAFEC_TEST_COMMON) test_expmem.h
+t_stpcpy_s_SOURCES            = test_stpcpy_s.c $(SAFEC_TEST_COMMON)
 t_strcasecmp_s_SOURCES        = test_strcasecmp_s.c $(SAFEC_TEST_COMMON)
 t_strcasestr_s_SOURCES        = test_strcasestr_s.c $(SAFEC_TEST_COMMON)
 t_strcmpfld_s_SOURCES         = test_strcmpfld_s.c $(SAFEC_TEST_COMMON)

tests/test_msvcrt.h

@@ -116,6 +116,7 @@ void _errno_msvc(const int n, const int winerr, int *errp, const char *f,
 #undef wmemcmp_s
 #undef strcat_s
 #undef strcpy_s
+#undef stpcpy_s
 #undef strncat_s
 #undef strncpy_s
 #undef strnlen_s