Release v03032018 3.3.0

See ChangeLog

Author: rurban

ChangeLog

@@ -1,7 +1,7 @@
 
                 ChangeLog file for safeclib
 
-Changes in v??032018 3.3.0
+Changes in v03032018 3.3.0
         - Added compile-time and run-time object_size checks (BOS), resulting
           in EOVERFLOW error codes. Compilers only do this reliably with static
           arrays, less so with literal strings. With known static allocation size
@@ -15,7 +15,7 @@ Changes in v??032018 3.3.0
           memcpy native, with gcc only 77% slower.
           Added more benchmarks and improved the timing.
         - Made the unsafe functions snprintf_s, vsnprintf_s, snwprintf_s, vsnwprintf_s
-          safe by guaranteeing null termination. Only tmpnam_s remains unsafe.
+          safe by guaranteeing null termination. Only tmpnam_s remains unsafe. (GH #52)
         - Added strnatcmp_s, strnatcasecmp_s
         - Add --disable-constraint-handler option. undef the run-time
           invoke_safe_{str,mem}_constraint_handler function calls
@@ -45,7 +45,7 @@ Changes in v??032018 3.3.0
         - More hardening with gcc-7.3/clang-7: Probe for -Wl,-z,textonly and
           -Wl,-z,retpolineplt, currently only with lld-7
         - Fixed wcsnorm_compose_s >RSIZE_MAX_WSTR integer overflow
-        - Fixed overlap checks to be C11 conformant, cast to uintptr_t.
+        - Fixed overlap checks to be C11 conformant, cast to uintptr_t. (GH #51)
         - add strnatcmp_s, add strcmp_s src overflow checks,
           ESUNTERM for src to avoid overflows
         - Reworked C11 compatibility to closer align with the existing Windows+BSD

Makefile.am

@@ -620,4 +620,3 @@ release: docs distcheck
 	git commit -m"Update to v`date +%d%m%Y`"
 	git push
 	git checkout master
-	build-tools/autogen.sh

README

@@ -93,9 +93,8 @@ The TR24731 specification says an implementation may set errno for the
 functions defined in the technical report, but is not required to.
 This library does not set `errno` in most functions, only in
 bsearch_s, fscanf_s, fwscanf_s, gets_s, gmtime_s, localtime_s,
-scanf_s, sprintf_s, sscanf_s, swprintf_s, swscanf_s, strtok_s, vfscanf_s,
-vfwscanf_s, vsscanf_s vsprintf_s, vswprintf_s, vswscanf_s, wcstok_s,
-wscanf_s.
+scanf_s, sscanf_s, swscanf_s, strtok_s, vfscanf_s,
+vfwscanf_s, vsscanf_s, vswscanf_s, wcstok_s, wscanf_s.
 
 In most cases the safeclib extended ES* errors do not set errno, only
 when the underlying insecure system call fails, errno is set.  The
@@ -113,11 +112,14 @@ Per the spec, multiple runtime-constraint violations in the same call to a
 library function result in only one call to the runtime-constraint handler.
 The first violation encountered invokes the runtime-constraint handler.
 
+With `--disable-constraint-handler` calling the runtime-constraint handler
+can be disabled, saving some memory, but not much run-time performance.
+
 The runtime-constraint handler might not return. If the handler does
 return, the library function whose runtime-constraint was violated
 returns an indication of failure as given by the function’s return.
 With valid dest and dmax values, dest is cleared. With the optional
---disable-null-slack only the first value of dest is cleared,
+`--disable-null-slack` only the first value of dest is cleared,
 otherwise the whole dest buffer.
 
 rsize_t::
@@ -141,9 +143,9 @@ are performed at compile-time.  Currently only since clang-5 with
 `diagnose_if` support. This checks similar to `_FORTIFY_SOURCE=2` if
 the `__builtin_object_size` of the dest buffer is the same size as
 dmax, and errors if dmax is too big. With the optional
---enable-warn-dmax it prints a warning if the sizes are different,
+`--enable-warn-dmax` it prints a warning if the sizes are different,
 which is esp. practical as compile-time warning. It can be promoted
-via the optional --enable-error-dmax to be fatal. On unsupported
+via the optional `--enable-error-dmax` to be fatal. On unsupported
 compilers, the overflow check and optional equality warn-dmax check is
 deferred to run-time. This check is only possible with
 `__builtin_object_size` and `-O2` when the dest buffer size is known
@@ -152,11 +154,14 @@ at compile-time, otherwise only the simplier `dest == NULL`, `dmax ==
 
 * Header Files
 
-The specification states the various functions would be added to existing
-Standard C header files: stdio.h, string.h, etc.  This implementation
-separates the memory related functions into the `safe_mem_lib.h` header, the
-string related functions into the `safe_str_lib.h` header, and the rest into
-the `safe_lib.h` header.
+The specification states the various functions would be added to
+existing Standard C header files: stdio.h, string.h, etc.  This
+implementation separates the memory related functions into the
+`safe_mem_lib.h` header, the string related functions into the
+`safe_str_lib.h` header, and the rest into the `safe_lib.h`
+header. There are also the internal `safe_compile.h`, `safe_config.h`
+`safe_lib_errno.h` and `safe_types.h` headers, but they do not need to
+be included.
 
 The make file builds a single library `libsafec-VERSION.a` and `.so` in the
 `src/.libs` directory.
@@ -256,7 +261,7 @@ with most available compilers. See `build-tools/smoke.sh`.
 Known Issues
 ------------
 1. If you are building the library from the git repository you will have to
-   first run build-tools/autogen.sh which runs autoreconf to ``install'' the
+   first run `build-tools/autogen.sh` which runs autoreconf to ``install'' the
    autotools files and create the configure script.
 
 [bibliography]

doc/libc-overview.md

@@ -10,11 +10,12 @@ From the following tested libc implementations:
 * FreeBSD and DragonFly libc
 * FreeBSD-derived darwin libc
 * OpenBSD libc
-* newlib
+* newlib (Cygwin)
 * dietlibc
 * uClibc
 * minilibc
-* Microsoft Windows w/ secure API
+* Microsoft Windows under wine
+* Microsoft Windows msvcrt and ulibc w/ secure API
 * Android Bionic
 * Embarcadero C++ libc
 
@@ -49,12 +50,9 @@ See also http://crashcourse.housegordon.org/coreutils-multibyte-support.html
 
 # C11 Annex K/safec caveats
 
-* `snprintf_s`, `vsnprintf_s`, `snwprintf_s`, `vsnwprintf_s`, `tmpnam_s`:
+* `tmpnam_s`:
 
-  They are all considered unsafe. The 4 'n' truncating printf versions
-  don't guarantee null-delimited destination buffers.
-
-* `tmpnam_s` and `tmpnam` are racy.
+  Is considered unsafe. `tmpnam_s` and `tmpnam` are racy.
 
 * `sprintf_s` and `vsprintf_s` retval on errors.
 
@@ -90,14 +88,15 @@ See also http://crashcourse.housegordon.org/coreutils-multibyte-support.html
 
 * no `RSIZE_MAX`
 
-* `memmove_s` does not clear dest with ERANGE when count > dmax and EINVAL when
+* `memmove_s` does not clear dest with ERANGE when `count > dmax` and EINVAL when
   src is a NULL pointer.
 
 * `vsprintf_s`, `sprintf_s` return `-1` on all errors, not just encoding errors.
   (Wrong standard)
 
-* With `wcsrtombs` (used by `wcsrtomb_s`) the `*retval` result includes the terminating
-  zero, i.e. the result is `+1` from the spec.
+* With `wcsrtombs` (used by `wcsrtomb_s`) the `*retval` result
+  includes the terminating zero, i.e. the result is `+1` from the
+  spec.
 
 ## safeclib
 
@@ -194,4 +193,4 @@ compile-time known sizes the FORTIFY `_chk` extension secures against
 overflows, but not against dynamically allocated buffers. This library
 was written 2008 under the MIT license, thanks Cisco.
 
-Reini Urban 2017
+Reini Urban 2018