cmlsharp/cs50-hardened.c

in GetInt
line 194, should you not also check INT_MIN ?

in GetString
line 280, pretty sure that should be < SIZE_MAX not <=...

line 308, why are you freeing the buffer and returning NULL if you couldn't allocate the minimal amount of space? You already have the input stored in the buffer, that part's just trying to minimize wasted space by freeing the unused space, if it can't manage to allocate that minimal space there's no reason to cause the function to "fail". Just return the full buffer or make an attempt with realloc to minimize it "in place" (not sure if realloc ever would do that, but it's a theoretical possibility). edit: 0 terminate before returning of course.

line 308 continuation-sort of: not sure if a capacity == n check would be worth it here or not (to decide if you already have a minimal buffer)... probably doesn't happen often enough to be worth the check unless you expand that suggestion to capacity - n > SOME_ACCEPTABLE_SIZE.

Fixed your first two critiques (thanks for that)

As for the t one, should I have it call realloc? If malloc failed to alocate memory why should realloc be able to? Would it be better to return a larger sized array? That means there are some inconsistencies with how the function operates I suppose but strlen() would still work as expected.

@crossroads1112

If you want to try everything possible to not waste space then call realloc, if not then just return the larger memory (the caller will never know the difference).

If malloc failed to alocate memory why should realloc be able to?

the man page for realloc says: "The realloc() function changes the size of the memory block pointed to by ptr to size bytes. The contents will be unchanged in the range from the start of the region up to the minimum of the old and new sizes."

It does not say that it necessarily mallocs memory of the new size, copies the memory and frees the old buffer, it says it changes the size. That means it could very will be written such that when the new size is smaller than the old size it simply adds a new node to the free memory list with a size of "current - new" and the address of ptr+new (or the equivalent if heap management hasn't been implemented using a linked list of free memory, http://web.eecs.utk.edu/~huangj/cs360/360/notes/Malloc2/lecture.html). Of course, it might simply decide that it doesn't care as long as it's as big as it's supposed to be. Depends on the implementation. Here's one for reference http://sourceforge.net/p/openfoam-extend/svn/717/tree//thirdparty/malloc/gmalloc/realloc.c, (I'm sure you could find others, ubuntu's source for instance, though I didn't feel like taking a couple hours to download a few hundred megabytes... https://wiki.ubuntu.com/Kernel/SourceCode).

@FreeER

Thanks lot for the explanation! Why would malloc() be used in the original implementation to create minimal at all? Why not just use realloc on buffer and avoid using strncpy()?

Edit: did some reading
http://www.iso-9899.info/wiki/Why_not_realloc

Calling realloc is sometimes slower than malloc and you are guaranteed not to lose your array if realloc were to fail.

After reading that an important thing to note with my modifications to GetString() would be that as the input approaches SIZE_MAX, it would progressively get slower as realloc() is somewhat expensive and would be called more and more often. I'm going to remove the capacity+=1 condition because it seems silly for realloc to be called for one single character.

I have to use realloc because in the case that capacity == n, I won't have room for the NULL byte. Thus I've updated my proposed solution above.

@crossroads1112

Ah, just noticed but you've introduced a bug on line 312. If minimal is NULL and realloc succeeds and it does so without moving the memory then since you set minimal to tmp which is the same place as the buffer and later free the buffer before returning, you've then freed the memory where minimal was pointing thus the pointer that you're returning to the caller doesn't point to valid memory.

you are guaranteed not to lose your array if realloc were to fail.

Isn't this guaranteed by realloc as well as long as you don't do something like:
buffer = realloc(buffer, newSize);

If realloc() fails the original block is left untouched; it is not freed or moved.

but yeah, I can see realloc being a bit slower since it has to handle multiple scenarios (you can see that just from the man page, NULL pointer makes it the equivalent of calling malloc, 0 size makes it the equivalent of free, then if it had to allocate memory elsewhere it has to copy the data etc.). However, In this scenario, where you're copying the data anyways, I'm not sure that malloc is really any better of a choice... and it'd be a bit simpler with just a realloc call... perhaps there's some extra detail I'm not seeing or maybe it was just what the dev chose to do without too much thought, after all, they didn't bother to check malloc's return now did they?

Yeah you're right about realloc. My bad. I've updated it again. Now it only returns NULL if n == capacity since there'd be no room for the NULL byte

Although this might not even be necessary since capacity is always increased if it is >= to n + 1

Also no strncpy means that string.h no longer need be included. I'll give it another look tomorrow and see if I can remove that check and that include

@crossroads1112, that bug I mentioned is still there, after you call realloc if minimal == buffer, you do not want to free buffer because they point to the same memory. Actually, now that you're using realloc only you don't want to free buffer at all, if it's pointing to the same memory you don't want to free it and if it's not then realloc freed it for you :)

Actually capacity only increases if it is > than capacity so that check is necessary. Oops Could also change it to >= I suppose but it's not necessary.

@FreeER so no calls to free() are necessary?

And if so, earlier in the function realloc is used on buffer and if it fails, buffer is freed manually. Is that necessary?

Nevermind. It's in the realloc man page. It doesn't free the pointer if it fails

Thanks for your help by the way! I didn't really know the inner workings of malloc/realloc/free (obviously) so this is really educational

@crossroads1112

was just looking over the code again 😄

GetInt 197: the INT_* comparisons should be <= and >=.

Everything else looks good to me however. And you're entirely welcome for any help I provided, I won't say that I'm an expert on any of this (I'd read about how malloc worked quite some time ago and remembered some here when it came up) but I'm comfortable with it and feel I understand it well enough to use it 😆

Is the user being able to input an empty string intended behaviour? Like, if you made sure that the GetString function ensured that it read a string of at least 1 character, then you wouldn't need the strlen() checks in the other functions.

Calling strlen() should not be necessary in any of your code. For example if (strlen(line) && is the same as if (strlen(line) != 0 &&, which is true if the first character (*line) is not 0 (alternatively written '\0').

Your usage of endptr after calling the strtoX functions isn't quite correct either. With the original sscanf format of, e.g., " %d %c", it accounts for leading and trailing whitespace, i.e., space characters before and after the integer (or float or whatever, depending on the format). strtoX functions only remove leading whitespace, not trailing whitespace, so you'd need to possibly skip more whitespace after the number to get to the '\0'.

Lastly, unless the type might be changed to a type with a greater width than char (e.g. short), it's redundant to use sizeof var. You're working with a sequence of char items, and there's no chance of the type changing from anything other than that since a string will forever be a sequence of char items (unless you decide to do something crazy like typedef int *string;). In other words, you don't need sizeof(*temp) on line 321 or sizeof(*minimal) on line 342 or anything like that because you're only working with char.