author | Christophe Grenier <[email protected]> | 2024-01-01 20:06:54 +0100 |
---|---|---|
committer | Christophe Grenier <[email protected]> | 2024-01-01 20:06:54 +0100 |
commit | a6447a48e1e2c7a7c15e8bead720b3a54fc983a6 (patch) | |
tree | 2497aedf202b12a93797e6ec1e20e5efa42a16ce | |
parent | 0b684f1ece91c0398d5ef4665a6f3c42fb4af5c9 (diff) |
src/file_tiff_*.c: improve Frama-C annotations
-rw-r--r-- | src/file_tiff.h | 1 | ||||
-rw-r--r-- | src/file_tiff_be.c | 59 | ||||
-rw-r--r-- | src/file_tiff_le.c | 7 |
3 files changed, 42 insertions, 25 deletions
diff --git a/src/file_tiff.h b/src/file_tiff.h
index 12df8161..6e84ca4e 100644
--- a/src/file_tiff.h
+++ b/src/file_tiff.h
@@ -91,6 +91,7 @@ unsigned int find_tag_from_tiff_header(const unsigned char *buffer, const unsign
 @ requires \valid_read(buffer+(0..tiff_size-1));
 @ requires \valid(potential_error);
 @ requires \separated(potential_error, buffer);
+ @ terminates \true;
 @ assigns *potential_error;
 @*/
 unsigned int find_tag_from_tiff_header_le(const unsigned char *buffer, const unsigned int tiff_size, const unsigned int tag, const unsigned char**potential_error);
diff --git a/src/file_tiff_be.c b/src/file_tiff_be.c
index 4e2d7fb1..76b05db5 100644
--- a/src/file_tiff_be.c
+++ b/src/file_tiff_be.c
@@ -55,6 +55,7 @@ static const char *extension_pef="pef";
 #ifndef MAIN_tiff_le
 /*@
 @ requires \valid_read(buffer+(0..tiff_size-1));
+ @ terminates \true;
 @ ensures \result <= 0xffff;
 @ assigns \nothing;
 @ */
@@ -79,6 +80,7 @@ static unsigned int get_nbr_fields_be(const unsigned char *buffer, const unsigne
 @ requires \valid_read(buffer+(0..tiff_size-1));
 @ requires \valid(potential_error);
 @ requires \separated(potential_error, buffer+(..));
+ @ terminates \true;
 @ assigns *potential_error;
 @ */
@@ -191,7 +193,36 @@ unsigned int find_tag_from_tiff_header_be(const unsigned char *buffer, const uns
 return 0;
 }
-#if !defined(MAIN_tiff_le) && !defined(MAIN_jpg)
+#if !defined(MAIN_tiff_le) && !defined(MAIN_jpg) && !defined(SINGLE_FORMAT_jpg)
+/*@
+ @ requires nbr <= 2048;
+ @ requires \valid_read(offsetp + (0 .. nbr-1));
+ @ requires \valid_read(sizep + (0 .. nbr-1));
+ @ requires \initialized(offsetp + (0 .. nbr-1));
+ @ requires \initialized(sizep + (0 .. nbr-1));
+ @ terminates \true;
+ @ assigns \nothing;
+ @*/
+static uint64_t parse_strip_be_aux(const uint32_t *offsetp, const uint32_t *sizep, const unsigned int nbr)
+{
+ unsigned int i;
+ uint64_t max_offset=0;
+ /*@
+ @ loop invariant \valid_read(offsetp + (0 .. nbr-1));
+ @ loop invariant \valid_read(sizep + (0 .. nbr-1));
+ @ loop assigns i, max_offset;
+ @ loop variant nbr - i;
+ @*/
+ for(i=0; i<nbr; i++)
+ {
+ /*@ assert 0 <= i < nbr; */
+ const uint64_t tmp=(uint64_t)be32(offsetp[i]) + be32(sizep[i]);
+ if(max_offset < tmp)
+ max_offset=tmp;
+ }
+ return max_offset;
+}
+
 /*@
 @ requires \valid(handle);
 @ requires \valid_read(entry_strip_offsets);
@@ -206,10 +237,8 @@ static uint64_t parse_strip_be(FILE *handle, const TIFFDirEntry *entry_strip_off
 be32(entry_strip_offsets->tdir_count): 2048);
 /*@ assert nbr <= 2048; */
- unsigned int i;
 char offsetp_buf[2048*sizeof(uint32_t)];
 char sizep_buf[2048*sizeof(uint32_t)];
- uint64_t max_offset=0;
 /* be32() isn't required to compare the 2 values */
 if(entry_strip_offsets->tdir_count != entry_strip_bytecounts->tdir_count)
 return TIFF_ERROR;
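Review bot: parse_strip_be_aux carries a complete ACSL contract but no prose comment saying what it computes, so a reader who skips the annotations has to reconstruct it from the loop; a one-line comment above the `/*@` block would do, e.g. `/* Largest strip end (be32 offset + be32 bytecount) over nbr entries; 0 when nbr==0. */`. The `(uint64_t)` cast on the first operand is what keeps the sum of two 32-bit values from wrapping, and that intent is worth a short comment on the `tmp` line as well, since the same idiom is now duplicated in the little-endian helper. The second hunk (-206) only drops the `i` and `max_offset` locals that moved into the helper; parse_strip_be itself starts and ends outside both hunks.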
@@ -235,25 +264,7 @@ static uint64_t parse_strip_be(FILE *handle, const TIFFDirEntry *entry_strip_off
 #endif
 /*@ assert \initialized(offsetp_buf + (0 .. nbr*sizeof(uint32_t)-1)); */
 /*@ assert \initialized(sizep_buf + (0 .. nbr*sizeof(uint32_t)-1)); */
- {
- const uint32_t *offsetp=(const uint32_t *)&offsetp_buf;
- const uint32_t *sizep=(const uint32_t *)&sizep_buf;
- /*@ assert \initialized(offsetp + (0 .. nbr-1)); */
- /*@ assert \initialized(sizep + (0 .. nbr-1)); */
- /*@
- @ loop invariant \valid_read(offsetp + (0 .. nbr-1));
- @ loop invariant \valid_read(sizep + (0 .. nbr-1));
- @ loop assigns i, max_offset;
- @*/
- for(i=0; i<nbr; i++)
- {
- /*@ assert 0 <= i < nbr; */
- const uint64_t tmp=(uint64_t)be32(offsetp[i]) + be32(sizep[i]);
- if(max_offset < tmp)
- max_offset=tmp;
- }
- }
- return max_offset;
+ return parse_strip_be_aux((const uint32_t *)&offsetp_buf, (const uint32_t *)&sizep_buf, nbr);
 }
 /*@
@@ -279,7 +290,7 @@ static unsigned int tiff_be_read(const void *val, const unsigned int type)
 {
 const uint16_t *ptr=(const uint16_t *)val;
 /*@ assert \valid_read(ptr); */
- const uint32_t val=*ptr;
+ const uint16_t val=*ptr;
 return be16(val);
 }
 case 4:
@@ -513,7 +524,6 @@ static uint64_t file_check_tiff_be_aux(file_recovery_t *fr, const uint32_t tiff_
 /*@ assert sizeof(TIFFDirEntry)==12; */
 /*X
 X loop invariant 0 <= i <=n && i <= (data_read-2)/12;
- X loop variant n-i;
 X*/
 /*@
 @ loop invariant valid_file_recovery(fr);
@@ -536,6 +546,7 @@ static uint64_t file_check_tiff_be_aux(file_recovery_t *fr, const uint32_t tiff_
 @ loop assigns entry_strip_bytecounts;
 @ loop assigns entry_tile_offsets;
 @ loop assigns entry_tile_bytecounts;
+ @ loop variant n-i;
 @*/
 for(i=0; i < n && i < (unsigned int)(data_read-2)/12; i++)
 {
diff --git a/src/file_tiff_le.c b/src/file_tiff_le.c
index f2def2da..2fb52dfe 100644
--- a/src/file_tiff_le.c
+++ b/src/file_tiff_le.c
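Review bot: The new call `parse_strip_be_aux((const uint32_t *)&offsetp_buf, (const uint32_t *)&sizep_buf, nbr)` still reads `uint32_t` objects out of `char offsetp_buf[2048*sizeof(uint32_t)]` and `char sizep_buf[...]`, which is a strict-aliasing violation and relies on the `char` arrays happening to be 4-byte aligned; the removed inline loop had the same casts, so the commit carries the problem over rather than introducing it. Declaring the two buffers in hunk -206 as `uint32_t offsetp_buf[2048];` and `uint32_t sizep_buf[2048];` and passing them directly removes both casts, and the two `\initialized` asserts just above the call would then range over `nbr-1` elements instead of `nbr*sizeof(uint32_t)-1` bytes. The code that fills the buffers lies outside this hunk, so I have not checked how the size it reads relates to `nbr`; parse_strip_be starts outside the hunk as well.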
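Review bot: The corrected `const uint16_t val=*ptr;` in hunk -279 still shadows the function parameter `val` (`const void *val` in the hunk header), which `-Wshadow` reports and which makes the two `val`s easy to confuse inside this case block; renaming the local keeps the type fix: `const uint16_t v=*ptr; return be16(v);`. If `<string.h>` is already in scope, `uint16_t v; memcpy(&v, val, sizeof v); return be16(v);` would additionally drop the `(const uint16_t *)val` cast, which is only valid when `val` is suitably aligned for a `uint16_t`. The enclosing switch of tiff_be_read starts and ends outside the hunk.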
@@ -59,6 +59,7 @@ static const char *extension_sr2="sr2";
 #ifndef MAIN_tiff_be
 /*@
 @ requires \valid_read(buffer+(0..tiff_size-1));
+ @ terminates \true;
 @ ensures \result <= 0xffff;
 @ assigns \nothing;
 @ */
@@ -83,6 +84,7 @@ static unsigned int get_nbr_fields_le(const unsigned char *buffer, const unsigne
 @ requires \valid_read(buffer+(0..tiff_size-1));
 @ requires \valid(potential_error);
 @ requires \separated(potential_error, buffer+(..));
+ @ terminates \true;
 @ assigns *potential_error;
 @ */
@@ -202,6 +204,7 @@ unsigned int find_tag_from_tiff_header_le(const unsigned char *buffer, const uns
 @ requires \valid_read(sizep + (0 .. nbr-1));
 @ requires \initialized(offsetp + (0 .. nbr-1));
 @ requires \initialized(sizep + (0 .. nbr-1));
+ @ terminates \true;
 @ assigns \nothing;
 @*/
 static uint64_t parse_strip_le_aux(const uint32_t *offsetp, const uint32_t *sizep, const unsigned int nbr)
@@ -212,6 +215,7 @@ static uint64_t parse_strip_le_aux(const uint32_t *offsetp, const uint32_t *size
 @ loop invariant \valid_read(offsetp + (0 .. nbr-1));
 @ loop invariant \valid_read(sizep + (0 .. nbr-1));
 @ loop assigns i, max_offset;
+ @ loop variant nbr - i;
 @*/
 for(i=0; i<nbr; i++)
 {
@@ -522,7 +526,6 @@ static uint64_t file_check_tiff_le_aux(file_recovery_t *fr, const uint32_t tiff_
 /*@ assert sizeof(TIFFDirEntry)==12; */
 /*X
 X loop invariant 0 <= i <=n && i <= (data_read-2)/12;
- X loop variant n-i;
 X*/
 /*@
 @ loop invariant valid_file_recovery(fr);
@@ -545,6 +548,7 @@ static uint64_t file_check_tiff_le_aux(file_recovery_t *fr, const uint32_t tiff_
 @ loop assigns entry_strip_bytecounts;
 @ loop assigns entry_tile_offsets;
 @ loop assigns entry_tile_bytecounts;
+ @ loop variant n-i;
 @*/
 for(i=0; i < n && i < (unsigned int)(data_read-2)/12; i++)
 {
@@ -693,6 +697,7 @@ static uint64_t file_check_tiff_le_aux(file_recovery_t *fr, const uint32_t tiff_
 @ loop assigns *fr->handle, errno;
 @ loop assigns Frama_C_entropy_source;
 @ loop assigns j, max_offset;
+ @ loop variant nbr - j;
 @*/
 for(j=0; j<nbr; j++)
 {
|