Handle excessive widths.

m-ou-se · m-ou-se · commit 23c2037ab984 · 2025-03-21T19:22:17.000+01:00
Without relying on write!() to support very large widths.
diff --git a/src/format/mod.rs b/src/format/mod.rs
@@ -303,10 +303,10 @@ impl Piece {
         if self.flags.contains(Flag::LeftPadding) {
             write!(f, "{value}")
         } else if self.padding == Padding::Spaces {
-            let width = self.width.unwrap_or(default_width);
+            let width = self.pad_width(f, b' ', default_width)?;
             write!(f, "{value: >width$}")
         } else {
-            let width = self.width.unwrap_or(default_width);
+            let width = self.pad_width(f, b'0', default_width)?;
             write!(f, "{value:0width$}")
         }
     }
@@ -321,14 +321,23 @@ impl Piece {
         if self.flags.contains(Flag::LeftPadding) {
             write!(f, "{value}")
         } else if self.padding == Padding::Zeros {
-            let width = self.width.unwrap_or(default_width);
+            let width = self.pad_width(f, b'0', default_width)?;
             write!(f, "{value:0width$}")
         } else {
-            let width = self.width.unwrap_or(default_width);
+            let width = self.pad_width(f, b' ', default_width)?;
             write!(f, "{value: >width$}")
         }
     }
 
+    // Returns the width to use for the padding.
+    //
+    // Prints any excessive (>10) padding directly.
+    fn pad_width(&self, f: &mut SizeLimiter<'_>, pad: u8, default: usize) -> Result<usize, Error> {
+        let width = self.width.unwrap_or(default);
+        f.pad(pad, width.saturating_sub(10))?;
+        Ok(width.min(10))
+    }
+
     /// Format nanoseconds with the specified precision.
     #[allow(clippy::uninlined_format_args)] // for readability and symmetry between if branches
     fn format_nanoseconds(
@@ -343,35 +352,30 @@ impl Piece {
             let value = nanoseconds / 10u32.pow(9 - width as u32);
             write!(f, "{value:0n$}", n = width)
         } else {
-            write!(f, "{nanoseconds:09}{:0n$}", 0, n = width - 9)
+            write!(f, "{nanoseconds:09}")?;
+            f.pad(b'0', width - 9)
         }
     }
 
     /// Format a string value.
     fn format_string(&self, f: &mut SizeLimiter<'_>, s: &str) -> Result<(), Error> {
-        match self.width {
-            None => write!(f, "{s}"),
-            Some(width) => {
-                if self.flags.contains(Flag::LeftPadding) {
-                    write!(f, "{s}")
-                } else if self.padding == Padding::Zeros {
-                    write!(f, "{s:0>width$}")
-                } else {
-                    write!(f, "{s: >width$}")
-                }
-            }
+        if !self.flags.contains(Flag::LeftPadding) {
+            self.write_padding(f, s.len())?;
         }
+        write!(f, "{s}")
     }
 
     /// Write padding separately.
     fn write_padding(&self, f: &mut SizeLimiter<'_>, min_width: usize) -> Result<(), Error> {
         if let Some(width) = self.width {
             let n = width.saturating_sub(min_width);
 
-            match self.padding {
-                Padding::Zeros => write!(f, "{:0>n$}", "")?,
-                _ => write!(f, "{: >n$}", "")?,
+            let pad = match self.padding {
+                Padding::Zeros => b'0',
+                _ => b' ',
             };
+
+            f.pad(pad, n)?;
         }
         Ok(())
     }
@@ -396,14 +400,24 @@ impl Piece {
         UtcOffset::new(hour, minute, second)
     }
 
-    /// Compute hour padding for the `%z` specifier.
-    fn hour_padding(&self, min_width: usize) -> usize {
-        const MIN_PADDING: usize = "+hh".len();
-
-        match self.width {
-            Some(width) => width.saturating_sub(min_width) + MIN_PADDING,
-            None => MIN_PADDING,
+    /// Print the hour with padding for the `%z` specifier.
+    fn write_offset_hour(&self, f: &mut SizeLimiter<'_>, hour: f64, w: usize) -> Result<(), Error> {
+        let mut pad = self.width.unwrap_or(0).saturating_sub(w);
+        if hour < 10.0 {
+            pad += 1;
+        }
+        if self.padding == Padding::Spaces {
+            f.pad(b' ', pad)?;
+        }
+        if hour.is_sign_negative() {
+            write!(f, "-")?;
+        } else {
+            write!(f, "+")?;
         }
+        if self.padding != Padding::Spaces {
+            f.pad(b'0', pad)?;
+        }
+        write!(f, "{:.0}", hour.abs())
     }
 
     /// Write the time zone UTC offset as `"+hh"`.
@@ -412,13 +426,7 @@ impl Piece {
         f: &mut SizeLimiter<'_>,
         utc_offset: &UtcOffset,
     ) -> Result<(), Error> {
-        let hour = utc_offset.hour;
-        let n = self.hour_padding("+hh".len());
-
-        match self.padding {
-            Padding::Spaces => write!(f, "{hour: >+n$.0}"),
-            _ => write!(f, "{hour:+0n$.0}"),
-        }
+        self.write_offset_hour(f, utc_offset.hour, "+hh".len())
     }
 
     /// Write the time zone UTC offset as `"+hhmm"`.
@@ -428,12 +436,8 @@ impl Piece {
         utc_offset: &UtcOffset,
     ) -> Result<(), Error> {
         let UtcOffset { hour, minute, .. } = utc_offset;
-        let n = self.hour_padding("+hhmm".len());
-
-        match self.padding {
-            Padding::Spaces => write!(f, "{hour: >+n$.0}{minute:02}"),
-            _ => write!(f, "{hour:+0n$.0}{minute:02}"),
-        }
+        self.write_offset_hour(f, *hour, "+hhmm".len())?;
+        write!(f, "{minute:02}")
     }
 
     /// Write the time zone UTC offset as `"+hh:mm"`.
@@ -443,12 +447,8 @@ impl Piece {
         utc_offset: &UtcOffset,
     ) -> Result<(), Error> {
         let UtcOffset { hour, minute, .. } = utc_offset;
-        let n = self.hour_padding("+hh:mm".len());
-
-        match self.padding {
-            Padding::Spaces => write!(f, "{hour: >+n$.0}:{minute:02}"),
-            _ => write!(f, "{hour:+0n$.0}:{minute:02}"),
-        }
+        self.write_offset_hour(f, *hour, "+hh:mm".len())?;
+        write!(f, ":{minute:02}")
     }
 
     /// Write the time zone UTC offset as `"+hh:mm:ss"`.
@@ -462,13 +462,8 @@ impl Piece {
             minute,
             second,
         } = utc_offset;
-
-        let n = self.hour_padding("+hh:mm:ss".len());
-
-        match self.padding {
-            Padding::Spaces => write!(f, "{hour: >+n$.0}:{minute:02}:{second:02}"),
-            _ => write!(f, "{hour:+0n$.0}:{minute:02}:{second:02}"),
-        }
+        self.write_offset_hour(f, *hour, "+hh:mm:ss".len())?;
+        write!(f, ":{minute:02}:{second:02}")
     }
 
     /// Format time using the formatting directive.
diff --git a/src/format/utils.rs b/src/format/utils.rs
@@ -81,6 +81,17 @@ impl<'a> SizeLimiter<'a> {
             count: 0,
         }
     }
+
+    pub(crate) fn pad(&mut self, c: u8, n: usize) -> Result<(), Error> {
+        if self.count + n > self.size_limit {
+            return Err(Error::FormattedStringTooLarge);
+        }
+        for _ in 0..n {
+            self.inner.write_all(&[c])?;
+        }
+        self.count += n;
+        Ok(())
+    }
 }
 
 impl Write for SizeLimiter<'_> {
diff --git a/src/tests/format.rs b/src/tests/format.rs
@@ -826,7 +826,7 @@ fn test_format_large_width() {
     check_format(&time, "%2147483648m", "%2147483648m");
 
     let err = get_format_err(&time, "%2147483647m");
-    assert!(matches!(err, Error::WriteZero));
+    assert!(matches!(err, Error::FormattedStringTooLarge));
 }
 
 #[cfg(feature = "alloc")]
diff --git a/src/tests/rust_fmt_argument_max_padding.rs b/src/tests/rust_fmt_argument_max_padding.rs
@@ -83,7 +83,7 @@ fn test_rust_136932_reduce_fmt_argument_width_and_precision_fuzzer_failures() {
 
     for (time, format) in test_cases {
         let err = get_format_err(&time, format);
-        assert!(matches!(err, Error::WriteZero));
+        assert!(matches!(err, Error::WriteZero | Error::FormattedStringTooLarge));
     }
 }
 
@@ -127,7 +127,7 @@ fn test_rust_136932_reduce_fmt_argument_width_and_precision_fuzzer_failures_byte
 
     for (time, format) in test_cases {
         let err = get_format_err_bytes(&time, format);
-        assert!(matches!(err, Error::WriteZero));
+        assert!(matches!(err, Error::WriteZero | Error::FormattedStringTooLarge));
     }
 }
 
@@ -237,7 +237,7 @@ fn test_format_specifiers_int_max_fail() {
             .fmt(&mut &mut buf[..])
             .unwrap_err();
         assert!(
-            matches!(err, Error::WriteZero),
+            matches!(err, Error::WriteZero | Error::FormattedStringTooLarge),
             "Expected write failure for specifier '{spec}' with width {width} but got unexpected error: {err:?}",
         );
     }

Original file line number	Diff line number	Diff line change
`@@ -81,6 +81,17 @@ impl<'a> SizeLimiter<'a> {`
`81`	`81`	`count: 0,`
`82`	`82`	`}`
`83`	`83`	`}`
	`84`	`+`
	`85`	`+ pub(crate) fn pad(&mut self, c: u8, n: usize) -> Result<(), Error> {`
	`86`	`+ if self.count + n > self.size_limit {`
	`87`	`+ return Err(Error::FormattedStringTooLarge);`
	`88`	`+ }`
	`89`	`+ for _ in 0..n {`
	`90`	`+ self.inner.write_all(&[c])?;`
	`91`	`+ }`
	`92`	`+ self.count += n;`
	`93`	`+ Ok(())`
	`94`	`+ }`
`84`	`95`	`}`
`85`	`96`
`86`	`97`	`impl Write for SizeLimiter<'_> {`
Original file line number	Diff line number	Diff line change
`@@ -826,7 +826,7 @@ fn test_format_large_width() {`
`826`	`826`	`check_format(&time, "%2147483648m", "%2147483648m");`
`827`	`827`
`828`	`828`	`let err = get_format_err(&time, "%2147483647m");`
`829`		`- assert!(matches!(err, Error::WriteZero));`
	`829`	`+ assert!(matches!(err, Error::FormattedStringTooLarge));`
`830`	`830`	`}`
`831`	`831`
`832`	`832`	`#[cfg(feature = "alloc")]`
Original file line number	Diff line number	Diff line change
`@@ -83,7 +83,7 @@ fn test_rust_136932_reduce_fmt_argument_width_and_precision_fuzzer_failures() {`
`83`	`83`
`84`	`84`	`for (time, format) in test_cases {`
`85`	`85`	`let err = get_format_err(&time, format);`
`86`		`- assert!(matches!(err, Error::WriteZero));`
	`86`	`+ assert!(matches!(err, Error::WriteZero \| Error::FormattedStringTooLarge));`
`87`	`87`	`}`
`88`	`88`	`}`
`89`	`89`
`@@ -127,7 +127,7 @@ fn test_rust_136932_reduce_fmt_argument_width_and_precision_fuzzer_failures_byte`
`127`	`127`
`128`	`128`	`for (time, format) in test_cases {`
`129`	`129`	`let err = get_format_err_bytes(&time, format);`
`130`		`- assert!(matches!(err, Error::WriteZero));`
	`130`	`+ assert!(matches!(err, Error::WriteZero \| Error::FormattedStringTooLarge));`
`131`	`131`	`}`
`132`	`132`	`}`
`133`	`133`
`@@ -237,7 +237,7 @@ fn test_format_specifiers_int_max_fail() {`
`237`	`237`	`.fmt(&mut &mut buf[..])`
`238`	`238`	`.unwrap_err();`
`239`	`239`	`assert!(`
`240`		`- matches!(err, Error::WriteZero),`
	`240`	`+ matches!(err, Error::WriteZero \| Error::FormattedStringTooLarge),`
`241`	`241`	`"Expected write failure for specifier '{spec}' with width {width} but got unexpected error: {err:?}",`
`242`	`242`	`);`
`243`	`243`	`}`