Add verification of the range of integer values for TLVReader -- 2nd attempt

[bitkis]

Problem

Currently, TVLReader's method Get does not validate sizes of requested integers. In case when the size is less than size of TVL field, incorrect value is returned to caller; no error condition is indicated.

Summary of Changes

Size validation is added, error conditions are handled properly.

Fixes #5152
[see https://github.com/CHIP-Specifications/connectedhomeip-spec/issues/2115 and https://github.com//pull/5286 discussions]

[github-actions]

Size increase report for "esp32-example-build" from f3ec8e6

File	Section	File	VM
chip-all-clusters-app.elf	.flash.text	72	72

Full report output

BLOAT REPORT

Files found only in the build output:
    report.csv

Comparing ./master_artifact/chip-all-clusters-app.elf and ./pull_artifact/chip-all-clusters-app.elf:

sections,vmsize,filesize
.debug_info,0,3391
.debug_str,0,1701
.debug_line,0,949
.debug_loc,0,945
.debug_ranges,0,248
.flash.text,72,72
.debug_abbrev,0,40
.debug_frame,0,24
.debug_aranges,0,8
.strtab,0,1
.shstrtab,0,-1
.xt.prop._ZN4chip8Encoding22PacketBufferWriterBaseINS0_12LittleEndian12BufferWriterEEC2EONS_6System18PacketBufferHandleEj,0,-2

Comparing ./master_artifact/chip-pigweed-app.elf and ./pull_artifact/chip-pigweed-app.elf:

sections,vmsize,filesize

[github-actions]

Size increase report for "nrfconnect-example-build" from f3ec8e6

File	Section	File	VM
chip-lighting.elf	text	60	60
chip-lighting.elf	device_handles	4	4
chip-lock.elf	text	60	60
chip-lock.elf	device_handles	4	4

Full report output

BLOAT REPORT

Files found only in the build output:
    report.csv

Comparing ./master_artifact/chip-lighting.elf and ./pull_artifact/chip-lighting.elf:

sections,vmsize,filesize
.debug_info,0,3375
.debug_str,0,1701
.debug_loc,0,939
.debug_line,0,397
.debug_ranges,0,176
.debug_frame,0,84
text,60,60
.debug_aranges,0,8
device_handles,4,4
.strtab,0,1
.shstrtab,0,-1

Comparing ./master_artifact/chip-shell.elf and ./pull_artifact/chip-shell.elf:

sections,vmsize,filesize
.debug_loc,0,-16

Comparing ./master_artifact/chip-lock.elf and ./pull_artifact/chip-lock.elf:

sections,vmsize,filesize
.debug_info,0,3375
.debug_str,0,1701
.debug_loc,0,927
.debug_line,0,401
.debug_ranges,0,176
.debug_frame,0,84
text,60,60
.debug_aranges,0,8
device_handles,4,4
.strtab,0,1
.shstrtab,0,-1

[Damian-Nordic]

nit: wouldn't having two methods for signed and unsigned types, returning int64_t and uint64_t, respectively, result in a simpler code?

[bzbarsky-apple]

These need to be documented.

[bzbarsky-apple]

Suggested change

	v = CastToSigned(static_cast<uint8_t>(v64));
	v = static_cast<int8_t>(CastToSigned(v64));

is clearer. But even clearer would be to have an overload of _Get that takes int64_t and checks for the SignedInteger() type before returning success. Then here we could just CanCastTo and return with a cast...

Similar comments for all the signed types.

[bzbarsky-apple]

This comment is still unaddressed.

[bzbarsky-apple]

Should probably check that INT8_MAX can't be read as uint8_t (below), since that one would actually be in range.

[bzbarsky-apple]

Should probably check that can't read as uint64_t, and same for all the signed max values.

[bzbarsky-apple]

I believe that cast is undefined behavior... Should use 0 instead of INT16_MIN there, perhaps? Similar for the other to-signed narrowing casts.

[bzbarsky-apple]

Why all the changes away from using TestGet?

[bitkis]

All Test*() inline functions in this file have the same issue: they are functions, and, therefore, the assertion macros in those functions get expended before the functions are called/inlined. As the result, shown locations of assertion failures have nothing to do with the locations of actual problems.

The reason I have not completely removed TestGet was that for some reason TEST_GET macro had a problem with float/double types -- still need to figure out what is wrong.

[bzbarsky-apple]

As the result, shown locations of assertion failures have nothing to do with the locations of actual problems.

Ah, right. Would have been handy to put that in the commit message. ;)

[stale]

This pull request has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.

[woody-apple]

@bitkis Any update on the PR feedback?

[stale]

This pull request has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.

[stale]

This pull request has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.

[woody-apple]

Per the updated template, can you update the PR here?

#### Problem
What is being fixed?  Examples:
* Fix crash on startup
* Fixes #12345 12345 Frobnozzle is leaky (exactly like that, so GitHub will auto-close the issue).

#### Change overview
What's in this PR

#### Testing
How was this tested? (at least one bullet point required)
    • If unit tests were added, how do they cover this issue?
    • If unit tests existed, how were they fixed/modified to prevent this in future?
    • If integration tests were added, how do they verify this change?
    • If manually tested, what platforms controller and device platforms were manually tested, and how?
    • If no testing is required, why not?

[bzbarsky-apple]

Still need to address issues raised in #5764 (review)

[bzbarsky-apple]

These still need to be documented.

[bzbarsky-apple]

This comment is still unaddressed.

[stale]

This pull request has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.

[stale]

This stale pull request has been automatically closed. Thank you for your contributions.