micropdf 0.15.15

A pure Rust PDF library - A pure Rust PDF library with fz_/pdf_ API compatibility
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380

//! FFI Safety Utilities
//!
//! This module provides safety-documented helper functions for common FFI patterns.
//! All functions include explicit SAFETY documentation for each unsafe operation.

// Allow macros to expand metavariables in unsafe blocks - this is intentional
// as these macros are designed to wrap unsafe FFI patterns with documented safety.
#![allow(clippy::macro_metavars_in_unsafe)]

use std::ffi::{CStr, CString};
use std::os::raw::c_char;

// ============================================================================
// C String Conversions
// ============================================================================

/// Convert a C string pointer to a Rust `&str`.
///
/// # Safety Requirements (Caller's Contract)
/// - `ptr` must be a valid pointer to a null-terminated C string
/// - The string must be valid UTF-8
/// - The memory must remain valid for the lifetime of the returned `&str`
/// - The memory must not be modified while the `&str` is in use
///
/// Returns empty string if ptr is null or conversion fails.
#[inline]
pub fn cstr_to_str(ptr: *const c_char) -> &'static str {
    if ptr.is_null() {
        return "";
    }
    // SAFETY: Caller guarantees ptr is valid null-terminated UTF-8 string.
    // The 'static lifetime is safe because we only return borrowed data
    // that should remain valid for the duration of the FFI call.
    unsafe { CStr::from_ptr(ptr) }.to_str().unwrap_or("")
}

/// Convert a C string pointer to an owned Rust `String`.
///
/// # Safety Requirements (Caller's Contract)
/// - `ptr` must be a valid pointer to a null-terminated C string
/// - The string must be valid UTF-8
///
/// Returns empty string if ptr is null or conversion fails.
#[inline]
pub fn cstr_to_string(ptr: *const c_char) -> String {
    if ptr.is_null() {
        return String::new();
    }
    // SAFETY: Caller guarantees ptr is valid null-terminated UTF-8 string.
    unsafe { CStr::from_ptr(ptr) }
        .to_str()
        .map(|s| s.to_string())
        .unwrap_or_default()
}

/// Convert a C string pointer to `Option<&str>`.
///
/// # Safety Requirements (Caller's Contract)
/// - If not null, `ptr` must be a valid pointer to a null-terminated C string
/// - The string must be valid UTF-8 if not null
///
/// Returns None if ptr is null, Some("") if UTF-8 conversion fails.
#[inline]
pub fn cstr_to_option_str(ptr: *const c_char) -> Option<&'static str> {
    if ptr.is_null() {
        return None;
    }
    // SAFETY: Caller guarantees ptr is valid null-terminated string if not null.
    Some(unsafe { CStr::from_ptr(ptr) }.to_str().unwrap_or(""))
}

/// Create a CString from a Rust string, returning null pointer on failure.
#[inline]
pub fn str_to_cstring(s: &str) -> Option<CString> {
    CString::new(s).ok()
}

// ============================================================================
// Raw Slice Conversions
// ============================================================================

/// Create a byte slice from a raw pointer and length.
///
/// # Safety Requirements (Caller's Contract)
/// - `ptr` must be a valid pointer to at least `len` bytes of memory
/// - The memory must be properly aligned for `u8` (always satisfied)
/// - The memory must remain valid for the lifetime of the returned slice
/// - The memory must not be modified while the slice is in use
///
/// Returns empty slice if ptr is null or len is 0.
#[inline]
pub fn raw_to_slice<'a>(ptr: *const u8, len: usize) -> &'a [u8] {
    if ptr.is_null() || len == 0 {
        return &[];
    }
    // SAFETY: Caller guarantees ptr points to len valid bytes.
    unsafe { std::slice::from_raw_parts(ptr, len) }
}

/// Create a mutable byte slice from a raw pointer and length.
///
/// # Safety Requirements (Caller's Contract)
/// - `ptr` must be a valid pointer to at least `len` bytes of memory
/// - The memory must be properly aligned for `u8` (always satisfied)
/// - The pointer must be valid for writes
/// - No other references to this memory may exist
///
/// Returns empty slice if ptr is null or len is 0.
#[inline]
pub fn raw_to_slice_mut<'a>(ptr: *mut u8, len: usize) -> &'a mut [u8] {
    if ptr.is_null() || len == 0 {
        return &mut [];
    }
    // SAFETY: Caller guarantees ptr is valid for len bytes and exclusive access.
    unsafe { std::slice::from_raw_parts_mut(ptr, len) }
}

/// Create a slice of f32 from a raw pointer and count.
///
/// # Safety Requirements (Caller's Contract)
/// - `ptr` must be a valid pointer to at least `count` f32 values
/// - The memory must be properly aligned for `f32`
/// - The memory must remain valid for the lifetime of the returned slice
///
/// Returns empty slice if ptr is null or count is 0.
#[inline]
pub fn raw_to_f32_slice<'a>(ptr: *const f32, count: usize) -> &'a [f32] {
    if ptr.is_null() || count == 0 {
        return &[];
    }
    // SAFETY: Caller guarantees ptr points to count valid f32 values with proper alignment.
    unsafe { std::slice::from_raw_parts(ptr, count) }
}

/// Create a Vec from raw pointer and length (copies data).
///
/// # Safety Requirements (Caller's Contract)
/// - `ptr` must be a valid pointer to at least `len` bytes
/// - The memory must remain valid during the copy
///
/// Returns empty Vec if ptr is null or len is 0.
#[inline]
pub fn raw_to_vec(ptr: *const u8, len: usize) -> Vec<u8> {
    if ptr.is_null() || len == 0 {
        return Vec::new();
    }
    // SAFETY: Caller guarantees ptr points to len valid bytes.
    unsafe { std::slice::from_raw_parts(ptr, len) }.to_vec()
}

/// Create a `Vec<f32>` from raw pointer and count (copies data).
#[inline]
pub fn raw_to_f32_vec(ptr: *const f32, count: usize) -> Vec<f32> {
    if ptr.is_null() || count == 0 {
        return Vec::new();
    }
    // SAFETY: Caller guarantees ptr points to count valid f32 values.
    unsafe { std::slice::from_raw_parts(ptr, count) }.to_vec()
}

// ============================================================================
// Output Pointer Writes
// ============================================================================

/// Write a value through an output pointer.
///
/// # Safety Requirements (Caller's Contract)
/// - `ptr` must be a valid, properly aligned pointer for type `T`
/// - `ptr` must be valid for writes
/// - No other references to this memory location may exist
///
/// Does nothing if ptr is null.
#[inline]
pub fn write_out<T>(ptr: *mut T, value: T) {
    if ptr.is_null() {
        return;
    }
    // SAFETY: Caller guarantees ptr is valid for writes and properly aligned.
    unsafe { *ptr = value };
}

/// Write a value through an output pointer, returning whether write occurred.
#[inline]
pub fn try_write_out<T>(ptr: *mut T, value: T) -> bool {
    if ptr.is_null() {
        return false;
    }
    // SAFETY: Caller guarantees ptr is valid for writes and properly aligned.
    unsafe { *ptr = value };
    true
}

/// Write to output pointer, copying bytes.
///
/// # Safety Requirements (Caller's Contract)
/// - `dst` must be a valid pointer to at least `len` bytes
/// - `dst` must be valid for writes
/// - Memory regions must not overlap (use copy if they might)
#[inline]
pub fn write_bytes(dst: *mut u8, src: &[u8]) {
    if dst.is_null() || src.is_empty() {
        return;
    }
    // SAFETY: Caller guarantees dst is valid for src.len() bytes.
    unsafe {
        std::ptr::copy_nonoverlapping(src.as_ptr(), dst, src.len());
    }
}

// ============================================================================
// Handle Validation
// ============================================================================

/// Check if a handle is valid (non-zero).
#[inline]
pub const fn is_valid_handle(handle: u64) -> bool {
    handle != 0
}

/// Convert handle to usize for indexing (with validation).
#[inline]
pub fn handle_to_index(handle: u64) -> Option<usize> {
    if handle == 0 {
        None
    } else {
        Some(handle as usize)
    }
}

// ============================================================================
// Macros for Common Patterns
// ============================================================================

/// Macro for safely converting a C string pointer with SAFETY comment.
///
/// Usage: `cstr_safe!(ptr)` expands to the unsafe block with SAFETY comment.
#[macro_export]
macro_rules! cstr_safe {
    ($ptr:expr) => {{
        if $ptr.is_null() {
            ""
        } else {
            // SAFETY: Caller guarantees ptr is valid null-terminated UTF-8 string.
            unsafe { std::ffi::CStr::from_ptr($ptr) }
                .to_str()
                .unwrap_or("")
        }
    }};
}

/// Macro for safely creating a slice from raw parts with SAFETY comment.
///
/// Usage: `slice_safe!(ptr, len)` expands to the unsafe block with SAFETY comment.
#[macro_export]
macro_rules! slice_safe {
    ($ptr:expr, $len:expr) => {{
        if $ptr.is_null() || $len == 0 {
            &[]
        } else {
            // SAFETY: Caller guarantees ptr points to len valid elements.
            unsafe { std::slice::from_raw_parts($ptr, $len as usize) }
        }
    }};
}

/// Macro for safely writing to an output pointer with SAFETY comment.
///
/// Usage: `write_safe!(ptr, value)` expands to the unsafe block with SAFETY comment.
#[macro_export]
macro_rules! write_safe {
    ($ptr:expr, $value:expr) => {{
        if !$ptr.is_null() {
            // SAFETY: Caller guarantees ptr is valid for writes and properly aligned.
            unsafe { *$ptr = $value };
        }
    }};
}

#[cfg(test)]
mod tests {
    use super::*;
    use std::ffi::CString;

    #[test]
    fn test_cstr_to_str_null() {
        assert_eq!(cstr_to_str(std::ptr::null()), "");
    }

    #[test]
    fn test_cstr_to_str_valid() {
        let s = CString::new("hello").unwrap();
        assert_eq!(cstr_to_str(s.as_ptr()), "hello");
    }

    #[test]
    fn test_cstr_to_string_null() {
        assert_eq!(cstr_to_string(std::ptr::null()), "");
    }

    #[test]
    fn test_raw_to_slice_null() {
        let slice: &[u8] = raw_to_slice(std::ptr::null(), 10);
        assert!(slice.is_empty());
    }

    #[test]
    fn test_raw_to_slice_valid() {
        let data = [1u8, 2, 3, 4, 5];
        let slice = raw_to_slice(data.as_ptr(), data.len());
        assert_eq!(slice, &data);
    }

    #[test]
    fn test_raw_to_vec_null() {
        let vec = raw_to_vec(std::ptr::null(), 10);
        assert!(vec.is_empty());
    }

    #[test]
    fn test_write_out_null() {
        write_out(std::ptr::null_mut::<i32>(), 42);
        // Should not crash
    }

    #[test]
    fn test_write_out_valid() {
        let mut value = 0i32;
        write_out(&mut value as *mut i32, 42);
        assert_eq!(value, 42);
    }

    #[test]
    fn test_is_valid_handle() {
        assert!(!is_valid_handle(0));
        assert!(is_valid_handle(1));
        assert!(is_valid_handle(u64::MAX));
    }

    // Tests for macros use the helper functions instead to avoid
    // useless_ptr_null_checks warnings since the macros are thin
    // wrappers around these functions.

    #[test]
    fn test_cstr_safe_macro_via_function() {
        // Test null pointer case via function
        assert_eq!(cstr_to_str(std::ptr::null::<i8>()), "");

        // Test valid pointer case via function
        let s = CString::new("test").unwrap();
        assert_eq!(cstr_to_str(s.as_ptr()), "test");
    }

    #[test]
    fn test_slice_safe_macro_via_function() {
        // Test null pointer case via function
        let slice: &[u8] = raw_to_slice(std::ptr::null(), 3);
        assert!(slice.is_empty());

        // Test valid pointer case via function
        let data = [1u8, 2, 3];
        let slice = raw_to_slice(data.as_ptr(), 3);
        assert_eq!(slice, &data);

        // Test with zero length via function
        let empty_slice: &[u8] = raw_to_slice(data.as_ptr(), 0);
        assert!(empty_slice.is_empty());
    }

    #[test]
    fn test_write_safe_macro_via_function() {
        // Test null pointer case via function
        write_out(std::ptr::null_mut::<i32>(), 99);
        // Should not crash

        // Test valid pointer case via function
        let mut value = 0i32;
        write_out(&mut value as *mut i32, 99);
        assert_eq!(value, 99);
    }
}