Audit and replace all ctype.h uses

Something like "char *s = ...; isdigit(s[0]);" triggers undefined
behavior, because char can be signed, and thus s[0] can be a negative
value. The is*() functions require unsigned char _or_ EOF. EOF is a
special value outside of unsigned char range, thus the argument to the
is*() functions can't be a char.

This undefined behavior can actually trigger crashes if the
implementation of these functions e.g. uses lookup tables, which are
then indexed with out-of-range values.

Replace all <ctype.h> uses with our own custom mp_is*() functions added
with misc/ctype.h. As a bonus, these functions are locale-independent.
(Although currently, we _require_ C locale for other reasons.)

audio/out/ao_alsa.c

@@ -31,7 +31,6 @@
 #include <sys/time.h>
 #include <stdlib.h>
 #include <stdarg.h>
-#include <ctype.h>
 #include <math.h>
 #include <string.h>
 

audio/out/ao_coreaudio_utils.c

@@ -30,7 +30,7 @@ char *fourcc_repr(void *talloc_ctx, uint32_t code)
 {
     // Extract FourCC letters from the uint32_t and finde out if it's a valid
     // code that is made of letters.
-    char fcc[4] = {
+    unsigned char fcc[4] = {
         (code >> 24) & 0xFF,
         (code >> 16) & 0xFF,
         (code >> 8)  & 0xFF,
@@ -39,7 +39,7 @@ char *fourcc_repr(void *talloc_ctx, uint32_t code)
 
     bool valid_fourcc = true;
     for (int i = 0; i < 4; i++)
-        if (!isprint(fcc[i]))
+        if (fcc[i] >= 32 && fcc[i] < 128)
             valid_fourcc = false;
 
     char *repr;

bstr/bstr.c

@@ -18,7 +18,6 @@
 
 #include <string.h>
 #include <assert.h>
-#include <ctype.h>
 #include <stdarg.h>
 #include <stdint.h>
 #include <stdlib.h>
@@ -28,6 +27,7 @@
 #include "talloc.h"
 
 #include "common/common.h"
+#include "misc/ctype.h"
 #include "bstr/bstr.h"
 
 int bstrcmp(struct bstr str1, struct bstr str2)
@@ -104,7 +104,7 @@ int bstr_find(struct bstr haystack, struct bstr needle)
 
 struct bstr bstr_lstrip(struct bstr str)
 {
-    while (str.len && isspace(*str.start)) {
+    while (str.len && mp_isspace(*str.start)) {
         str.start++;
         str.len--;
     }
@@ -114,7 +114,7 @@ struct bstr bstr_lstrip(struct bstr str)
 struct bstr bstr_strip(struct bstr str)
 {
     str = bstr_lstrip(str);
-    while (str.len && isspace(str.start[str.len - 1]))
+    while (str.len && mp_isspace(str.start[str.len - 1]))
         str.len--;
     return str;
 }
@@ -242,7 +242,7 @@ bool bstr_eatstart(struct bstr *s, struct bstr prefix)
 void bstr_lower(struct bstr str)
 {
     for (int i = 0; i < str.len; i++)
-        str.start[i] = tolower(str.start[i]);
+        str.start[i] = mp_tolower(str.start[i]);
 }
 
 int bstr_sscanf(struct bstr str, const char *format, ...)

demux/demux_mkv.c

@@ -23,7 +23,6 @@
 
 #include <stdlib.h>
 #include <stdio.h>
-#include <ctype.h>
 #include <inttypes.h>
 #include <stdbool.h>
 #include <assert.h>

demux/demux_subreader.c

@@ -26,7 +26,6 @@
 #include <string.h>
 #include <sys/types.h>
 #include <dirent.h>
-#include <ctype.h>
 
 #include <libavutil/common.h>
 #include <libavutil/avstring.h>

demux/mf.c

@@ -16,7 +16,6 @@
  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
  */
 
-#include <ctype.h>
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
@@ -30,6 +29,7 @@
 #include "talloc.h"
 #include "common/msg.h"
 #include "stream/stream.h"
+#include "misc/ctype.h"
 #include "options/path.h"
 
 #include "mf.h"
@@ -55,7 +55,7 @@ mf_t *open_mf_pattern(void *talloc_ctx, struct mp_log *log, char *filename)
             while (fgets(fname, 512, lst_f)) {
                 /* remove spaces from end of fname */
                 char *t = fname + strlen(fname) - 1;
-                while (t > fname && isspace((unsigned char)*t))
+                while (t > fname && mp_isspace(*t))
                     *(t--) = 0;
                 if (!mp_path_exists(fname)) {
                     mp_verbose(log, "file not found: '%s'\n", fname);

input/input.c

@@ -28,7 +28,6 @@
 #include <sys/stat.h>
 #include <sys/time.h>
 #include <fcntl.h>
-#include <ctype.h>
 #include <pthread.h>
 #include <assert.h>
 

misc/ctype.h

@@ -0,0 +1,19 @@
+#ifndef MP_CTYPE_H_
+#define MP_CTYPE_H_
+
+// Roughly follows C semantics, but doesn't account for EOF, allows char as
+// parameter, and is locale independent (always uses "C" locale).
+
+static inline int mp_isprint(char c) { return (unsigned char)c >= 32; }
+static inline int mp_isspace(char c) { return c == ' ' || c == '\f' || c == '\n' ||
+                                              c == '\r' || c == '\t' || c =='\v'; }
+static inline int mp_isupper(char c) { return c >= 'A' && c <= 'Z'; }
+static inline int mp_islower(char c) { return c >= 'a' && c <= 'z'; }
+static inline int mp_isdigit(char c) { return c >= '0' && c <= '9'; }
+static inline int mp_isalpha(char c) { return mp_isupper(c) || mp_islower(c); }
+static inline int mp_isalnum(char c) { return mp_isalpha(c) || mp_isdigit(c); }
+
+static inline char mp_tolower(char c) { return mp_isupper(c) ? c - 'A' + 'a' : c; }
+static inline char mp_toupper(char c) { return mp_islower(c) ? c - 'a' + 'A' : c; }
+
+#endif

options/m_option.c

@@ -29,7 +29,6 @@
 #include <limits.h>
 #include <inttypes.h>
 #include <unistd.h>
-#include <ctype.h>
 #include <assert.h>
 
 #include <libavutil/common.h>

options/parse_configfile.c

@@ -22,13 +22,13 @@
 #include <stdlib.h>
 #include <string.h>
 #include <errno.h>
-#include <ctype.h>
 #include <assert.h>
 
 #include "osdep/io.h"
 
 #include "parse_configfile.h"
 #include "common/msg.h"
+#include "misc/ctype.h"
 #include "m_option.h"
 #include "m_config.h"
 
@@ -95,7 +95,7 @@ int m_config_parse_config_file(m_config_t *config, const char *conffile,
         line_pos = 0;
 
         /* skip whitespaces */
-        while (isspace(line[line_pos]))
+        while (mp_isspace(line[line_pos]))
             ++line_pos;
 
         /* EOL / comment */
@@ -103,7 +103,7 @@ int m_config_parse_config_file(m_config_t *config, const char *conffile,
             continue;
 
         /* read option. */
-        for (opt_pos = 0; isprint(line[line_pos]) &&
+        for (opt_pos = 0; mp_isprint(line[line_pos]) &&
              line[line_pos] != ' ' &&
              line[line_pos] != '#' &&
              line[line_pos] != '='; /* NOTHING */) {
@@ -133,7 +133,7 @@ int m_config_parse_config_file(m_config_t *config, const char *conffile,
         }
 
         /* skip whitespaces */
-        while (isspace(line[line_pos]))
+        while (mp_isspace(line[line_pos]))
             ++line_pos;
 
         param_pos = 0;
@@ -145,7 +145,7 @@ int m_config_parse_config_file(m_config_t *config, const char *conffile,
             param_set = true;
 
             /* whitespaces... */
-            while (isspace(line[line_pos]))
+            while (mp_isspace(line[line_pos]))
                 ++line_pos;
 
             /* read the parameter */
@@ -187,8 +187,8 @@ int m_config_parse_config_file(m_config_t *config, const char *conffile,
                 }
             }
 
-            for (param_pos = 0; isprint(line[line_pos])
+            for (param_pos = 0; mp_isprint(line[line_pos])
-                    && !isspace(line[line_pos])
+                    && !mp_isspace(line[line_pos])
                     && line[line_pos] != '#'; /* NOTHING */) {
                 param[param_pos++] = line[line_pos++];
                 if (param_pos >= MAX_PARAM_LEN) {
@@ -202,7 +202,7 @@ int m_config_parse_config_file(m_config_t *config, const char *conffile,
 
         param_done:
 
-            while (isspace(line[line_pos]))
+            while (mp_isspace(line[line_pos]))
                 ++line_pos;
         }
         param[param_pos] = '\0';

player/configfiles.c

@@ -22,7 +22,6 @@
 #include <sys/stat.h>
 #include <fcntl.h>
 #include <unistd.h>
-#include <ctype.h>
 
 #include <libavutil/md5.h>
 
@@ -34,6 +33,7 @@
 #include "common/global.h"
 #include "common/encode.h"
 #include "common/msg.h"
+#include "misc/ctype.h"
 #include "options/path.h"
 #include "options/m_config.h"
 #include "options/parse_configfile.h"
@@ -267,7 +267,7 @@ static bool needs_config_quoting(const char *s)
 {
     for (int i = 0; s && s[i]; i++) {
         unsigned char c = s[i];
-        if (!isprint(c) || isspace(c) || c == '#' || c == '\'' || c == '"')
+        if (!mp_isprint(c) || mp_isspace(c) || c == '#' || c == '\'' || c == '"')
             return true;
     }
     return false;

player/main.c

@@ -21,7 +21,6 @@
 #include <stdbool.h>
 #include <math.h>
 #include <assert.h>
-#include <ctype.h>
 #include <string.h>
 #include <pthread.h>
 

player/timeline/tl_cue.c

@@ -20,7 +20,6 @@
 #include <stdlib.h>
 #include <stdbool.h>
 #include <inttypes.h>
-#include <ctype.h>
 
 #include "talloc.h"
 

player/timeline/tl_mpv_edl.c

@@ -19,7 +19,6 @@
 #include <stdlib.h>
 #include <stdbool.h>
 #include <inttypes.h>
-#include <ctype.h>
 #include <math.h>
 
 #include "talloc.h"

stream/dvb_tune.c

@@ -25,7 +25,6 @@
 
 #include <stdio.h>
 #include <stdlib.h>
-#include <ctype.h>
 #include <sys/ioctl.h>
 #include <poll.h>
 #include <unistd.h>

stream/stream_dvb.c

@@ -34,7 +34,6 @@ Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
-#include <ctype.h>
 #include <sys/ioctl.h>
 #include <sys/time.h>
 #include <poll.h>
@@ -45,6 +44,7 @@ Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
 #include <libavutil/avstring.h>
 
 #include "osdep/io.h"
+#include "misc/ctype.h"
 
 #include "stream.h"
 #include "options/m_config.h"
@@ -177,7 +177,7 @@ static dvb_channels_list *dvb_get_channels(struct mp_log *log, char *filename, i
                 {
                         fields = sscanf(&line[k], sat_conf,
                                 &ptr->freq, &ptr->pol, &ptr->diseqc, &ptr->srate, vpid_str, apid_str);
-                        ptr->pol = toupper(ptr->pol);
+                        ptr->pol = mp_toupper(ptr->pol);
                         ptr->freq *=  1000UL;
                         ptr->srate *=  1000UL;
                         ptr->tone = -1;

stream/stream_dvd.c

@@ -18,7 +18,6 @@
  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
  */
 
-#include <ctype.h>
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>

stream/stream_pvr.c

@@ -30,7 +30,6 @@
 #include <stdlib.h>
 #include <unistd.h>
 #include <string.h>
-#include <ctype.h>
 #include <sys/time.h>
 #include <errno.h>
 #include <sys/ioctl.h>

stream/tv.c

@@ -29,7 +29,6 @@
 #include <stdlib.h>
 #include <unistd.h>
 #include <string.h>
-#include <ctype.h>
 #include <sys/time.h>
 #include <assert.h>
 #include <libavutil/avstring.h>
@@ -38,6 +37,7 @@
 
 
 #include "common/msg.h"
+#include "misc/ctype.h"
 
 #include "options/m_option.h"
 #include "options/m_config.h"
@@ -628,7 +628,7 @@ static int open_tv(tvi_handle_t *tvh)
         int channel = 0;
         if (tvh->tv_param->channel)
          {
-           if (isdigit(*tvh->tv_param->channel))
+           if (mp_isdigit(*tvh->tv_param->channel))
                 /* if tvh->tv_param->channel begins with a digit interpret it as a number */
                 channel = atoi(tvh->tv_param->channel);
            else

sub/find_subfiles.c

@@ -1,16 +1,16 @@
 #include <dirent.h>
 #include <string.h>
 #include <stdlib.h>
-#include <ctype.h>
 #include <assert.h>
 
 #include "osdep/io.h"
 
+#include "common/common.h"
 #include "common/global.h"
 #include "common/msg.h"
+#include "misc/ctype.h"
 #include "options/options.h"
 #include "options/path.h"
-#include "common/common.h"
 #include "sub/find_subfiles.h"
 
 static const char *const sub_exts[] = {"utf", "utf8", "utf-8", "idx", "sub", "srt",
@@ -75,7 +75,7 @@ static struct bstr guess_lang_from_filename(struct bstr name)
 
     if (name.start[i] == ')' || name.start[i] == ']')
         i--;
-    while (i >= 0 && isalpha(name.start[i])) {
+    while (i >= 0 && mp_isalpha(name.start[i])) {
         n++;
         if (n > 3)
             return (struct bstr){NULL, 0};

sub/sd_microdvd.c

@@ -24,7 +24,6 @@
 #include <stdio.h>
 #include <stdarg.h>
 #include <stdbool.h>
-#include <ctype.h>
 #include <libavutil/common.h>
 
 #include "common/msg.h"

sub/sd_srt.c

@@ -24,11 +24,11 @@
 #include <stdio.h>
 #include <stdarg.h>
 #include <stdbool.h>
-#include <ctype.h>
-#include <libavutil/common.h>
 
+#include "common/common.h"
 #include "common/msg.h"
 #include "bstr/bstr.h"
+#include "misc/ctype.h"
 #include "sd.h"
 
 struct line {
@@ -259,7 +259,7 @@ static int read_attr(char **s, struct bstr *attr, struct bstr *val)
     attr->start = *s;
     attr->len = eq - *s;
     for (int i = 0; i < attr->len; i++)
-        if (!isalnum(attr->start[i]))
+        if (!mp_isalnum(attr->start[i]))
             return -1;
     val->start = eq + 1;
     bool quoted = val->start[0] == '"';
@@ -290,7 +290,7 @@ static void convert_subrip(struct sd *sd, const char *orig,
     while (*line && new_line.len < new_line.bufsize - 1) {
         char *orig_line = line;
 
-        for (int i = 0; i < FF_ARRAY_ELEMS(subrip_basic_tags); i++) {
+        for (int i = 0; i < MP_ARRAY_SIZE(subrip_basic_tags); i++) {
             const struct tag_conv *tag = &subrip_basic_tags[i];
             int from_len = strlen(tag->from);
             if (strncmp(line, tag->from, from_len) == 0) {
@@ -331,7 +331,7 @@ static void convert_subrip(struct sd *sd, const char *orig,
                 }
             }
         } else if (strncmp(line, "<font ", 6) == 0
-                   && sp + 1 < FF_ARRAY_ELEMS(font_stack)) {
+                   && sp + 1 < MP_ARRAY_SIZE(font_stack)) {
             /* Opening font tag */
             char *potential_font_tag_start = line;
             int len_backup = new_line.len;
@@ -360,7 +360,7 @@ static void convert_subrip(struct sd *sd, const char *orig,
                     int found = 0;
 
                     // Try to lookup the string in standard web colors
-                    for (int i = 0; i < FF_ARRAY_ELEMS(subrip_web_colors); i++) {
+                    for (int i = 0; i < MP_ARRAY_SIZE(subrip_web_colors); i++) {
                         char *color = subrip_web_colors[i].s;
                         if (bstrcasecmp(val, bstr0(color)) == 0) {
                             uint32_t xcolor = subrip_web_colors[i].v;

video/out/gl_common.c

@@ -36,7 +36,6 @@
 #include <stdlib.h>
 #include <stdio.h>
 #include <string.h>
-#include <ctype.h>
 #include <stdbool.h>
 #include <math.h>
 #include <assert.h>

video/out/pnm_loader.c

@@ -33,7 +33,7 @@
 #include <stdlib.h>
 #include <stdint.h>
 #include <stdio.h>
-#include <ctype.h>
+#include "misc/ctype.h"
 #include "pnm_loader.h"
 
 /**
@@ -48,7 +48,7 @@ static void ppm_skip(FILE *f) {
       comment = 1;
     if (c == '\n')
       comment = 0;
-  } while (c != EOF && (isspace(c) || comment));
+  } while (c != EOF && (mp_isspace(c) || comment));
   if (c != EOF)
     ungetc(c, f);
 }
@@ -77,7 +77,7 @@ uint8_t *read_pnm(FILE *f, int *width, int *height,
   if (fscanf(f, "%u", &m) != 1)
     return NULL;
   val = fgetc(f);
-  if (!isspace(val))
+  if (!mp_isspace(val))
     return NULL;
   if (w > MAXDIM || h > MAXDIM)
     return NULL;

video/out/vo_opengl_old.c

@@ -28,12 +28,12 @@
 #include <string.h>
 #include <math.h>
 #include <stdbool.h>
-#include <ctype.h>
 #include <assert.h>
 
 #include "config.h"
 #include "talloc.h"
 #include "common/msg.h"
+#include "misc/ctype.h"
 #include "options/m_option.h"
 #include "vo.h"
 #include "video/vfcap.h"
@@ -538,7 +538,7 @@ static void replace_var_str(char **text, const char *name, const char *replace)
         nextvar += namelen;
         // try not to replace prefixes of other vars (e.g. $foo vs. $foo_bar)
         char term = nextvar[0];
-        if (isalnum(term) || term == '_')
+        if (mp_isalnum(term) || term == '_')
             continue;
         int prelength = until - *text;
         int postlength = nextvar - *text;