Use core::ffi::CStr and remove strlen

tcharding · tcharding · commit 4b1e8c360903 · 2022-11-23T11:12:00.000+11:00
Currently we manually parse the C string pointer argument, the same can
be achieved by using `CStr::from_ptr` followed by a call to `to_str`.

Use the `core::ffi::CStr` type to parse C string argument and remove our
custom `strlen` function, update safety section of docs accordingly.
diff --git a/secp256k1-sys/src/lib.rs b/secp256k1-sys/src/lib.rs
@@ -38,7 +38,8 @@ pub mod types;
 #[cfg_attr(docsrs, doc(cfg(feature = "recovery")))]
 pub mod recovery;
 
-use core::{slice, ptr};
+use core::ffi::CStr;
+use core::ptr;
 use types::*;
 
 /// Flag for context to enable no precomputation
@@ -864,17 +865,17 @@ pub unsafe extern "C" fn rustsecp256k1_v0_6_1_context_destroy(ctx: *mut Context)
 ///
 /// See also secp256k1_default_error_callback_fn.
 ///
-///
 /// # Safety
 ///
-/// For safety constraints see [`std::slice::from_raw_parts`] and [`std::str::from_utf8_unchecked`].
+/// `message` must point to a valid C string (see safety constraints on [`core::ffi::CStr::from_ptr`]).
 #[no_mangle]
 #[cfg(not(rust_secp_no_symbol_renaming))]
 pub unsafe extern "C" fn rustsecp256k1_v0_6_1_default_illegal_callback_fn(message: *const c_char, _data: *mut c_void) {
-    use core::str;
-    let msg_slice = slice::from_raw_parts(message as *const u8, strlen(message));
-    let msg = str::from_utf8_unchecked(msg_slice);
-    panic!("[libsecp256k1] illegal argument. {}", msg);
+    let s = CStr::from_ptr(message);
+    match s.to_str() {
+        Ok(msg) => panic!("[libsecp256k1] illegal argument. {}", msg),
+        Err(_) => panic!("[libsecp256k1] illegal argument (msg elided due to invalid UTF-8)"),
+    }
 }
 
 /// **This function is an override for the C function, this is the an edited version of the original description:**
@@ -893,33 +894,17 @@ pub unsafe extern "C" fn rustsecp256k1_v0_6_1_default_illegal_callback_fn(messag
 ///
 /// # Safety
 ///
-/// `message` must be valid pointer and point to a valid null terminated C string. For further
-/// safety constraints see [`std::slice::from_raw_parts`] and [`std::str::from_utf8_unchecked`].
+/// `message` must point to a valid C string (see safety constraints on [`core::ffi::CStr::from_ptr`]).
 #[no_mangle]
 #[cfg(not(rust_secp_no_symbol_renaming))]
 pub unsafe extern "C" fn rustsecp256k1_v0_6_1_default_error_callback_fn(message: *const c_char, _data: *mut c_void) {
-    use core::str;
-    let msg_slice = slice::from_raw_parts(message as *const u8, strlen(message));
-    let msg = str::from_utf8_unchecked(msg_slice);
-    panic!("[libsecp256k1] internal consistency check failed {}", msg);
-}
-
-/// Returns the length of the `str_ptr` string.
-///
-/// # Safety
-///
-/// `str_ptr` must be valid pointer and point to a valid null terminated C string.
-#[cfg(not(rust_secp_no_symbol_renaming))]
-unsafe fn strlen(mut str_ptr: *const c_char) -> usize {
-    let mut ctr = 0;
-    while *str_ptr != '\0' as c_char {
-        ctr += 1;
-        str_ptr = str_ptr.offset(1);
+    let s = CStr::from_ptr(message);
+    match s.to_str() {
+        Ok(msg) => panic!("[libsecp256k1] internal consistency check failed {}", msg),
+        Err(_) => panic!("[libsecp256k1] internal consistency check failed (msg elided due to invalid UTF-8)"),
     }
-    ctr
 }
 
-
 /// A trait for producing pointers that will always be valid in C (assuming NULL pointer is a valid
 /// no-op).
 ///
@@ -1427,18 +1412,3 @@ mod fuzz_dummy {
 #[cfg(fuzzing)]
 pub use self::fuzz_dummy::*;
 
-#[cfg(test)]
-mod tests {
-    #[cfg(not(rust_secp_no_symbol_renaming))]
-    #[test]
-    fn test_strlen() {
-        use std::ffi::CString;
-        use super::strlen;
-
-        let orig = "test strlen \t \n";
-        let test = CString::new(orig).unwrap();
-
-        assert_eq!(orig.len(), unsafe {strlen(test.as_ptr())});
-    }
-}
-
