[Pre-RFC] Fixed-capacity view of Vec

scottmcm · September 20, 2018, 7:56pm

So, who else read that source code snippit carefully enough to spot the unsoundness?

github.com/rust-lang/rust

[stable] std: Check for overflow in `str::repeat`

rust-lang:stable ← alexcrichton:fix-bug-stable

opened 04:38PM - 20 Sep 18 UTC

alexcrichton

+42 -2

This commit fixes a buffer overflow issue in the standard library discovered by… Scott McMurray where if a large number was passed to `str::repeat` it may cause and out of bounds write to the buffer of a `Vec`. This bug was accidentally introduced in #48657 when optimizing the `str::repeat` function. The bug affects stable Rust releases 1.26.0 to 1.29.0. We plan on backporting this fix to create a 1.29.1 release, and the 1.30.0 release onwards will include this fix. The fix in this commit is to introduce a deterministic panic in the case of capacity overflow. When repeating a slice where the resulting length is larger than the address space, there’s no way it can succeed anyway! The standard library and surrounding libraries were briefly checked to see if there were othere instances of preallocating a vector with a calculation that may overflow. No instances of this bug (out of bounds write due to a calculation overflow) were found at this time. Note that this commit is the first steps towards fixing this issue, we'll be making a formal post to the Rust security list once these commits have been merged.

Topic		Replies	Views
Make Vec::set_len enforce the len <= cap invariant	25	2032	April 14, 2019
Uninitialized memory	57	10279	March 25, 2019
Rust needs a safe abstraction over uninitialized memory language design	80	4020	March 21, 2025
MaybeUninit: consider supporting extract the value safely	47	1300	October 13, 2024
Canvas unsafe code in the wild Unsafe Code Guidelines	25	8063	March 25, 2019

[Pre-RFC] Fixed-capacity view of Vec

Related topics