Skip to content

Side effect handling in specialized zip implementation causes buffer overflow #82282

New issue
New issue
Closed
#82289
Closed
Side effect handling in specialized zip implementation causes buffer overflow#82282
#82289
Labels
C-bugCategory: This is a bug.I-unsoundIssue: A soundness hole (worst kind of bug), see: https://en.wikipedia.org/wiki/SoundnessP-criticalCritical priorityT-libsRelevant to the library team, which will review and decide on the PR/issue.
@Qwaz

Description

@Qwaz
Qwaz
opened on Feb 19, 2021

rust/library/core/src/iter/adapters/zip.rs

Lines 200 to 208 in 0148b97

} else if A::may_have_side_effect() && self.index < self.a.size() {
let i = self.index;
self.index += 1;
// match the base implementation's potential side effects
// SAFETY: we just checked that `i` < `self.a.len()`
unsafe {
self.a.__iterator_get_unchecked(i);
}
None

rust/library/core/src/iter/adapters/zip.rs

Lines 214 to 218 in 0148b97

#[inline]
fn size_hint(&self) -> (usize, Option<usize>) {
let len = self.len - self.index;
(len, Some(len))
}

self.index can be set to a value greater than self.len in this branch. This causes integer overflow in size_hint() and lead to a buffer overflow.

Playground Link that demonstrates segfault with safe Rust code.

Metadata

Metadata

Assignees

No one assigned

    Labels

    C-bugCategory: This is a bug.I-unsoundIssue: A soundness hole (worst kind of bug), see: https://en.wikipedia.org/wiki/SoundnessP-criticalCritical priorityT-libsRelevant to the library team, which will review and decide on the PR/issue.

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions