Closed
Description
std::vec does not check for overflow properly, and it should be possible to crash Rust where uint overflow can be triggered in reserve logic (at least in 32-bit Rust).
.reserve(n)must allocatenelements, orfail!()(or controlled OOM abort in the runtime/allocator); I think this is ok today..reserve_at_least(n)must allocate at leastnelements orfail!(). This is buggy today since sufficiently largenwill round "up" to0.- Must check for overflow when computing new input to
.reserveor.reverse_at_least - Instances where we have possibility of overflow, then call to reserve method, then follows unsafe code assuming successful allocation:
- https://github.com/mozilla/rust/blob/2690b513506dad53d0b86b20f8b73bc420dfb3a2/src/libstd/vec.rs#L1349
- https://github.com/mozilla/rust/blob/2690b513506dad53d0b86b20f8b73bc420dfb3a2/src/libstd/vec.rs#L1358
- https://github.com/mozilla/rust/blob/2690b513506dad53d0b86b20f8b73bc420dfb3a2/src/libstd/vec.rs#L1403
- Knock-off instances of the same problem in
str- https://github.com/mozilla/rust/blob/2690b513506dad53d0b86b20f8b73bc420dfb3a2/src/libstd/str.rs#L156
- https://github.com/mozilla/rust/blob/2690b513506dad53d0b86b20f8b73bc420dfb3a2/src/libstd/str.rs#L186
- https://github.com/mozilla/rust/blob/2690b513506dad53d0b86b20f8b73bc420dfb3a2/src/libstd/str.rs#L1021
- https://github.com/mozilla/rust/blob/2690b513506dad53d0b86b20f8b73bc420dfb3a2/src/libstd/str.rs#L2127
- https://github.com/mozilla/rust/blob/2690b513506dad53d0b86b20f8b73bc420dfb3a2/src/libstd/str.rs#L2145
- https://github.com/mozilla/rust/blob/2690b513506dad53d0b86b20f8b73bc420dfb3a2/src/libstd/str.rs#L2162
verdict: if you unsafe {}, check for overflow.
Metadata
Metadata
Assignees
Labels
No labels