Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

panic safety issue in impl TransformContent<S, D> for [S; (2|3|4)] #47

Closed
JOE1994 opened this issue Jan 11, 2021 · 0 comments · Fixed by #48
Closed

panic safety issue in impl TransformContent<S, D> for [S; (2|3|4)] #47

JOE1994 opened this issue Jan 11, 2021 · 0 comments · Fixed by #48

Comments

@JOE1994
Copy link
Contributor

JOE1994 commented Jan 11, 2021

Hello 🦀 ,
we (Rust group @sslab-gatech) found a memory-safety/soundness issue in this crate while scanning Rust code on crates.io for potential vulnerabilities.

Issue Description

The issue is relevant to implementation of TransformContent<S, D> trait for [S; 2], [S; 3], and [S; 4].

basic_dsp/matrix/src/lib.rs

Lines 229 to 241 in 7375e9f

fn transform<F>(self, mut conversion: F) -> Self::Output
where
F: FnMut(S) -> D,
{
unsafe {
let result = [
conversion(ptr::read(&self[0])),
conversion(ptr::read(&self[1])),
];
mem::forget(self);
result
}
}

basic_dsp/matrix/src/lib.rs

Lines 243 to 258 in 7375e9f

fn transform_res<F>(self, mut conversion: F) -> TransRes<Self::Output>
where
F: FnMut(S) -> TransRes<D>,
{
unsafe {
let mut error = None;
let first = try_conv!(conversion(ptr::read(&self[0])), error);
let second = try_conv!(conversion(ptr::read(&self[1])), error);
mem::forget(self);
match error {
None => Ok([first, second]),
Some(err) => Err((err, [first, second])),
}
}
}

If a panic happens within conversion,
item(S) within self can be dropped twice since the ownership of the item within self is duplicated with ptr::read().

Suggested Fix

By keeping self within ManuallyDrop<_> instead of using mem::forget(),
it is possible to guard against such double drop bugs.
I will immediately submit a PR containing the suggested fix.

Thank you for checking out this issue 👍
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

fix panic safety issue: guard against double drop
1 participant
@JOE1994