You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Neon provides functionality for creating JavaScript ArrayBuffer (and the Buffer subtype) instances backed by bytes allocated outside of V8/Node. The JsArrayBuffer::external and JsBuffer::external did not require T: 'static prior to Neon 0.10.1. This allowed creating an externally backed buffer from types that may be freed while they are still referenced by a JavaScript ArrayBuffer.
The following example demonstrates use after free. It compiles on versions <0.10.1 and fails to compile afterward.
pubfnsoundness_hole(mutcx:FunctionContext) ->JsResult<JsArrayBuffer>{letmut data = vec![0u8,1,2,3];// Creating an external from `&mut [u8]` instead of `Vec<u8>` since there is a blanket impl// of `AsMut<T> for &mut T`let buf = JsArrayBuffer::external(&mut cx, data.as_mut_slice());// `buf` is still holding a reference to `data`!drop(data);Ok(buf)}
neon
0.9.1
>=0.10.1
<0.8.0
Neon provides functionality for creating JavaScript
ArrayBuffer
(and theBuffer
subtype) instances backed by bytes allocated outside of V8/Node. TheJsArrayBuffer::external
andJsBuffer::external
did not requireT: 'static
prior to Neon0.10.1
. This allowed creating an externally backed buffer from types that may be freed while they are still referenced by a JavaScriptArrayBuffer
.The following example demonstrates use after free. It compiles on versions
<0.10.1
and fails to compile afterward.See advisory page for additional details.
The text was updated successfully, but these errors were encountered: