From 6e10b0fa8d24d7c31b3c234f75215fa68c252e02 Mon Sep 17 00:00:00 2001 From: "main()" Date: Fri, 14 Oct 2022 13:16:45 +0200 Subject: [PATCH 1/2] Fix unsound IntoIter implementation IntoIter was missing a 'borrow lifetime parameter, leading to trivial use-after-free issues (fixes #187). --- src/collections/vec.rs | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/src/collections/vec.rs b/src/collections/vec.rs index f08f691..5d36019 100644 --- a/src/collections/vec.rs +++ b/src/collections/vec.rs @@ -1941,7 +1941,7 @@ impl<'bump, T: 'bump> ops::DerefMut for Vec<'bump, T> { impl<'bump, T: 'bump> IntoIterator for Vec<'bump, T> { type Item = T; - type IntoIter = IntoIter; + type IntoIter = IntoIter<'bump, T>; /// Creates a consuming iterator, that is, one that moves each value out of /// the vector (from start to end). The vector cannot be used after calling @@ -1961,7 +1961,7 @@ impl<'bump, T: 'bump> IntoIterator for Vec<'bump, T> { /// } /// ``` #[inline] - fn into_iter(mut self) -> IntoIter { + fn into_iter(mut self) -> IntoIter<'bump, T> { unsafe { let begin = self.as_mut_ptr(); // assume(!begin.is_null()); @@ -2222,19 +2222,19 @@ impl<'bump, T> Drop for Vec<'bump, T> { /// (provided by the [`IntoIterator`] trait). /// /// [`IntoIterator`]: https://doc.rust-lang.org/std/iter/trait.IntoIterator.html -pub struct IntoIter { - phantom: PhantomData, +pub struct IntoIter<'bump, T> { + phantom: PhantomData<&'bump [T]>, ptr: *const T, end: *const T, } -impl fmt::Debug for IntoIter { +impl<'bump, T: fmt::Debug> fmt::Debug for IntoIter<'bump, T> { fn fmt(&self, f: &mut fmt::Formatter) -> fmt::Result { f.debug_tuple("IntoIter").field(&self.as_slice()).finish() } } -impl<'bump, T: 'bump> IntoIter { +impl<'bump, T: 'bump> IntoIter<'bump, T> { /// Returns the remaining items of this iterator as a slice. /// /// # Examples @@ -2276,10 +2276,10 @@ impl<'bump, T: 'bump> IntoIter { } } -unsafe impl Send for IntoIter {} -unsafe impl Sync for IntoIter {} +unsafe impl<'bump, T: Send> Send for IntoIter<'bump, T> {} +unsafe impl<'bump, T: Sync> Sync for IntoIter<'bump, T> {} -impl<'bump, T: 'bump> Iterator for IntoIter { +impl<'bump, T: 'bump> Iterator for IntoIter<'bump, T> { type Item = T; #[inline] @@ -2320,7 +2320,7 @@ impl<'bump, T: 'bump> Iterator for IntoIter { } } -impl<'bump, T: 'bump> DoubleEndedIterator for IntoIter { +impl<'bump, T: 'bump> DoubleEndedIterator for IntoIter<'bump, T> { #[inline] fn next_back(&mut self) -> Option { unsafe { @@ -2341,9 +2341,9 @@ impl<'bump, T: 'bump> DoubleEndedIterator for IntoIter { } } -impl<'bump, T: 'bump> ExactSizeIterator for IntoIter {} +impl<'bump, T: 'bump> ExactSizeIterator for IntoIter<'bump, T> {} -impl<'bump, T: 'bump> FusedIterator for IntoIter {} +impl<'bump, T: 'bump> FusedIterator for IntoIter<'bump, T> {} /// A draining iterator for `Vec<'bump, T>`. /// From 8e45f75d30d8e9bd25168f055382250966c3c7e7 Mon Sep 17 00:00:00 2001 From: "main()" Date: Fri, 14 Oct 2022 13:22:38 +0200 Subject: [PATCH 2/2] Implement Drop for IntoIter Both Vec and Drain drop leftover elements when they are dropped. It would be inconsistent for IntoIter to just leak them. --- src/collections/vec.rs | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/src/collections/vec.rs b/src/collections/vec.rs index 5d36019..b5a6002 100644 --- a/src/collections/vec.rs +++ b/src/collections/vec.rs @@ -2345,6 +2345,13 @@ impl<'bump, T: 'bump> ExactSizeIterator for IntoIter<'bump, T> {} impl<'bump, T: 'bump> FusedIterator for IntoIter<'bump, T> {} +impl<'bump, T> Drop for IntoIter<'bump, T> { + fn drop(&mut self) { + // drop all remaining elements + self.for_each(drop); + } +} + /// A draining iterator for `Vec<'bump, T>`. /// /// This `struct` is created by the [`Vec::drain`] method.