Skip to content

Commit

Permalink
Fix potential buffer overflow in insert_many
Browse files Browse the repository at this point in the history
Fixes servo#252.
  • Loading branch information
mbrubeck committed Jan 8, 2021
1 parent 0b2b4e5 commit 1d67c2e
Show file tree
Hide file tree
Showing 3 changed files with 17 additions and 2 deletions.
2 changes: 1 addition & 1 deletion Cargo.toml
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
[package]
name = "smallvec"
version = "1.6.0"
version = "1.6.1"
edition = "2018"
authors = ["The Servo Project Developers"]
license = "MIT/Apache-2.0"
Expand Down
2 changes: 1 addition & 1 deletion src/lib.rs
Original file line number Diff line number Diff line change
Expand Up @@ -1041,7 +1041,7 @@ impl<A: Array> SmallVec<A> {
let mut cur = ptr.add(num_added);
if num_added >= lower_size_bound {
// Iterator provided more elements than the hint. Move trailing items again.
self.reserve(1);
self.reserve(guard.len + 1);
let start = self.as_mut_ptr();
ptr = start.add(index);
cur = ptr.add(num_added);
Expand Down
15 changes: 15 additions & 0 deletions src/tests.rs
Original file line number Diff line number Diff line change
Expand Up @@ -905,3 +905,18 @@ fn empty_macro() {
fn zero_size_items() {
SmallVec::<[(); 0]>::new().push(());
}

#[test]
fn test_insert_many_overflow() {
let mut v: SmallVec<[u8; 0]> = SmallVec::new();

// Spill on heap
v.push(123);

// Prepare an iterator with small lower bound
let iter = (0u8..=255).filter(|n| n % 2 == 0);
assert_eq!(iter.size_hint().0, 0);

// Triggering the bug
v.insert_many(0, iter);
}

0 comments on commit 1d67c2e

Please sign in to comment.