Overflows can unsoundly taint length state in AlignedVec
#1356
Comments
Expanding on the memory safety issue by stepping through the test: after resizing, `assert_eq!(v.inner.len(), 1);` holds. The allocation consequently has a size of 8 bytes. The method nevertheless continues, and the initialization loop offsets the base pointer of the allocation way past those 8 bytes and writes the requested number into each memory. This is already UB. Note that the later access in
One possible "quick fix" is the classic
AlignedVec
Relates to: rav1d/src/align.rs, lines 185 to 191 in 7d72409
The following test must fail as it demonstrates memory unsafety, accessing an array way beyond its possible bounds.
The problem occurs in release mode, where no overflow checks are enabled. Code must not depend on overflow for correctness. The Safety comment is just incorrect:
This is untrue. If the calculation for `new_bytes` overflows, the allocation which actually occurs is much smaller. The fix should be quite small: enforce a limit on the newly requested length such that it never overflows. The case of a zero-sized `T` can be ignored; this will never allocate at all. I'm intending to create a PR soonish.