Uses of slice::from_raw_parts with input from FFI would need some manual pre-checks #143
Comments
#145 fixes the immediate issue with crc32/adler32 and I'm working on other public-facing calls to unsafe functions ( In most cases the responsibility of satisfying the preconditions just gets passed on to the caller, but for
On We return Of course, these changes benefit from a second pair of eyes going over the assumptions. Then there is of course also unsafe code internal to the library, but that already got tested (with miri too)/fuzzed a lot more.
The preconditions for slice::from_raw_parts include the following:
When the preconditions are not fulfilled, a debug build will fail with the message
and a release build may crash, depending on which optimizations the Rust compiler applied.
One way this can happen is when the crc32 function is called like the following:
All uses of slice::from_raw_parts should be audited for whether the pointer/length pairs can originate from API user input in a similar way, and adjusted so that the preconditions are met.
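The kind of pre-check the issue asks for, as an added Rust example that is not the project's own code: ffi_bytes, crc32_update and the example_crc32 entry point (including its "rejected input returns 0" convention) are assumed names and behaviour, not the library's API.

```rust
use std::slice;

/// Turn an FFI (pointer, length) pair into a byte slice only if the
/// runtime-checkable preconditions of `slice::from_raw_parts` hold:
///  - the pointer is non-null (required even for an empty slice), and
///  - the byte count does not exceed isize::MAX.
/// (NULL, 0) is accepted as the conventional "no data" argument and yields
/// an empty slice without ever calling from_raw_parts. Validity of the
/// memory itself cannot be checked here, hence the function stays `unsafe`.
pub unsafe fn ffi_bytes<'a>(ptr: *const u8, len: usize) -> Option<&'a [u8]> {
    if ptr.is_null() {
        return if len == 0 { Some(&[]) } else { None };
    }
    if len > isize::MAX as usize {
        return None;
    }
    // SAFETY: the caller guarantees `ptr` points to `len` readable bytes that
    // are not mutated while the slice is alive; null and size are checked above.
    Some(unsafe { slice::from_raw_parts(ptr, len) })
}

/// Bitwise CRC-32 (reflected IEEE polynomial), the standard algorithm.
pub fn crc32_update(crc: u32, data: &[u8]) -> u32 {
    let mut c = !crc;
    for &b in data {
        c ^= u32::from(b);
        for _ in 0..8 {
            c = if c & 1 != 0 { (c >> 1) ^ 0xEDB8_8320 } else { c >> 1 };
        }
    }
    !c
}

/// Hypothetical C-ABI entry point (assumed name and signature, not the
/// project's): the slice is built through the check above, so a caller
/// passing (NULL, 0) gets the initial checksum back instead of tripping the
/// from_raw_parts debug assertion. Rejected input returns 0 (an assumption).
pub unsafe extern "C" fn example_crc32(crc: u32, buf: *const u8, len: u32) -> u32 {
    match unsafe { ffi_bytes(buf, len as usize) } {
        Some(bytes) => crc32_update(crc, bytes),
        None => 0,
    }
}
```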