-
Notifications
You must be signed in to change notification settings - Fork 35
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Decoder::read_non_compressed_block() is unsound #31
Comments
This code might also be affected: Line 1122 in 0f565d3
|
This was referenced Jun 20, 2019
Thank you for your detailed report. |
Shnatsel
added a commit
to Shnatsel/libflate
that referenced
this issue
Jun 24, 2019
Merged
This seems to be the only occurrence of this issue. Everywhere else |
Fixed by the linked PR. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
The following code is unsound:
libflate/src/deflate/decode.rs
Lines 86 to 91 in 0f565d3
The slice passed to
read_exact()
is uninitialized. This uses a Read implementation supplied by the API user, and there is no guarantee that it will never read from the provided buffer. If it does, it may cause a memory disclosure vulnerability.Similar bug in Rust MP4 parser for reference: mozilla/mp4parse-rust#172
The equivalent code in stdlib initializes the vector with zeroes before growing it: https://doc.rust-lang.org/src/std/io/mod.rs.html#355-391
There have been some language proposals to create a contract for never reading from the buffer in this case, but they have not been stabilized: rust-lang/rust#42788
For now replacing
unsafe { self.buffer.set_len(old_len + len as usize) };
withself.buffer.resize(old_len + len as usize, 0);
should fix it.I have not read all of the unsafe code in libflate, there may be similar issues in other unsafe blocks, which is why I'm opening an issue instead of a PR right away.
The text was updated successfully, but these errors were encountered: