diff options
| author | The 8472 <git@infinite-source.de> | 2023-01-16 21:39:36 +0100 |
|---|---|---|
| committer | The 8472 <git@infinite-source.de> | 2023-01-17 22:01:33 +0100 |
| commit | 47014b1bb968be08923a670b1ebfe4deb4256601 (patch) | |
| tree | acff87ab6d745ea43d48a0eaf2c7a907b893e185 | |
| parent | 481725984b4cd94ef5c00917b01c1771b6e5299c (diff) | |
| download | rust-47014b1bb968be08923a670b1ebfe4deb4256601.tar.gz rust-47014b1bb968be08923a670b1ebfe4deb4256601.zip | |
Don't do pointer arithmetic on pointers to deallocated memory
vec::Splice can invalidate the slice::Iter inside vec::Drain. So we replace them with dangling pointers which, unlike ones to deallocated memory, are allowed.
| -rw-r--r-- | library/alloc/src/vec/drain.rs | 6 | ||||
| -rw-r--r-- | library/alloc/src/vec/splice.rs | 6 |
2 files changed, 9 insertions, 3 deletions
diff --git a/library/alloc/src/vec/drain.rs b/library/alloc/src/vec/drain.rs index 541f99bcfab..2b1a787cc54 100644 --- a/library/alloc/src/vec/drain.rs +++ b/library/alloc/src/vec/drain.rs @@ -223,9 +223,9 @@ impl<T, A: Allocator> Drop for Drain<'_, T, A> { } // as_slice() must only be called when iter.len() is > 0 because - // vec::Splice modifies vec::Drain fields and may grow the vec which would invalidate - // the iterator's internal pointers. Creating a reference to deallocated memory - // is invalid even when it is zero-length + // it also gets touched by vec::Splice which may turn it into a dangling pointer + // which would make it and the vec pointer point to different allocations which would + // lead to invalid pointer arithmetic below. let drop_ptr = iter.as_slice().as_ptr(); unsafe { diff --git a/library/alloc/src/vec/splice.rs b/library/alloc/src/vec/splice.rs index bad765c7f51..1861147fe72 100644 --- a/library/alloc/src/vec/splice.rs +++ b/library/alloc/src/vec/splice.rs @@ -54,6 +54,12 @@ impl<I: Iterator, A: Allocator> ExactSizeIterator for Splice<'_, I, A> {} impl<I: Iterator, A: Allocator> Drop for Splice<'_, I, A> { fn drop(&mut self) { self.drain.by_ref().for_each(drop); + // At this point draining is done and the only remaining tasks are splicing + // and moving things into the final place. + // Which means we can replace the slice::Iter with pointers that won't point to deallocated + // memory, so that Drain::drop is still allowed to call iter.len(), otherwise it would break + // the ptr.sub_ptr contract. + self.drain.iter = (&[]).iter(); unsafe { if self.drain.tail_len == 0 { |