| author | Steven Fackler <sfackler@gmail.com> | 2021-01-11 07:27:03 -0500 |
|---|---|---|
| committer | Steven Fackler <sfackler@gmail.com> | 2021-01-11 07:27:03 -0500 |
| commit | ebe402dc9e708a8ed5e5860a7b30ea7826ab52a1 (patch) | |
| tree | b559897469ab46fe4927a9706cf0c10d530ac70d | |
| parent | c97f11af7bc4a6d3578f6a953be04ab2449a5728 (diff) | |
| download | rust-ebe402dc9e708a8ed5e5860a7b30ea7826ab52a1.tar.gz rust-ebe402dc9e708a8ed5e5860a7b30ea7826ab52a1.zip | |
Fix handling of malicious Readers in read_to_end
| -rw-r--r-- | library/std/src/io/mod.rs | 9 |
1 files changed, 8 insertions, 1 deletions
diff --git a/library/std/src/io/mod.rs b/library/std/src/io/mod.rs
index 7ad9e446c59..0bc0e0e8e83 100644
--- a/library/std/src/io/mod.rs
+++ b/library/std/src/io/mod.rs
@@ -390,7 +390,14 @@ where
 ret = Ok(g.len - start_len);
 break;
 }
- Ok(n) => g.len += n,
+ Ok(n) => {
+ // We can't let g.len overflow which would result in the vec shrinking when the function returns. In
+ // particular, that could break read_to_string if the shortened buffer doesn't end on a UTF-8 boundary.
+ // The minimal check would just be a checked_add, but this assert is a bit more precise and should be
+ // just about the same cost.
+ assert!(n <= g.buf.len() - g.len);
+ g.len += n;
+ }
 Err(ref e) if e.kind() == ErrorKind::Interrupted => {}
 Err(e) => {
 ret = Err(e); |
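Review bot: The new `assert!(n <= g.buf.len() - g.len)` in the `Ok(n)` arm has no message, so a panic caused by a `Read` implementation that over-reports its byte count shows only the expression, not the contract that was broken; something like `assert!(n <= g.buf.len() - g.len, "reader returned more bytes than the buffer can hold");` would point at the faulty reader. The comment explains only the wrap-around case, but the check also rejects an over-report that does not wrap, which would presumably leave `g.len` past the end of `g.buf`; one added sentence saying so would document the full invariant. The subtraction itself relies on `g.len <= g.buf.len()` holding on entry to the arm, which is established outside this hunk, since the enclosing loop and function start and end beyond it. The diffstat lists only `mod.rs`, so a regression test using a reader that reports more bytes than the slice it was given would be worth adding to pin the panic.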
