fix pointer invalidation when extnding a vector from an untrusted iterator

author: Ralf Jung <post@ralfj.de> 2020-03-30 10:38:21 +0200
committer: Ralf Jung <post@ralfj.de> 2020-03-30 11:58:16 +0200
commit: 86c1c434206d5fb9b58b0847e2f4deb20340d3c5 (patch)
tree: eba8e8fb2a27cd08a1f0e51c0fc093692c4ccd36 /src/liballoc
parent: 6556549fa6d74791d1e3e155ae8a4d1480ea4481 (diff)
download: rust-86c1c434206d5fb9b58b0847e2f4deb20340d3c5.tar.gz
rust-86c1c434206d5fb9b58b0847e2f4deb20340d3c5.zip
1 files changed, 3 insertions, 1 deletions
diff --git a/src/liballoc/vec.rs b/src/liballoc/vec.rs
index 361ce20376d..6f264399fa8 100644
--- a/src/liballoc/vec.rs
+++ b/src/liballoc/vec.rs
@@ -2019,6 +2019,8 @@ where
                 let (lower, _) = iterator.size_hint();
                 let mut vector = Vec::with_capacity(lower.saturating_add(1));
                 unsafe {
+                    // `vector` is new, cannot have aliases, so us getting exclusive references
+                    // here is okay.
                     ptr::write(vector.get_unchecked_mut(0), element);
                     vector.set_len(1);
                 }
@@ -2145,7 +2147,7 @@ impl<T> Vec<T> {
                 self.reserve(lower.saturating_add(1));
             }
             unsafe {
-                ptr::write(self.get_unchecked_mut(len), element);
+                ptr::write(self.as_mut_ptr().add(len), element);
                 // NB can't overflow since we would have had to alloc the address space
                 self.set_len(len + 1);
             }
author	Ralf Jung <post@ralfj.de>	2020-03-30 10:38:21 +0200
committer	Ralf Jung <post@ralfj.de>	2020-03-30 11:58:16 +0200
commit	86c1c434206d5fb9b58b0847e2f4deb20340d3c5 (patch)
tree	eba8e8fb2a27cd08a1f0e51c0fc093692c4ccd36 /src/liballoc
parent	6556549fa6d74791d1e3e155ae8a4d1480ea4481 (diff)
download	rust-86c1c434206d5fb9b58b0847e2f4deb20340d3c5.tar.gz rust-86c1c434206d5fb9b58b0847e2f4deb20340d3c5.zip