summary refs log tree commit diff
path: root/src/libstd
diff options
context:
space:
mode:
authorAlex Crichton <alex@alexcrichton.com>2018-09-20 09:31:14 -0700
committerAlex Crichton <alex@alexcrichton.com>2018-09-20 09:37:08 -0700
commit1b94b84ad0143ea2039610e3aec9e929a8a20733 (patch)
tree4e3c1ca49a7ef3b4c792bef589bfd6eff5aada78 /src/libstd
parentaa3ca1994904f2e056679fce1f185db8c7ed2703 (diff)
downloadrust-1b94b84ad0143ea2039610e3aec9e929a8a20733.tar.gz
rust-1b94b84ad0143ea2039610e3aec9e929a8a20733.zip
std: Check for overflow in `str::repeat`
This commit fixes a buffer overflow issue in the standard library
discovered by Scott McMurray where if a large number was passed to
`str::repeat` it may cause and out of bounds write to the buffer of a `Vec`.
This bug was accidentally introduced in #48657 when optimizing the
`str::repeat` function. The bug affects stable Rust releases 1.26.0 to
1.29.0. We plan on backporting this fix to create a 1.29.1 release, and
the 1.30.0 release onwards will include this fix.

The fix in this commit is to introduce a deterministic panic in the case of
capacity overflow. When repeating a slice where the resulting length is larger
than the address space, there’s no way it can succeed anyway!

The standard library and surrounding libraries were briefly checked to see if
there were othere instances of preallocating a vector with a calculation that
may overflow. No instances of this bug (out of bounds write due to a calculation
overflow) were found at this time.

Note that this commit is the first steps towards fixing this issue,
we'll be making a formal post to the Rust security list once these
commits have been merged.
Diffstat (limited to 'src/libstd')
0 files changed, 0 insertions, 0 deletions