
Memory Unsafety on 16bit Platforms for Range.collect() #48006

Closed
@oberien

Description

@oberien

TrustedLen is implemented for Range for every integer primitive T. TrustedLen requires that the upper bound of .size_hint is None if the iterator produces more than usize::MAX elements. <Range as Iterator>.size_hint uses steps_between to produce its result. The implementation of steps_between subtracts the lower from the upper value and casts it to usize. This is implemented unconditionally for u32. On 16bit platforms, the result of the subtraction of two u32 values may not fit inside usize, producing an invalid size_hint.
This means that e.g. collecting into a Vec using its SpecExtend::spec_extend specialization for TrustedLen allows writing beyond its reserved buffer. One such example input would be (0..(usize::MAX as u32 + 1)).collect::<Vec<_>>().

Reference: #47944 (comment)
/cc @bluss
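The mechanism described in the issue, as an added example that is not code from the issue or from the Rust standard library. A 16-bit usize is modelled with the alias Usize16 (= u16) so the truncation reproduces on a 64-bit host; steps_between_buggy, steps_between_checked and out_of_bounds_writes are hypothetical names for the unconditional subtract-and-cast, for a variant that returns None when the count does not fit (the TrustedLen contract), and for a consumer that reserves exactly the hinted capacity and counts, rather than performs, the writes that would land past the reservation.

```rust
use std::convert::TryFrom;

// Added example: models a 16-bit platform's `usize` on a 64-bit host so the
// overflow from the issue can be reproduced without a 16-bit toolchain.
type Usize16 = u16;

/// Models the behaviour described in the issue: the difference of two u32
/// values is cast to the platform usize unconditionally, so on a 16-bit
/// target the count silently wraps (65536 becomes 0).
fn steps_between_buggy(start: u32, end: u32) -> Option<Usize16> {
    if start < end {
        Some((end - start) as Usize16) // truncating `as` cast
    } else {
        Some(0)
    }
}

/// Hardened variant: when the true count does not fit in usize, report
/// `None` as the upper bound, which is what TrustedLen requires.
fn steps_between_checked(start: u32, end: u32) -> Option<Usize16> {
    if start < end {
        Usize16::try_from(end - start).ok()
    } else {
        Some(0)
    }
}

/// Simulates a spec_extend-style consumer that trusts the upper bound: it
/// reserves exactly `hint` slots and returns how many element writes would
/// fall outside that reservation. A `None` hint means the consumer must not
/// take the trusted fast path at all, so no unchecked writes happen.
fn out_of_bounds_writes(start: u32, end: u32, hint: Option<Usize16>) -> usize {
    let actual = end.saturating_sub(start) as usize;
    match hint {
        Some(reserved) => actual.saturating_sub(reserved as usize),
        None => 0,
    }
}

fn main() {
    // The input from the issue, with usize::MAX taken as a 16-bit value.
    let end = Usize16::MAX as u32 + 1; // 65536
    for (name, hint) in [
        ("buggy", steps_between_buggy(0, end)),
        ("checked", steps_between_checked(0, end)),
    ] {
        println!(
            "{name}: size_hint upper = {hint:?}, writes past reservation = {}",
            out_of_bounds_writes(0, end, hint)
        );
    }
}
```

Run on the issue's input, the buggy hint is Some(0) and every one of the 65536 elements would be written past a zero-length reservation; the checked hint is None, so a consumer honouring the TrustedLen contract never enters the unchecked copy loop. The general fix is the same for any source type wider than usize: use a fallible conversion rather than `as` whenever the result feeds a capacity.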

    Labels

    C-bug: Category: This is a bug.
    I-unsound: Issue: A soundness hole (worst kind of bug), see: https://en.wikipedia.org/wiki/Soundness
    T-libs-api: Relevant to the library API team, which will review and decide on the PR/issue.
