Merge pull request #1129 from CraftSpider/fix-bib-ub

pkgw · web-flow · commit c64e5243467f · 2023-12-06T13:40:40.000Z
[bibtex] Fix UB caused by invalidating protected reference
diff --git a/crates/engine_bibtex/src/xbuf.rs b/crates/engine_bibtex/src/xbuf.rs
@@ -45,14 +45,17 @@ pub fn xcalloc_zeroed<T: SafelyZero>(len: usize) -> Option<&'static mut [T]> {
     }
 }
 
-pub fn xrealloc_zeroed<T: SafelyZero>(
-    old: &'static mut [T],
+/// # Safety
+///
+/// The provided `old` buffer must be valid, and allocated by `xalloc`/`xcalloc`
+pub unsafe fn xrealloc_zeroed<T: SafelyZero>(
+    old: *mut [T],
     new_len: usize,
 ) -> Option<&'static mut [T]> {
-    let old_len = old.len();
+    let old_len = (*old).len();
     let new_size = new_len * mem::size_of::<T>();
     // SAFETY: realloc can be called with any size, even 0, that will just deallocate and return null
-    let ptr = unsafe { xrealloc((old as *mut [_]).cast(), new_size) }.cast::<T>();
+    let ptr = unsafe { xrealloc(old.cast(), new_size) }.cast::<T>();
     if ptr.is_null() {
         None
     } else {
@@ -63,7 +66,7 @@ pub fn xrealloc_zeroed<T: SafelyZero>(
         }
         // SAFETY: realloc guarantees `new_size` bytes valid, plus `SafelyZero` means it's sound to
         //         return a reference to all-zero T
-        Some(unsafe { slice::from_raw_parts_mut(ptr.cast(), new_len) })
+        Some(unsafe { slice::from_raw_parts_mut(ptr, new_len) })
     }
 }
 
@@ -78,7 +81,8 @@ impl<T: SafelyZero + 'static> XBuf<T> {
     pub fn grow(&mut self, grow_by: usize) {
         let slice = mem::take(&mut self.0);
         let old_len = slice.len();
-        self.0 = xrealloc_zeroed(slice, grow_by + old_len).unwrap();
+        // TODO: Just use system allocator?
+        self.0 = unsafe { xrealloc_zeroed(slice, grow_by + old_len) }.unwrap();
     }
 }
 

Original file line number	Diff line number	Diff line change
`@@ -45,14 +45,17 @@ pub fn xcalloc_zeroed<T: SafelyZero>(len: usize) -> Option<&'static mut [T]> {`
`45`	`45`	`}`
`46`	`46`	`}`
`47`	`47`
`48`		`-pub fn xrealloc_zeroed<T: SafelyZero>(`
`49`		`- old: &'static mut [T],`
	`48`	`+/// # Safety`
	`49`	`+///`
	`50`	+/// The provided `old` buffer must be valid, and allocated by `xalloc`/`xcalloc`
	`51`	`+pub unsafe fn xrealloc_zeroed<T: SafelyZero>(`
	`52`	`+ old: *mut [T],`
`50`	`53`	`new_len: usize,`
`51`	`54`	`) -> Option<&'static mut [T]> {`
`52`		`- let old_len = old.len();`
	`55`	`+ let old_len = (*old).len();`
`53`	`56`	`let new_size = new_len * mem::size_of::<T>();`
`54`	`57`	`// SAFETY: realloc can be called with any size, even 0, that will just deallocate and return null`
`55`		`- let ptr = unsafe { xrealloc((old as *mut [_]).cast(), new_size) }.cast::<T>();`
	`58`	`+ let ptr = unsafe { xrealloc(old.cast(), new_size) }.cast::<T>();`
`56`	`59`	`if ptr.is_null() {`
`57`	`60`	`None`
`58`	`61`	`} else {`
`@@ -63,7 +66,7 @@ pub fn xrealloc_zeroed<T: SafelyZero>(`
`63`	`66`	`}`
`64`	`67`	// SAFETY: realloc guarantees `new_size` bytes valid, plus `SafelyZero` means it's sound to
`65`	`68`	`// return a reference to all-zero T`
`66`		`- Some(unsafe { slice::from_raw_parts_mut(ptr.cast(), new_len) })`
	`69`	`+ Some(unsafe { slice::from_raw_parts_mut(ptr, new_len) })`
`67`	`70`	`}`
`68`	`71`	`}`
`69`	`72`
`@@ -78,7 +81,8 @@ impl<T: SafelyZero + 'static> XBuf<T> {`
`78`	`81`	`pub fn grow(&mut self, grow_by: usize) {`
`79`	`82`	`let slice = mem::take(&mut self.0);`
`80`	`83`	`let old_len = slice.len();`
`81`		`- self.0 = xrealloc_zeroed(slice, grow_by + old_len).unwrap();`
	`84`	`+ // TODO: Just use system allocator?`
	`85`	`+ self.0 = unsafe { xrealloc_zeroed(slice, grow_by + old_len) }.unwrap();`
`82`	`86`	`}`
`83`	`87`	`}`
`84`	`88`