-
Notifications
You must be signed in to change notification settings - Fork 5
/
0017-array-queue.rs
69 lines (61 loc) · 2.01 KB
/
0017-array-queue.rs
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
/*!
```rudra-poc
[target]
crate = "array-queue"
version = "0.3.3"
[report]
issue_url = "https://github.com/raviqqe/array-queue/issues/2"
issue_date = 2020-09-26
rustsec_url = "https://github.com/RustSec/advisory-db/pull/396"
rustsec_id = "RUSTSEC-2020-0047"
[[bugs]]
analyzer = "Manual"
guide = "UnsafeDestructor"
bug_class = "Other"
bug_count = 2
rudra_report_locations = []
```
!*/
#![forbid(unsafe_code)]
use array_queue::ArrayQueue;
fn main() {
{
// 1. Allows reading of uninitialized memory.
//
// A queue of size 3 is setup like this:
// [x, x, x] length = 0
// ^ start
// where x is uninitialized memory.
//
// push_back(a); push_back(b); push_back(c)
// [a, b, c] length = 3
// ^ start
//
// pop_front(); pop_back():
// [x, b, x] length = 1
// ^ start
//
// At this point when performing a pop_back, the queue should use the
// `ArrayQueue::index` method to index into the array properly but
// instead simply uses `self.length - 1` causing it to read the first
// x.
// https://github.com/raviqqe/array-queue/blob/32fa10f8f15140fb64a4cf36a2a834f876c91056/src/array_queue.rs#L98
let mut a: [u64; 32] = [0x41; 32];
let mut x: ArrayQueue<[[u64; 32]; 3]> = ArrayQueue::new();
x.push_back(&&a);
x.push_back(&&a);
x.push_back(&&a);
x.pop_front().unwrap();
x.pop_back().unwrap();
let popped = x.pop_back().unwrap();
println!("Contents of array: {:?}", popped);
assert_eq!(popped[0], 0x41);
}
{
// 2. Initializes memory with mem::uninitialized, this is instantly
// UB for types that cannot inhabit uninitialized. Should be
// changed over to MaybeUninit. (Triggers a panic on latest Rust).
//let mut x: ArrayQueue<[Box<i32>; 3]> = ArrayQueue::new();
//x.push_back(&Box::new(1));
}
}