DelSkayn / rquickjs

High level bindings to the quickjs javascript engine
MIT License

Allocator exposes undefined behavior to safe code #264

Closed dtolnay closed 4 months ago

dtolnay commented 4 months ago

This is an example of a use-after-free and double-free in safe code, which is not supposed to happen:

```rust
// [dependencies]
// rquickjs = { version = "0.4.3", features = ["allocator"] }

use rquickjs::allocator::{Allocator, RustAllocator};

fn main() {
    let mut s = ".".repeat(40);
    // `dealloc` is a safe method here, so nothing stops safe code from passing it
    // a pointer into a String's buffer that the allocator never handed out.
    RustAllocator.dealloc(s.as_mut_ptr().wrapping_add(8));
    println!("{:?}", s);
}
```

```
$ cargo run
"\u{4}|3tpU\0\0üîa?É:ö........................"
free(): double free detected in tcache 2
Aborted (core dumped)
```
DelSkayn commented 4 months ago

Thanks for pointing this out!

The Allocator methods should indeed be marked as unsafe functions.

DelSkayn commented 4 months ago

This is fixed in the latest version.
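The fix agreed in this thread is to mark the raw-pointer allocator methods `unsafe`, so that a call like the one in the report no longer compiles in safe code. The following is an added example, not rquickjs code: a hypothetical `RawAllocator` trait (its names are assumptions, not the crate's API) whose `dealloc` is `unsafe` with a written contract, plus a safe `CheckedAllocator` facade that records every pointer it hands out and refuses to forward anything it does not currently own. The `replay_issue` function replays the report's scenario (an interior pointer, then a double free) against the facade, which rejects both instead of corrupting the heap.

```rust
use std::alloc::{alloc, dealloc, handle_alloc_error, Layout};
use std::collections::HashMap;

/// Every allocation carries its requested size in a header in front of the returned pointer.
const HEADER: usize = std::mem::size_of::<usize>();

fn layout_for(size: usize) -> Layout {
    Layout::from_size_align(HEADER + size, std::mem::align_of::<usize>()).expect("size overflow")
}

/// Hypothetical allocator trait (not rquickjs's). Like C's free(), `dealloc` cannot
/// validate its argument, so it is `unsafe` and states the contract the caller upholds.
pub trait RawAllocator {
    fn alloc(&mut self, size: usize) -> *mut u8;
    /// # Safety
    /// `ptr` must have been returned by `alloc` on this allocator and not yet freed.
    unsafe fn dealloc(&mut self, ptr: *mut u8);
}

pub struct HeaderAllocator;

impl RawAllocator for HeaderAllocator {
    fn alloc(&mut self, size: usize) -> *mut u8 {
        let layout = layout_for(size);
        // SAFETY: the layout is never zero-sized because it always includes the header.
        let base = unsafe { alloc(layout) };
        if base.is_null() {
            handle_alloc_error(layout);
        }
        // SAFETY: `base` is valid for HEADER bytes and aligned for usize.
        unsafe {
            (base as *mut usize).write(size);
            base.add(HEADER)
        }
    }

    unsafe fn dealloc(&mut self, ptr: *mut u8) {
        // SAFETY: by the trait contract `ptr` came from `alloc`, so the size header precedes it.
        let base = ptr.sub(HEADER);
        let size = (base as *const usize).read();
        dealloc(base, layout_for(size));
    }
}

#[derive(Debug, PartialEq, Eq)]
pub enum DeallocError {
    /// The address is not one this allocator currently owns: foreign, interior, or already freed.
    NotLive(usize),
}

/// Safe facade: records each pointer it hands out and forwards to `dealloc` only pointers
/// it still owns, which is exactly what `dealloc`'s safety contract requires.
pub struct CheckedAllocator<A: RawAllocator> {
    inner: A,
    live: HashMap<usize, *mut u8>, // address -> the pointer originally handed out
}

impl<A: RawAllocator> CheckedAllocator<A> {
    pub fn new(inner: A) -> Self {
        Self { inner, live: HashMap::new() }
    }

    pub fn alloc(&mut self, size: usize) -> *mut u8 {
        let ptr = self.inner.alloc(size);
        self.live.insert(ptr as usize, ptr);
        ptr
    }

    /// Safe to call with any pointer: unknown ones are rejected rather than freed.
    pub fn try_dealloc(&mut self, ptr: *mut u8) -> Result<(), DeallocError> {
        let addr = ptr as usize;
        match self.live.remove(&addr) {
            // SAFETY: `owned` was produced by `alloc` on `inner` and has not been freed since.
            Some(owned) => unsafe {
                self.inner.dealloc(owned);
                Ok(())
            },
            None => Err(DeallocError::NotLive(addr)),
        }
    }

    pub fn live_count(&self) -> usize {
        self.live.len()
    }
}

impl<A: RawAllocator> Drop for CheckedAllocator<A> {
    fn drop(&mut self) {
        // Release anything the caller forgot; every recorded pointer is still live.
        for (_, owned) in self.live.drain() {
            // SAFETY: same argument as in `try_dealloc`.
            unsafe { self.inner.dealloc(owned) };
        }
    }
}

/// Replays the report's scenario: an interior pointer, a valid free, then a second free.
pub fn replay_issue() -> [Result<(), DeallocError>; 3] {
    let mut a = CheckedAllocator::new(HeaderAllocator);
    let p = a.alloc(40);
    let interior = a.try_dealloc(p.wrapping_add(8));
    let first = a.try_dealloc(p);
    let second = a.try_dealloc(p);
    [interior, first, second]
}

fn main() {
    for (what, r) in ["interior pointer", "first free", "second free"].iter().zip(replay_issue()) {
        println!("{what}: {r:?}");
    }
}
```

The important part is the division of responsibility: the raw trait keeps the cost-free C-style contract and pushes the proof obligation onto the caller with `unsafe`, while the facade is the only safe entry point and can afford a hash lookup per free to turn a heap corruption into an `Err`.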