Speykious / cve-rs

Blazingly 🔥 fast 🚀 memory vulnerabilities, written in 100% safe Rust. 🦀
3.72k stars 94 forks

Fix string layout determination #9

Closed elihunter173 closed 4 months ago

elihunter173 commented 4 months ago

The current construct_fake_string() layout determination code is wrong (but luckily works when the layout is [ptr, cap, len]!)

Suppose the real layout is [len, ptr, cap]. Then

sentinel_string.as_ptr() as usize == 1
sentinel_string.capacity() == 2
sentinel_string.len() == 0

Which would cause the previous code to create a string with layout [fields[1], fields[2], fields[0]] == [cap, len, ptr] when it's supposed to create [len, ptr, cap].

The new code would execute

actual_buf[1] = ptr;
actual_buf[2] = cap;
actual_buf[0] = len;

Which would correctly create a string with layout [len, ptr, cap].
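
The permutation mix-up described in this PR, as an added example that is not cve-rs's own code. Instead of transmuting a real String, it models the compiler's field order as an explicit permutation (all six orders rustc could choose, since String is repr(Rust)), builds the same [0, 1, 2] sentinel, reads the field indices back the way as_ptr()/capacity()/len() would, and then compares the pre-fix construction (indexing `fields` by the discovered indices) with the post-fix one (storing each field at its discovered index). The field values 0xdead_beef / 4096 / 17 are constructed sample data; `read_field`, `field_indices`, `build_words_old` and `build_words_new` are names chosen here, not identifiers from the crate.

```rust
/// The three words that make up a `String`'s representation.
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
enum Field {
    Ptr,
    Cap,
    Len,
}

/// A layout says which field occupies each of the three words.
/// `[Ptr, Cap, Len]` is the order the pre-fix code happened to work for.
type Layout = [Field; 3];

/// All six orders rustc could pick for a repr(Rust) struct of three words.
const ALL_LAYOUTS: [Layout; 6] = [
    [Field::Ptr, Field::Cap, Field::Len],
    [Field::Ptr, Field::Len, Field::Cap],
    [Field::Cap, Field::Ptr, Field::Len],
    [Field::Cap, Field::Len, Field::Ptr],
    [Field::Len, Field::Ptr, Field::Cap],
    [Field::Len, Field::Cap, Field::Ptr],
];

/// Stand-in for `as_ptr()` / `capacity()` / `len()`: read one field out of
/// raw words that were laid out according to `layout` (hypothetical helper).
fn read_field(layout: Layout, words: &[usize; 3], field: Field) -> usize {
    let i = layout.iter().position(|&f| f == field).expect("field is in layout");
    words[i]
}

/// Layout determination: view the words [0, 1, 2] as a String and read the
/// accessors. Because word i holds the value i, the value each accessor
/// returns is the index of that field in the raw representation.
/// Returns (ptr_idx, cap_idx, len_idx).
fn field_indices(layout: Layout) -> (usize, usize, usize) {
    let sentinel = [0usize, 1, 2];
    (
        read_field(layout, &sentinel, Field::Ptr),
        read_field(layout, &sentinel, Field::Cap),
        read_field(layout, &sentinel, Field::Len),
    )
}

/// Pre-fix construction: indexes `fields` by the discovered indices,
/// i.e. applies the permutation in the wrong direction.
fn build_words_old(idx: (usize, usize, usize), ptr: usize, cap: usize, len: usize) -> [usize; 3] {
    let fields = [ptr, cap, len];
    [fields[idx.0], fields[idx.1], fields[idx.2]]
}

/// Post-fix construction: stores each field at its discovered index.
fn build_words_new(idx: (usize, usize, usize), ptr: usize, cap: usize, len: usize) -> [usize; 3] {
    let mut words = [0usize; 3];
    words[idx.0] = ptr;
    words[idx.1] = cap;
    words[idx.2] = len;
    words
}

/// Does a fake string built with `build` read back as intended under `layout`?
fn roundtrips(
    layout: Layout,
    build: fn((usize, usize, usize), usize, usize, usize) -> [usize; 3],
) -> bool {
    // Constructed sample field values, not taken from any real allocation.
    let (ptr, cap, len) = (0xdead_beef_usize, 4096, 17);
    let words = build(field_indices(layout), ptr, cap, len);
    read_field(layout, &words, Field::Ptr) == ptr
        && read_field(layout, &words, Field::Cap) == cap
        && read_field(layout, &words, Field::Len) == len
}

/// Layouts on which the pre-fix code happens to produce the right words.
fn layouts_where_old_works() -> Vec<Layout> {
    ALL_LAYOUTS
        .iter()
        .copied()
        .filter(|&l| roundtrips(l, build_words_old))
        .collect()
}

fn main() {
    for layout in ALL_LAYOUTS {
        println!(
            "{:?}: old={} new={}",
            layout,
            roundtrips(layout, build_words_old),
            roundtrips(layout, build_words_new)
        );
    }
}
```

Running it shows why the bug went unnoticed: the pre-fix construction is correct for any layout that is its own inverse as a permutation (the identity [ptr, cap, len] and the three layouts that swap just two fields), and only breaks on the two 3-cycles, [len, ptr, cap] and [cap, len, ptr]. The post-fix construction round-trips under all six.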

Speykious commented 4 months ago

Thank you for catching this!