Hi there, we (Rust group @sslab-gatech) are scanning crates on crates.io for potential soundness bugs. We noticed that in the `EventList::From` implementation for slices of types that implement `Into<Event>`, it grabs the event using `ptr::read`, duplicating the ownership, and then calls `event.into()`, which can potentially panic. This can lead to the event being double freed, as shown in the example below:
```rust
#![forbid(unsafe_code)]

use ocl::{Event, EventList};

struct MyIntoEventType(u32);

impl Drop for MyIntoEventType {
    fn drop(&mut self) {
        println!("Dropping the MyIntoEventType");
    }
}

impl Into<Event> for MyIntoEventType {
    fn into(self) -> Event {
        panic!("Panicking in Into");
    }
}

fn main() {
    let slice = [MyIntoEventType(1)];
    let event_list = EventList::from(slice);
}
```
Output:

```
thread 'main' panicked at 'Panicking in Into', src/main.rs:28:9
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace
Dropping the MyIntoEventType
Dropping the MyIntoEventType
```
https://github.com/cogciprocate/ocl/blob/03086863e95e43033ae67f1530801cb57032e1a3/ocl/src/standard/event.rs#L1040-L1043
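A reduced model of the pattern described in the report, beside a panic-safe form, as an added example that is not part of the original report and is not ocl's code. `Source`, `Target`, `convert_unsound`, `convert_sound` and `drops_on_panic` are hypothetical names, and the trailing `mem::forget` is an assumed shape; the code counts destructor runs when the second of two conversions panics.

```rust
use std::panic;
use std::ptr;
use std::sync::atomic::{AtomicUsize, Ordering};

// Constructed stand-ins for the report's element type and for `Event`.
static DROPS: AtomicUsize = AtomicUsize::new(0);
struct Source(bool); // `true` makes the conversion panic
struct Target;

impl Drop for Source {
    fn drop(&mut self) { DROPS.fetch_add(1, Ordering::SeqCst); }
}
impl From<Source> for Target {
    fn from(s: Source) -> Target {
        if s.0 {
            panic!("panicking in conversion");
        }
        Target
    }
}

// Reduced model of the reported pattern (assumed shape, not ocl's code).
fn convert_unsound<E: Into<Target>, const N: usize>(items: [E; N]) -> Vec<Target> {
    let mut out = Vec::with_capacity(N);
    for item in &items {
        let dup = unsafe { ptr::read(item) }; // second owner of `*item`
        out.push(dup.into()); // a panic here unwinds with `items` still live
    }
    std::mem::forget(items); // only reached when nothing panicked
    out
}

// Panic-safe form: move each element out by value, so it has one owner.
fn convert_sound<E: Into<Target>, const N: usize>(items: [E; N]) -> Vec<Target> {
    IntoIterator::into_iter(items).map(|e| e.into()).collect()
}

// Counts `Source` drops when the second of two elements panics.
fn drops_on_panic(f: fn([Source; 2]) -> Vec<Target>) -> usize {
    DROPS.store(0, Ordering::SeqCst);
    let result = panic::catch_unwind(|| f([Source(false), Source(true)]));
    assert!(result.is_err());
    DROPS.load(Ordering::SeqCst)
}

fn main() {
    println!("unsound: {} drops of 2 values", drops_on_panic(convert_unsound));
    println!("sound:   {} drops of 2 values", drops_on_panic(convert_sound));
}
```

The counter type owns no heap memory, so the extra drops are observable without corrupting anything; with an element type that frees a resource in `drop`, each extra run is a double free.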