jeaye / ncurses-rs

A low-level ncurses wrapper for Rust

`mvwgetstr`, `getstr`, `mvwinnstr`, and `wgetstr` can produce strings that are invalid UTF-8 #187

Closed. thomcc closed this 5 years ago.

thomcc commented 5 years ago

This is a memory safety problem, since many functions in the rust stdlib are UB if you have a non-utf8 string.

These functions should be changed to ensure that only valid utf8 is input.

See https://github.com/RustSec/advisory-db/issues/106, although it's unclear if there's a way for this to be exploitable (unlike the others).

jeaye commented 5 years ago

Again, same point as before. ncurses-rs does not do any processing on top of just handing data to/from ncurses.

However, I appreciate your intention and I don't want to leave people using ncurses-rs thinking (and apparently knowing nothing about ncurses) that this could possibly be a safe library, so I've added the following: https://github.com/jeaye/ncurses-rs/commit/a52dbb37d93f0dfe07a57ad4e8aaaae8ae448675

I would be open to a PR marking all of the appropriate fns unsafe, but not any more PRs or issues around making ncurses-rs do anything more than its purpose. There are safer TUI libraries for Rust; hell, there are far safer TUI libraries for C, even.

dpc commented 5 years ago

This note is most certainly not sufficient. No one is going to read and find it.

All the functions should be marked as unsafe. That's what the language mandates.