not-fl3 / macroquad

Cross-platform game engine in Rust.
Apache License 2.0

`Image` fields should be private for soundness #746

Open cyrgani opened 1 week ago

cyrgani commented 1 week ago

The following safe code causes undefined behaviour by reading out of bounds:

```rust
fn main() {
    let mut image = macroquad::texture::Image::empty();
    image.width += 1;
    image.height += 1;
    dbg!(image.get_image_data());
}
```

To fix this, all the fields of `Image` should become private, which would be a breaking change. The `Image::width` and `Image::height` methods for immutable reading already exist as a replacement, along with `Image::get_image_data`.

Unsafe methods for changing the width and height could be added too if there is a legitimate use case.
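
The design proposed in this issue, sketched as an added example that is not part of the issue or of macroquad's code. `SoundImage`, `from_rgba8` and `set_dimensions_unchecked` are hypothetical names, and the accessor is assumed to build its pixel slice from `width * height`.

```rust
// Added illustration: `SoundImage` is a hypothetical stand-in, not macroquad's `Image`.
// Invariant: bytes.len() == width * height * 4 (RGBA8). Private fields keep it true.
pub struct SoundImage {
    bytes: Vec<u8>,
    width: u16,
    height: u16,
}

impl SoundImage {
    pub fn empty() -> Self {
        SoundImage { bytes: Vec::new(), width: 0, height: 0 }
    }

    /// Safe constructor: rejects a buffer whose length does not match the dimensions.
    pub fn from_rgba8(width: u16, height: u16, bytes: Vec<u8>) -> Option<Self> {
        let expected = width as usize * height as usize * 4; // fits usize on 64-bit targets
        (bytes.len() == expected).then(|| SoundImage { bytes, width, height })
    }

    pub fn width(&self) -> usize { self.width as usize }
    pub fn height(&self) -> usize { self.height as usize }

    /// Pixel view (assumed here to be derived from width * height).
    pub fn get_image_data(&self) -> &[[u8; 4]] {
        let pixels = self.width() * self.height();
        debug_assert!(self.bytes.len() >= pixels * 4, "dimension invariant broken");
        // SAFETY: the invariant gives `pixels * 4` initialized bytes; [u8; 4] has alignment 1.
        unsafe { std::slice::from_raw_parts(self.bytes.as_ptr() as *const [u8; 4], pixels) }
    }

    /// Escape hatch of the kind the issue mentions: the caller takes over the invariant.
    ///
    /// # Safety
    /// `bytes` must hold at least `width * height * 4` bytes.
    pub unsafe fn set_dimensions_unchecked(&mut self, width: u16, height: u16) {
        self.width = width;
        self.height = height;
    }
}

fn main() {
    // Constructed sample: one red and one green pixel.
    let img = SoundImage::from_rgba8(2, 1, vec![255, 0, 0, 255, 0, 255, 0, 255]).unwrap();
    println!("{}x{}: {:?}", img.width(), img.height(), img.get_image_data());
    // From another module, `img.width += 1;` no longer compiles (private field).
}
```
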