rust-lang / cc-rs

Rust library for build scripts to compile C/C++ code into a Rust library
https://docs.rs/cc
Apache License 2.0

Possible panic safety issue in StderrForwarder #1036

Closed daira closed 1 month ago

daira commented 2 months ago

When auditing changes to cc, I found a theoretical panic safety issue at https://github.com/rust-lang/cc-rs/commit/227b770f1d52d3e538f0bdfbe3636acb58ccb87d#diff-fbc116db4f047e6e29dac1fc3c5a5f1f759060e9558aff5707624841b57c5258R123-R128 . As an optimization, the code extends the length of the buffer to its capacity (which will cause it to include uninitialized data), and relies on it being set back to contain only initialized data in all code paths. If stderr.read panics and that panic is caught by a caller of forward_available, then the inner buffer of StderrForwarder will still contain uninitialized data. I don't think it is likely that this can be triggered maliciously, hence the public issue.

NobodyXu commented 2 months ago

Thanks, I think replacing it with RAII should fix it. Would probably submit a PR later, but if you already have one, I'm happy to merge it.

daira commented 2 months ago

I don't have one.
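As an added example (not cc-rs code), the following Rust sketch models the hazard daira describes and the RAII fix NobodyXu suggests: a buffer whose length is grown to its capacity before a read and shrunk back afterwards, once with the shrink on the normal path only and once with a drop guard that performs it on every exit path. It assumes a simplified `forward_available` over a `Vec<u8>` whose spare bytes are zero-filled rather than uninitialized, and a constructed reader that panics in place of `stderr.read`.

```rust
use std::io::{self, Read};
use std::panic::{catch_unwind, AssertUnwindSafe};

/// Restores the buffer to its last committed length when dropped, on every exit path
/// (normal return, early return via `?`, or an unwinding panic).
struct LenGuard<'a> {
    buf: &'a mut Vec<u8>,
    valid_len: usize,
}
impl Drop for LenGuard<'_> {
    fn drop(&mut self) {
        self.buf.truncate(self.valid_len);
    }
}

/// Mirrors the issue's pattern: grow `len` to `capacity`, read into the spare bytes, shrink
/// back. Spare bytes are zero-filled here (the real code uses `set_len`) to keep this sound.
fn forward_available_naive(buf: &mut Vec<u8>, src: &mut dyn Read) -> io::Result<usize> {
    let old_len = buf.len();
    let cap = buf.capacity();
    buf.resize(cap, 0);
    let n = src.read(&mut buf[old_len..])?; // a panic (or the `?`) here skips the truncate
    buf.truncate(old_len + n);
    Ok(n)
}

/// Same logic, but the shrink is owned by a guard, so it also runs while unwinding.
fn forward_available_guarded(buf: &mut Vec<u8>, src: &mut dyn Read) -> io::Result<usize> {
    let old_len = buf.len();
    let cap = buf.capacity();
    buf.resize(cap, 0);
    let mut guard = LenGuard { buf, valid_len: old_len };
    let n = src.read(&mut guard.buf[old_len..])?;
    guard.valid_len += n; // commit the bytes actually read before the guard drops
    Ok(n)
}
/// Constructed reader that panics instead of producing data (stands in for `stderr.read`).
struct PanickingReader;
impl Read for PanickingReader {
    fn read(&mut self, _: &mut [u8]) -> io::Result<usize> {
        panic!("simulated panic inside read")
    }
}
/// Runs `f` on a buffer of 3 real bytes and 64 bytes of capacity, catches the panic as a
/// caller of `forward_available` might, and returns the length the buffer is left with.
fn len_after_caught_panic(f: fn(&mut Vec<u8>, &mut dyn Read) -> io::Result<usize>) -> usize {
    let mut buf = Vec::with_capacity(64);
    buf.extend_from_slice(b"err");
    let _ = catch_unwind(AssertUnwindSafe(|| f(&mut buf, &mut PanickingReader)));
    buf.len() // naive: capacity, stale bytes exposed; guarded: 3
}
```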