Closed Shnatsel closed 5 years ago
This code might also be affected: https://github.com/sile/libflate/blob/0f565d36d10d5b163b5c3c208c162dd5b8c8c87a/src/gzip.rs#L1122
Thank you for your detailed report. I would like to fix unsound code one by one.
This seems to be the only occurrence of this issue. Everywhere else read_exact()
is passed properly initialized buffers.
Fixed by the linked PR.
The following code is unsound:
https://github.com/sile/libflate/blob/0f565d36d10d5b163b5c3c208c162dd5b8c8c87a/src/deflate/decode.rs#L86-L91
The slice passed to
read_exact()
is uninitialized. This uses a Read implementation supplied by the API user, and there is no guarantee that it will never read from the provided buffer. If it does, it may cause a memory disclosure vulnerability.Similar bug in Rust MP4 parser for reference: https://github.com/mozilla/mp4parse-rust/issues/172
The equivalent code in stdlib initializes the vector with zeroes before growing it: https://doc.rust-lang.org/src/std/io/mod.rs.html#355-391
There have been some language proposals to create a contract for never reading from the buffer in this case, but they have not been stabilized: https://github.com/rust-lang/rust/issues/42788
For now replacing
unsafe { self.buffer.set_len(old_len + len as usize) };
withself.buffer.resize(old_len + len as usize, 0);
should fix it.I have not read all of the unsafe code in libflate, there may be similar issues in other unsafe blocks, which is why I'm opening an issue instead of a PR right away.