xiph / rav1e

The fastest and safest AV1 encoder.
BSD 2-Clause "Simplified" License

AlignedBoxedSlice is unsound #3370

Closed FreezyLemon closed 7 months ago

FreezyLemon commented 8 months ago

AlignedBoxedSlice<T> is unsound in multiple places:

  1. The safety invariants of Layout::from_size_align_unchecked are not always fulfilled: The size parameter can overflow isize for some lengths
  2. NonNull::new_unchecked(alloc(...)): alloc can return a null pointer on allocation failure
  3. The initialization code in AlignedBoxedSlice::new creates a mutable slice from uninitialized memory (instead of ptr::write or MaybeUninit)

Pretty much the same problems also existed in v_frame. Those were fixed, more issues were found and the implementation was ultimately replaced and aligned-vec was used instead. I think it could be used in rav1e too. Maybe Aligned<T> and the entirety of align.rs could be removed then because it also has an unsound function.
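As an added illustration (not rav1e's `AlignedBoxedSlice`, not v_frame, and not aligned-vec), the following hypothetical `AlignedSlice<T>` shows the checked counterpart of each of the three points above: `Layout::from_size_align` instead of `from_size_align_unchecked` so an `isize` overflow is reported rather than undefined behaviour, `NonNull::new` plus `handle_alloc_error` so a null return from `alloc` is handled, and element-wise `ptr::write` so no `&mut [T]` is ever formed over uninitialized memory. The `new_with`/`as_slice` names and the `init` closure are assumptions of this example.

```rust
use std::alloc::{alloc, dealloc, handle_alloc_error, Layout};
use std::ptr::NonNull;

/// Hypothetical aligned, heap-allocated slice used only for this example.
pub struct AlignedSlice<T> {
    ptr: NonNull<T>,
    len: usize,
    layout: Layout,
}

impl<T> AlignedSlice<T> {
    /// Allocates `len` elements aligned to `align` and initializes each one
    /// with `init(i)`. Returns `None` if the requested size cannot be
    /// represented (point 1); aborts via `handle_alloc_error` if the
    /// allocator returns null (point 2).
    pub fn new_with(len: usize, align: usize, mut init: impl FnMut(usize) -> T) -> Option<Self> {
        let align = align.max(std::mem::align_of::<T>());
        // Overflowing multiplication is an error, not wrap-around.
        let size = std::mem::size_of::<T>().checked_mul(len)?;
        // Point 1: the checked constructor rejects size > isize::MAX and
        // non-power-of-two alignments instead of relying on an unchecked call.
        let layout = Layout::from_size_align(size, align).ok()?;

        let ptr = if size == 0 {
            // Zero-size allocations are not allowed on the global allocator;
            // a dangling, well-aligned pointer is the standard substitute.
            NonNull::<T>::dangling()
        } else {
            // SAFETY: `layout` has non-zero size.
            let raw = unsafe { alloc(layout) } as *mut T;
            // Point 2: `alloc` may return null; never wrap it with new_unchecked.
            match NonNull::new(raw) {
                Some(p) => p,
                None => handle_alloc_error(layout),
            }
        };

        // Point 3: write each element through a raw pointer. At no time is a
        // `&mut [T]` (or `&mut T`) created over memory that is not yet a valid T.
        // If `init` panics here the allocation leaks, which is safe, not UB.
        for i in 0..len {
            // SAFETY: i < len, so the write stays inside the allocation.
            unsafe { ptr.as_ptr().add(i).write(init(i)) };
        }
        Some(Self { ptr, len, layout })
    }

    /// Borrow the contents; every element was initialized in `new_with`.
    pub fn as_slice(&self) -> &[T] {
        // SAFETY: `len` elements are initialized and the allocation is live.
        unsafe { std::slice::from_raw_parts(self.ptr.as_ptr(), self.len) }
    }

    pub fn as_ptr(&self) -> *const T {
        self.ptr.as_ptr()
    }
}

impl<T> Drop for AlignedSlice<T> {
    fn drop(&mut self) {
        // Drop the elements first, then release the block with the same layout.
        unsafe {
            std::ptr::drop_in_place(std::ptr::slice_from_raw_parts_mut(self.ptr.as_ptr(), self.len));
            if self.layout.size() != 0 {
                dealloc(self.ptr.as_ptr() as *mut u8, self.layout);
            }
        }
    }
}

fn main() {
    let s = AlignedSlice::<u32>::new_with(17, 64, |i| (i * 3) as u32).unwrap();
    println!("ptr % 64 = {}, s[5] = {}", s.as_ptr() as usize % 64, s.as_slice()[5]);
    // A length whose byte size overflows is refused rather than miscomputed.
    println!("oversized = {:?}", AlignedSlice::<u64>::new_with(usize::MAX / 2, 32, |_| 0).is_none());
}
```

The zero-length branch matters in practice: the original `alloc(...)` path with a zero-size layout would itself be undefined behaviour, so a checked replacement has to special-case it rather than just guarding the multiplication.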

lu-zero commented 8 months ago

Moving to aligned-vec sounds overall like a good idea (and probably we could poke a bit to have those facilities in std directly)