rust/library/std
Mara Bos ce48709405
Rollup merge of #80895 - sfackler:read-to-end-ub, r=m-ou-se
Fix handling of malicious Readers in read_to_end

A malicious `Read` impl could return overly large values from `read`, which would result in the guard's drop impl setting the buffer's length to greater than its capacity! ~~To fix this, the drop impl now uses the safe `truncate` function instead of `set_len` which ensures that this will not happen. The result of calling the function will be nonsensical, but that's fine given the contract violation of the `Read` impl.~~

~~The `Guard` type is also used by `append_to_string` which does not pass untrusted values into the length field, so I've copied the guard type into each function and only modified the one used by `read_to_end`. We could just keep a single one and modify it, but it seems a bit cleaner to keep the guard code close to the functions and related specifically to them.~~

To fix this, we now assert that the returned length is not larger than the buffer passed to the method.

For reference, this bug has been present for ~2.5 years since 1.20: ecbb896b9e.

Closes #80894.
2021-01-14 18:00:11 +00:00
..
benches
src Rollup merge of #80895 - sfackler:read-to-end-ub, r=m-ou-se 2021-01-14 18:00:11 +00:00
tests Fix SGX CI, take 3 2020-12-07 15:22:34 +01:00
build.rs Drop support for cloudabi targets 2020-11-22 17:11:41 -05:00
Cargo.toml Update compiler_builtins to 0.1.39 2021-01-07 16:16:36 +09:00