Hi there, we detected a few potential panic safety issues in this library.
A double free will appear, mainly caused by a panic that happens between `Box::from_raw` and `std::mem::forget`.
Example as follows (rose-tools/rose-lib-ffi/src/zms.rs, lines 18 to 28 in 11fc557):
```rust
// Excerpt from the issue: the earlier lines of this function (not shown) obtain
// `zms` from the caller's raw pointer via Box::from_raw(mesh).
let path_str = CStr::from_ptr(path).to_str().unwrap_or_default();
let p = PathBuf::from(path_str);
let res = zms.read_from_path(&p).is_ok(); // a panic here unwinds past mem::forget
std::mem::forget(zms);
res
}
```
When a panic occurs in `let res = zms.read_from_path(&p).is_ok();` or in the other code between `Box::from_raw` and `std::mem::forget`, `zms` will be dropped during unwinding and make `mesh` an empty pointer, which will cause a double-free bug in the upper function.
You can use `mem::ManuallyDrop::new(Box::from_raw(mesh))` instead to avoid this problem.
This type of bug is difficult to detect with test cases, but it does pose a security risk.
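As an added example that is not part of the issue or the rose-tools code: a hypothetical `Mesh` type with an instrumented `Drop` shows the vulnerable `Box::from_raw` / `mem::forget` pattern beside the `ManuallyDrop` fix, forcing a panic inside the library call so the difference in what survives unwinding is observable. The names `Mesh`, `read_vulnerable`, `read_fixed` and `drops_during_unwind` are assumptions.

```rust
use std::mem::ManuallyDrop;
use std::panic::{catch_unwind, AssertUnwindSafe};
use std::sync::atomic::{AtomicUsize, Ordering};
use std::sync::Arc;

/// Hypothetical stand-in for the library's mesh; the counter records Drop runs.
pub struct Mesh { drops: Arc<AtomicUsize> }

impl Drop for Mesh {
    fn drop(&mut self) { self.drops.fetch_add(1, Ordering::SeqCst); }
}

impl Mesh {
    /// Hypothetical loader: an empty path simulates a panic in the library call.
    fn read_from_path(&mut self, path: &str) -> Result<(), String> {
        if path.is_empty() {
            panic!("simulated panic inside read_from_path");
        }
        Ok(())
    }
}

/// Vulnerable pattern from the issue: a panic unwinds past mem::forget, the
/// Box frees the mesh, and the caller's pointer dangles.
pub unsafe fn read_vulnerable(mesh: *mut Mesh, path: &str) -> bool {
    let mut zms = Box::from_raw(mesh);
    let res = zms.read_from_path(path).is_ok();
    std::mem::forget(zms);
    res
}

/// Fixed pattern: ManuallyDrop never runs Drop, so unwinding cannot free it.
pub unsafe fn read_fixed(mesh: *mut Mesh, path: &str) -> bool {
    let mut zms = ManuallyDrop::new(Box::from_raw(mesh));
    zms.read_from_path(path).is_ok()
}

/// Calls `f` with a panicking input and returns how many times the mesh was
/// dropped during the unwind: 1 means the caller now holds a freed pointer.
pub fn drops_during_unwind(f: unsafe fn(*mut Mesh, &str) -> bool) -> usize {
    let counter = Arc::new(AtomicUsize::new(0));
    let mesh = Box::into_raw(Box::new(Mesh { drops: counter.clone() }));
    let _ = catch_unwind(AssertUnwindSafe(|| unsafe { f(mesh, "") }));
    let drops = counter.load(Ordering::SeqCst);
    if drops == 0 {
        unsafe { drop(Box::from_raw(mesh)) }; // still owned: free exactly once
    }
    drops
}
```

With the vulnerable function the counter reads 1 after the caught panic, so a later free on the C side would be the second one; with the fixed function it reads 0 and the caller's single free is the only one.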
cchanging changed the title from "some panic safety issues that caused double free in unwind branch" to "some panic safety issues that cause double free in unwind branch" on Apr 21, 2021.