mathieu/os-rust
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Rollup merge of #91797 - the8472:fix-invalid-deref, r=Mark-Simulacrum

Browse source 
Fix zero-sized reference to deallocated memory

fixes #91772

r? `@camelid`
This commit is contained in:
Matthias Krüger 2021-12-11 23:31:54 +01:00 committed by GitHub
commit 9aade508d5
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
1 changed files with 6 additions and 4 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

10
library/alloc/src/vec/drain.rs
View file

@ -128,10 +128,6 @@ impl<T, A: Allocator> Drop for Drain<'_, T, A> {
let iter = mem::replace(&mut self.iter, (&mut []).iter());
let drop_len = iter.len();
let drop_ptr = iter.as_slice().as_ptr();
// forget iter so there's no aliasing reference
drop(iter);
let mut vec = self.vec;
@ -155,6 +151,12 @@ impl<T, A: Allocator> Drop for Drain<'_, T, A> {
return;
}
// as_slice() must only be called when iter.len() is > 0 because
// vec::Splice modifies vec::Drain fields and may grow the vec which would invalidate
// the iterator's internal pointers. Creating a reference to deallocated memory
// is invalid even when it is zero-length
let drop_ptr = iter.as_slice().as_ptr();
unsafe {
// drop_ptr comes from a slice::Iter which only gives us a &[T] but for drop_in_place
// a pointer with mutable provenance is necessary. Therefore we must reconstruct