Open
Description
Running this program via RUSTFLAGS=-Zsanitizer=address cargo run yields a use-after-free with dmsort:
use std::cell::Cell;
fn main() {
struct ValWithBox {
val: i32,
heap_val: Cell<Option<Box<str>>>,
}
let pattern = [
19, 25, 3, 23, 27, 17, 24, 21, 5, 22, 16, 12, 6, 7, 20, 15, 18, 14, 10, 9, 0, 2, 4, 11, 8,
28, 29, 1, 26, 13,
];
let comp_panic_count = 24;
let mut test_input = pattern
.iter()
.map(|val| ValWithBox {
val: *val,
heap_val: Cell::new(Some(
"some test heap string xxxx".to_string().into_boxed_str(),
)),
})
.collect::<Vec<_>>();
let mut comp_count = 0;
dmsort::sort_by(&mut test_input, |a, b| {
if comp_count == comp_panic_count {
a.heap_val.set(None);
b.heap_val.set(None);
panic!();
}
comp_count += 1;
a.val.cmp(&b.val)
});
}In one or more places dmsort seems to use auxiliary memory, using said memory to feed the user-provided comparison function, but fails to copy this memory back into the user-provided slice if the comparison panics. These problems can probably be solved with drop guards. I discovered this problem running this test https://github.com/Voultapher/sort-research-rs/blob/main/tests/main.rs#L793.
Metadata
Metadata
Assignees
Labels
No labels