Hi there, we (Rust group @sslab-gatech) are scanning crates on crates.io for potential soundness bugs. We noticed some panic safety issues in the prune and insert_item functions:
```rust
        // We have an exact priority match. Drop the old item and
        // replace it with the new.
        core::ptr::drop_in_place(start_ptr.add(idx));
        core::ptr::write(start_ptr.add(idx), new_item);
    }
}
```
This isn't too big of an issue right now because Topq currently leaks memory when it goes out of scope because the queue is wrapped in MaybeUninit. However, this can lead to double-frees if Topq was updated to free the memory or if someone called these methods indirectly through their drop code.
Namely, if the user-provided type T panics during the drop_in_place operations, the Topq can be left in an inconsistent state and when it unwinds it can cause the same element to be dropped again.
topq/src/lib.rs, lines 163 to 174 in 8cc1e75
topq/src/lib.rs, lines 106 to 114 in 8cc1e75
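A panic-safe ordering for the replace and prune operations discussed in this issue, as an added example that is not part of the original report or the topq crate. `Slots`, `Noisy` and `drops_after_panicking_replace` are hypothetical names, and the element type is constructed so that its destructor panics.

```rust
use std::mem::MaybeUninit;
use std::panic::{catch_unwind, AssertUnwindSafe};
use std::sync::atomic::{AtomicUsize, Ordering};
use std::sync::Arc;

// Hypothetical stand-in for a queue backed by MaybeUninit slots (not Topq's code).
struct Slots<T, const N: usize> { buf: [MaybeUninit<T>; N], len: usize }
impl<T, const N: usize> Slots<T, N> {
    fn new() -> Self { Slots { buf: std::array::from_fn(|_| MaybeUninit::uninit()), len: 0 } }
    fn push(&mut self, item: T) { self.buf[self.len].write(item); self.len += 1; }
    // Move the old value out and store the new one BEFORE any destructor runs,
    // so a panic in T::drop leaves slot `idx` holding a live value.
    fn replace(&mut self, idx: usize, new_item: T) {
        assert!(idx < self.len);
        // SAFETY: slots below `len` are initialized; the slot is overwritten next.
        let old = unsafe { self.buf[idx].assume_init_read() };
        self.buf[idx].write(new_item);
        drop(old); // may panic; `old` is a local, so nothing drops it a second time
    }
    // Prune-style removal: shrink `len` first so unwinding cannot revisit the tail.
    fn truncate(&mut self, new_len: usize) {
        let old_len = self.len;
        if new_len >= old_len { return; }
        self.len = new_len;
        for slot in &mut self.buf[new_len..old_len] { unsafe { slot.assume_init_drop() } }
    }
}
impl<T, const N: usize> Drop for Slots<T, N> { fn drop(&mut self) { self.truncate(0); } }
// Constructed test type: counts destructor calls and optionally panics in drop.
struct Noisy { drops: Arc<AtomicUsize>, panics: bool }
impl Drop for Noisy {
    fn drop(&mut self) {
        self.drops.fetch_add(1, Ordering::SeqCst);
        if self.panics { panic!("destructor panicked"); }
    }
}

// Returns (panic observed, destructor calls for the 3 values created); 3 = no double drop.
fn drops_after_panicking_replace() -> (bool, usize) {
    let drops = Arc::new(AtomicUsize::new(0));
    let mk = |panics| Noisy { drops: drops.clone(), panics };
    let mut s: Slots<Noisy, 4> = Slots::new();
    s.push(mk(true));
    s.push(mk(false));
    let unwound = catch_unwind(AssertUnwindSafe(|| s.replace(0, mk(false)))).is_err();
    drop(s);
    (unwound, drops.load(Ordering::SeqCst))
}
fn main() { println!("{:?}", drops_after_panicking_replace()); }
```

The trade-off in `truncate` is that a panicking destructor leaks the remaining tail elements instead of risking a second drop.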