You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Hi there, we (Rust group @sslab-gatech) are scanning crates on crates.io for potential soundness bugs. We noticed some panic safety issues in the prune and insert_item functions:
// We have an exact priority match. Drop the old item and
// replace it with the new.
core::ptr::drop_in_place(start_ptr.add(idx));
core::ptr::write(start_ptr.add(idx), new_item);
}
}
This isn't too big of an issue right now because Topq currently leaks memory when it goes out of scope because the queue is wrapped in MaybeUninit. However, this can lead to double-frees if Topq was updated to free the memory or if someone called these methods indirectly through their drop code.
Namely, if the user provided type T panics during the drop_in_place operations, the Topq can be left in an inconsistent state and when it unwinds it can cause the same element to be dropped again.
The text was updated successfully, but these errors were encountered:
Hi there, we (Rust group @sslab-gatech) are scanning crates on crates.io for potential soundness bugs. We noticed some panic safety issues in the
pruneandinsert_itemfunctions:topq/src/lib.rs
Lines 163 to 174 in 8cc1e75
topq/src/lib.rs
Lines 106 to 114 in 8cc1e75
This isn't too big of an issue right now because
Topqcurrently leaks memory when it goes out of scope because the queue is wrapped inMaybeUninit. However, this can lead to double-frees ifTopqwas updated to free the memory or if someone called these methods indirectly through their drop code.Namely, if the user provided type
Tpanics during thedrop_in_placeoperations, theTopqcan be left in an inconsistent state and when it unwinds it can cause the same element to be dropped again.The text was updated successfully, but these errors were encountered: