Double free in Vec::from_iter specialization when drop panics #83618
Labels
A-collections (Area: std::collections.)
A-destructors (Area: destructors (Drop, ..))
C-bug (Category: This is a bug.)
I-unsound (Issue: A soundness hole (worst kind of bug), see: https://en.wikipedia.org/wiki/Soundness)
P-critical (Critical priority)
T-libs (Relevant to the library team, which will review and decide on the PR/issue.)
rust/library/alloc/src/vec/source_iter_marker.rs, lines 71 to 72 in 4a20eb6
rust/library/alloc/src/vec/into_iter.rs, lines 88 to 93 in 4a20eb6
`SpecFromIter<T, I> for Vec<T>` calls `Vec::IntoIter::drop_remaining()`. `drop_remaining()` calls `drop_in_place()` before overwriting the pointer. As a result, the dropped elements are not invalidated and are dropped again if a destructor panics.

PoC:
Output:
Tested with rustc 1.51.0. Here is a playground link to the code snippet.
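To make the ordering problem concrete, here is an added stand-alone Rust model (not the PoC from this issue and not the real `Vec::IntoIter` code) that mirrors the two statements the report points at: a `drop_remaining` that runs destructors before moving the cursor, next to the fixed ordering that moves the cursor first. `Elem`, `PANIC_ID`, `DROP_LOG` and `drop_counts` are names constructed for this demo.

```rust
use std::cell::RefCell;
use std::mem::ManuallyDrop;
use std::panic::{catch_unwind, AssertUnwindSafe};

// Per-thread log of every element id whose destructor ran (constructed for this demo).
thread_local! { static DROP_LOG: RefCell<Vec<usize>> = RefCell::new(Vec::new()); }
const PANIC_ID: usize = 1; // the element whose destructor panics (only the first time it runs)

struct Elem { id: usize } // no heap data, so a repeated drop is observable rather than a crash

impl Drop for Elem {
    fn drop(&mut self) {
        DROP_LOG.with(|l| l.borrow_mut().push(self.id));
        let times = DROP_LOG.with(|l| l.borrow().iter().filter(|&&x| x == self.id).count());
        if self.id == PANIC_ID && times == 1 { panic!("drop of element {} panicked", self.id); }
    }
}

/// Stand-in for Vec::IntoIter: a buffer plus the not-yet-yielded range [ptr, end).
struct IntoIter { buf: Vec<ManuallyDrop<Elem>>, ptr: usize, end: usize }

impl IntoIter {
    fn new(n: usize) -> Self {
        IntoIter { buf: (0..n).map(|id| ManuallyDrop::new(Elem { id })).collect(), ptr: 0, end: n }
    }
    /// Order from the report: drop first, move the cursor after. A panicking destructor
    /// leaves `ptr` covering elements that are already dead, and Drop below re-drops them.
    fn drop_remaining_buggy(&mut self) {
        for i in self.ptr..self.end { unsafe { ManuallyDrop::drop(&mut self.buf[i]) } }
        self.ptr = self.end;
    }
    /// Fixed order: invalidate the cursor before running any destructor. A panic now leaks
    /// the undropped tail instead of handing dead elements to Drop a second time.
    fn drop_remaining_fixed(&mut self) {
        let (start, end) = (self.ptr, self.end);
        self.ptr = self.end;
        for i in start..end { unsafe { ManuallyDrop::drop(&mut self.buf[i]) } }
    }
}

impl Drop for IntoIter { // same shape as the real IntoIter::drop: drop whatever [ptr, end) still covers
    fn drop(&mut self) { for i in self.ptr..self.end { unsafe { ManuallyDrop::drop(&mut self.buf[i]) } } }
}

/// Run one variant with the panic caught; return how often each element id was dropped.
fn drop_counts(n: usize, buggy: bool) -> Vec<usize> {
    DROP_LOG.with(|l| l.borrow_mut().clear());
    let mut it = IntoIter::new(n);
    let _ = catch_unwind(AssertUnwindSafe(|| {
        if buggy { it.drop_remaining_buggy() } else { it.drop_remaining_fixed() }
    }));
    drop(it); // in the real bug this runs during unwinding; the effect on [ptr, end) is the same
    DROP_LOG.with(|l| (0..n).map(|id| l.borrow().iter().filter(|&&x| x == id).count()).collect())
}
```

With three elements the buggy ordering drops elements 0 and 1 twice, while the fixed ordering drops each at most once and leaks element 2, which is the trade-off the corrected ordering makes.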