Hi there, we detected a few potential panic safety issues in this library.
A double free can occur when a panic happens between Box::from_raw and std::mem::forget.
Example as follows:
```rust
use std::ffi::CStr;
use std::path::PathBuf;

// Exported FFI entry point: `mesh` is owned by the C caller, which frees it later.
pub unsafe extern "C" fn mesh_read(mesh: *mut Mesh, path: *const libc::c_char) -> bool {
    // Temporarily takes ownership of the caller's allocation.
    let mut zms = Box::from_raw(mesh);

    let path_str = CStr::from_ptr(path).to_str().unwrap_or_default();
    let p = PathBuf::from(path_str);

    // A panic here unwinds past `forget`, so `zms` is dropped and `mesh` freed.
    let res = zms.read_from_path(&p).is_ok();

    // Gives ownership back to the caller, but only on the non-panicking path.
    std::mem::forget(zms);
    res
}
```
When a panic occurs in `let res = zms.read_from_path(&p).is_ok();` or in the other code between Box::from_raw and std::mem::forget, `zms` will be dropped during unwinding, leaving `mesh` a dangling pointer, which will cause a double-free bug in the calling function.
You can use `mem::ManuallyDrop::new(Box::from_raw(mesh))` instead to avoid this problem.
This type of bug is difficult to detect with test cases, but it does pose a security risk.
Snippet location: rose-tools/rose-lib-ffi/src/zms.rs, lines 18 to 28 at commit 11fc557.
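As an added, runnable illustration (not code from the issue or from rose-lib-ffi) of the drop-during-unwind behaviour described above, here are the two FFI variants side by side. It assumes a constructed `Mesh` that counts its own drops and a `read_from_path` stand-in that always panics; `drops_during_call` is a hypothetical harness that catches the panic and reports how many drops happened inside the call.

```rust
use std::mem::ManuallyDrop;
use std::panic::{catch_unwind, AssertUnwindSafe};
use std::sync::atomic::{AtomicUsize, Ordering};
use std::sync::Arc;

/// Constructed stand-in for the library's Mesh: it counts its own drops.
pub struct Mesh {
    drops: Arc<AtomicUsize>,
}

impl Drop for Mesh {
    fn drop(&mut self) {
        self.drops.fetch_add(1, Ordering::SeqCst);
    }
}

impl Mesh {
    /// Stand-in for read_from_path: always panics to simulate a failure mid-call.
    fn read_from_path(&mut self) -> bool {
        panic!("simulated panic inside read_from_path");
    }
}

/// Issue pattern: a panic before mem::forget drops `zms` while unwinding.
pub unsafe fn mesh_read_unsound(mesh: *mut Mesh) -> bool {
    let mut zms = Box::from_raw(mesh);
    let res = zms.read_from_path();
    std::mem::forget(zms);
    res
}

/// Hardened form from the issue: ManuallyDrop never runs the destructor.
pub unsafe fn mesh_read_sound(mesh: *mut Mesh) -> bool {
    let mut zms = ManuallyDrop::new(Box::from_raw(mesh));
    zms.read_from_path()
}

/// Runs `f` on a fresh Mesh, catches the panic, returns drops seen during the call.
pub fn drops_during_call(f: unsafe fn(*mut Mesh) -> bool) -> usize {
    let drops = Arc::new(AtomicUsize::new(0));
    let raw = Box::into_raw(Box::new(Mesh { drops: Arc::clone(&drops) }));
    let _ = catch_unwind(AssertUnwindSafe(|| unsafe { f(raw) }));
    let count = drops.load(Ordering::SeqCst);
    if count == 0 {
        // Still ours: free it as the FFI caller would. If count > 0 it is already freed.
        unsafe { drop(Box::from_raw(raw)) };
    }
    count
}
```

With the unsound variant the harness sees one drop before the caller ever frees the pointer; with the ManuallyDrop variant it sees none, so the caller's later free is the only one.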