mirror of
https://github.com/rust-lang/rust.git
synced 2026-04-27 18:57:42 +03:00
f4043f8c09
Fix heap overflow in slice::join caused by misbehaving Borrow

This code allocates a buffer using lengths calculated by calling `.borrow()` on some slices, and then copies them over after again calling `.borrow()`. There is no safety-reliable guarantee that these will return the same slices.

While this code calls `.borrow()` three times, only one of them is problematic: the others already use checked indexing.

I made the test a normal library test, but let me know if it should go elsewhere.

Bug discovered by Rust Foundation Security using AI. I'm just helping with the patch as a member of wg-security-response. We do not believe this bug needs embargo, it is a soundness fix for hard-to-trigger unsoundness.
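
The pattern the commit message describes, as an added illustration; this is neither the patch from this commit nor standard library code. `Shifty` and `checked_join` are hypothetical names: the first is a safe-Rust `Borrow` impl that returns a different slice on each call, the second sizes its buffer in one pass and bounds-checks every write in the copy pass.

```rust
use std::borrow::Borrow;
use std::cell::Cell;

/// Constructed type: a legal, safe `Borrow<[u8]>` impl whose result grows
/// after the first call, so a length measured earlier is no longer valid.
struct Shifty {
    calls: Cell<u32>,
}

impl Borrow<[u8]> for Shifty {
    fn borrow(&self) -> &[u8] {
        let n = self.calls.get();
        self.calls.set(n + 1);
        if n == 0 { b"ab" } else { b"abcdefgh" }
    }
}

/// Hypothetical join helper. Pass 1 computes the buffer size from `.borrow()`;
/// pass 2 calls `.borrow()` again and checks each write against that size.
fn checked_join<T: Borrow<[u8]>>(items: &[T], sep: &[u8]) -> Result<Vec<u8>, &'static str> {
    let gaps = items.len().saturating_sub(1);
    let mut reserved = sep.len().checked_mul(gaps).ok_or("length overflow")?;
    for it in items {
        let s: &[u8] = it.borrow();
        reserved = reserved.checked_add(s.len()).ok_or("length overflow")?;
    }
    let mut out = vec![0u8; reserved];
    let mut pos = 0usize;
    for (i, it) in items.iter().enumerate() {
        let lead: &[u8] = if i == 0 { b"" } else { sep };
        let body: &[u8] = it.borrow(); // second call: may differ from pass 1
        for part in [lead, body] {
            let end = pos.checked_add(part.len()).ok_or("length overflow")?;
            // `get_mut` returns None instead of writing past the reserved length.
            let dst = out.get_mut(pos..end).ok_or("borrow() changed between passes")?;
            dst.copy_from_slice(part);
            pos = end;
        }
    }
    out.truncate(pos); // a slice that shrank leaves unused space; drop it
    Ok(out)
}

fn main() {
    println!("{:?}", checked_join(&[b"ab".to_vec(), b"cd".to_vec()], b", "));
    println!("{:?}", checked_join(&[Shifty { calls: Cell::new(0) }], b", "));
}
```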