-
-
Notifications
You must be signed in to change notification settings - Fork 14.9k
Soundness issue in Zip::next() specialization #81740
Copy link
Copy link
Closed
Labels
A-iteratorsArea: IteratorsArea: IteratorsC-bugCategory: This is a bug.Category: This is a bug.I-unsoundIssue: A soundness hole (worst kind of bug), see: https://en.wikipedia.org/wiki/SoundnessIssue: A soundness hole (worst kind of bug), see: https://en.wikipedia.org/wiki/SoundnessP-highHigh priorityHigh priorityT-libsRelevant to the library team, which will review and decide on the PR/issue.Relevant to the library team, which will review and decide on the PR/issue.
Description
Metadata
Metadata
Assignees
Labels
A-iteratorsArea: IteratorsArea: IteratorsC-bugCategory: This is a bug.Category: This is a bug.I-unsoundIssue: A soundness hole (worst kind of bug), see: https://en.wikipedia.org/wiki/SoundnessIssue: A soundness hole (worst kind of bug), see: https://en.wikipedia.org/wiki/SoundnessP-highHigh priorityHigh priorityT-libsRelevant to the library team, which will review and decide on the PR/issue.Relevant to the library team, which will review and decide on the PR/issue.
Type
Fields
Give feedbackNo fields configured for issues without a type.
rust/library/core/src/iter/adapters/zip.rs
Lines 191 to 211 in e708cbd
rust/library/core/src/iter/adapters/zip.rs
Lines 395 to 396 in e708cbd
There is a panic safety issue in
Zip::next()that allows to call__iterator_get_unchecked()to the same index twice.__iterator_get_unchecked()is called at line 204 and theindexis updated at line 206. If line 204 panics, the index is not updated and the subsequentnext()call will use the same index for__iterator_get_unchecked(). This violates the second safety requirement ofTrustedRandomAccess.Here is a playground link that demonstrates creating two mutable references to the same memory location without using unsafe Rust.