Skip to content

Commit

Permalink
Fix potential buffer overflow in insert_many
Browse files Browse the repository at this point in the history 
Fixes servo#252.
  • Loading branch information
@mbrubeck
mbrubeck committed Jan 8, 2021
1 parent 0b2b4e5 commit f41aaaa
Show file tree
Hide file tree
Showing 2 changed files with 16 additions and 1 deletion.
2 changes: 1 addition & 1 deletion src/lib.rs
View file
Expand Up @@ -1041,7 +1041,7 @@ impl<A: Array> SmallVec<A> {
let mut cur = ptr.add(num_added);
if num_added >= lower_size_bound {
// Iterator provided more elements than the hint. Move trailing items again.
self.reserve(1);
self.reserve(guard.len + 1);
let start = self.as_mut_ptr();
ptr = start.add(index);
cur = ptr.add(num_added);
Expand Down
15 changes: 15 additions & 0 deletions src/tests.rs
View file
Expand Up @@ -905,3 +905,18 @@ fn empty_macro() {
fn zero_size_items() {
SmallVec::<[(); 0]>::new().push(());
}

#[test]
fn test_insert_many_overflow() {
let mut v: SmallVec<[u8; 0]> = SmallVec::new();

// Spill on heap
v.push(123);

// Prepare an iterator with small lower bound
let iter = (0u8..=255).filter(|n| n % 2 == 0);
assert_eq!(iter.size_hint().0, 0);

// Triggering the bug
v.insert_many(0, iter);
}

0 comments on commit f41aaaa

Please sign in to comment.