From 5607fec7f58f30b96268389714647a27606e044b Mon Sep 17 00:00:00 2001 From: Andrew Poelstra Date: Fri, 2 Dec 2022 12:58:32 +0000 Subject: [PATCH] context: introduce unsafe `PreallocatedContext` trait Fixes unsoundness in `preallocated_gen_new` which previously did not properly constrain the lifetime of the buffer used to back the context object. We introduce an unsafe marker trait, and impl it for our existing preallocated-context markers. Annoyingly the trait has to be public even though it should never be used directly, and is only used alongside the sealed `Context` trait, so it is de-facto sealed itself. Fixes #543 --- src/context.rs | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/src/context.rs b/src/context.rs index d90d33290..7a6ce2c91 100644 --- a/src/context.rs +++ b/src/context.rs @@ -318,7 +318,15 @@ unsafe impl<'buf> Context for AllPreallocated<'buf> { } } -impl<'buf, C: Context + 'buf> Secp256k1 { +/// Trait marking that a particular context object internally points to +/// memory that must outlive `'a` +pub unsafe trait PreallocatedContext<'a> {} + +unsafe impl<'buf> PreallocatedContext<'buf> for AllPreallocated<'buf> {} +unsafe impl<'buf> PreallocatedContext<'buf> for SignOnlyPreallocated<'buf> {} +unsafe impl<'buf> PreallocatedContext<'buf> for VerifyOnlyPreallocated<'buf> {} + +impl<'buf, C: Context + PreallocatedContext<'buf>> Secp256k1 { /// Lets you create a context with a preallocated buffer in a generic manner (sign/verify/all). pub fn preallocated_gen_new(buf: &'buf mut [AlignedType]) -> Result, Error> { #[cfg(target_arch = "wasm32")] @@ -428,3 +436,4 @@ impl<'buf> Secp256k1> { ManuallyDrop::new(Secp256k1 { ctx: NonNull::new_unchecked(raw_ctx), phantom: PhantomData }) } } +