httparse icon indicating copy to clipboard operation
httparse copied to clipboard
verified publisher icon seanmonstar

Bytes::peek_ahead is unsound

Open hkBst opened this issue 1 year ago • 2 comments

If n is large enough to cause wrapping then self.cursor.wrapping_add(n) would likely be less than self.start. Either saturating_add is needed, or a test that n < end - cursor.

https://github.com/seanmonstar/httparse/blob/master/src/iter.rs#L44-L55

Edit: actually saturating_add does not (yet?) exist for pointer arithmetic

hkBst avatar Oct 19 '24 21:10 hkBst

Hm, that does seem true. I'll just note that a search of the method shows it's only ever used correctly. Actually, it's only used once, to check for the 5th byte after comparing the previous 4. That usage could probably be touched up... Though I recognize that match was very specifically tuned to improve performance...

seanmonstar avatar Oct 21 '24 19:10 seanmonstar

Right, there is only a single use as you noted, here: https://github.com/seanmonstar/httparse/blob/97c7e6e23672df1482930bdcd5ff1eae3dbecf16/src/lib.rs#L843-L867

and the computed pointer is at most one element past the end of the bytes slice, but that also means that there is no need for wrapping_add instead of add. I've made a PR inlining this function and removing it: #188.

hkBst avatar Oct 22 '24 20:10 hkBst