From ebe402dc9e708a8ed5e5860a7b30ea7826ab52a1 Mon Sep 17 00:00:00 2001 From: Steven Fackler Date: Mon, 11 Jan 2021 07:27:03 -0500 Subject: [PATCH] Fix handling of malicious Readers in read_to_end --- library/std/src/io/mod.rs | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/library/std/src/io/mod.rs b/library/std/src/io/mod.rs index 7ad9e446c599..0bc0e0e8e83d 100644 --- a/library/std/src/io/mod.rs +++ b/library/std/src/io/mod.rs @@ -390,7 +390,14 @@ where ret = Ok(g.len - start_len); break; } - Ok(n) => g.len += n, + Ok(n) => { + // We can't let g.len overflow which would result in the vec shrinking when the function returns. In + // particular, that could break read_to_string if the shortened buffer doesn't end on a UTF-8 boundary. + // The minimal check would just be a checked_add, but this assert is a bit more precise and should be + // just about the same cost. + assert!(n <= g.buf.len() - g.len); + g.len += n; + } Err(ref e) if e.kind() == ErrorKind::Interrupted => {} Err(e) => { ret = Err(e);