Skip to content
New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

#

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Jump to bottom

read_mp4 can expose uninitialised data to third party code (unsound) #172

Closed
nox opened this issue Feb 19, 2019 · 1 comment
Closed

read_mp4 can expose uninitialised data to third party code (unsound) #172

nox opened this issue Feb 19, 2019 · 1 comment

Comments

@nox
Copy link
Contributor

nox commented Feb 19, 2019

read_mp4 calls read_moov which calls read_pssh which calls read_buf which calls allocate_read_buf and passes its result to Read::read.

mp4parse-rust/mp4parse/src/lib.rs

Lines 2320 to 2321 in 26e614b

if let Ok(mut buf) = allocate_read_buf(size) {
let r = src.read(&mut buf)?;

But the trait Read is not unsafe, and it is never guaranteed to limit itself to writing to its single argument buf, and the result of allocate_read_buf is a vector of uninitialised bytes (that function should be unsafe, btw).

There were discussions about introducing a new unsafe trait in libstd to signal that a Read implementation doesn't read in the writer it's supposed to write to, I don't know what became of it but I just found out about rust-lang/rust#42788 which seems related.
@kinetiknz
Copy link
Collaborator

Thanks for filing this. I wasn't aware of that pitfall for Read, but now that I've re-read the trait's documentation I understand this can happen.

In this particular case:

  • Only the "mp4parse_fallible" path of allocate_read_buf can return an uninitialized vec.
  • The "mp4parse_fallible" feature is only safe to enable within Gecko due to guaranteed allocator sharing between subsystems.
  • Gecko only ever passes in a Read implementation that does not read from the buffer passed in to Read::read.

So this problem can't happen in practice in this code.

However, it's easy to address by initializing the buffer in the "mp4parse_fallible" path and seems worth doing since otherwise allocate_read_buf should be marked unsafe as you mentioned.

kinetiknz added a commit to kinetiknz/mp4parse-rust that referenced this issue Feb 19, 2019
@kinetiknz
Zero initialize Vec returned from mp4parse_falliable branch of alloca…
ddfb009 
…te_read_buf.

Also delete vec_reserve, which is completely unused.

Closes mozilla#172.
kinetiknz added a commit to kinetiknz/mp4parse-rust that referenced this issue Feb 19, 2019
@kinetiknz
Zero initialize Vec returned from mp4parse_fallable branch of allocat…
e93e003 
…e_read_buf.

Also delete vec_reserve, which is completely unused.

Closes mozilla#172.
@kinetiknz kinetiknz mentioned this issue Feb 19, 2019
Merged
kinetiknz added a commit to kinetiknz/mp4parse-rust that referenced this issue Feb 20, 2019
@kinetiknz
Zero initialize Vec returned from mp4parse_fallable branch of allocat…
0e4b046 
…e_read_buf.

Also delete vec_reserve, which is completely unused.

Closes mozilla#172.
kinetiknz added a commit that referenced this issue Feb 20, 2019
@kinetiknz
Zero initialize Vec returned from mp4parse_fallable branch of allocat…
518b082 
…e_read_buf.

Also delete vec_reserve, which is completely unused.

Closes #172.
@Shnatsel Shnatsel mentioned this issue Jun 19, 2019
Closed
@kinetiknz kinetiknz mentioned this issue Mar 2, 2020
Merged
# for free to join this conversation on GitHub. Already have an account? # to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@kinetiknz @nox