Improve safety of get_unchecked_str in nu_system::macos (#12550)

# Description
The implementation of this function had a few issues before:

- It didn't check that the `cp` pointer is actually ahead of the `start`
pointer, so `len` could potentially underflow and wrap around, which
would be a violation of memory safety
- It used `Vec::from_raw_parts` even though the buffer is borrowed, not
owned. Although `std::mem::forget` is used later to ensure the
destructor doesn't run, there is a risk that the destructor would run if
a panic happened during `String::from_utf8_unchecked`, which would lead
to a `free()` of a pointer we don't own
This commit is contained in:
Devyn Cairns 2024-04-17 02:10:05 -07:00 committed by GitHub
parent 9a739d9f0d
commit b296d6ee3c
No known key found for this signature in database
GPG key ID: B5690EEEBB952194

View file

@ -146,11 +146,9 @@ pub struct PathInfo {
#[cfg_attr(tarpaulin, ignore)]
unsafe fn get_unchecked_str(cp: *mut u8, start: *mut u8) -> String {
let len = cp as usize - start as usize;
let part = Vec::from_raw_parts(start, len, len);
let tmp = String::from_utf8_unchecked(part.clone());
::std::mem::forget(part);
tmp
let len = (cp as usize).saturating_sub(start as usize);
let part = std::slice::from_raw_parts(start, len);
String::from_utf8_unchecked(part.to_vec())
}
#[cfg_attr(tarpaulin, ignore)]