I want to ask here before making a bug report about this, but I think

Lines 157 to 161 in e8566a9

The docs for

However, I'm kind of at a loss to explain how

If resizing can invalidate the pointer, then the Rust code is unsound as it contains a potential use-after-free. This could be easily fixed by swapping the order of the two lines of code above (which would require grabbing

This smells like a doc bug on the Python side as well (they should note that

Or is there some reason that this is definitely sound that I'm not seeing?
Replies: 1 comment 3 replies
I think your analysis is right -- the reason the test doesn't catch this is that for values <256 there's a small buffer allocated inline in the PyBytesWriter, and the test case's data fits within that:
pyo3/src/byteswriter.rs
Line 244 in e8566a9
If you extended that to write 1Kb of data it'd fail.
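
The effect described in this reply, as an added example that is not part of the thread and is not CPython or PyO3 code: a toy Rust model of a writer with an inline buffer, showing that a pointer fetched before a resize stays valid while the data fits inline and goes stale once the resize spills to the heap. The 256-byte size is taken from the reply; `ModelWriter` and its methods are hypothetical names.

```rust
// Toy model only (added example): not CPython's PyBytesWriter, not PyO3 code.
const INLINE_CAP: usize = 256; // assumption: inline size as stated in the reply

struct ModelWriter {
    inline: [u8; INLINE_CAP],
    heap: Option<Vec<u8>>, // used once the requested size exceeds INLINE_CAP
    len: usize,
}

impl ModelWriter {
    fn new() -> Self {
        ModelWriter { inline: [0; INLINE_CAP], heap: None, len: 0 }
    }

    /// Address of the buffer that currently holds the data.
    fn data_ptr(&mut self) -> *mut u8 {
        match self.heap.as_mut() {
            Some(v) => v.as_mut_ptr(),
            None => self.inline.as_mut_ptr(),
        }
    }

    /// Resize; spills to the heap when the size no longer fits inline.
    fn resize(&mut self, new_len: usize) {
        if self.heap.is_none() && new_len > INLINE_CAP {
            let mut v = self.inline[..self.len].to_vec();
            v.resize(new_len, 0);
            self.heap = Some(v);
        } else if let Some(v) = self.heap.as_mut() {
            v.resize(new_len, 0);
        }
        self.len = new_len;
    }
}

/// Fetch the pointer, resize, then report whether the earlier pointer is stale.
/// Only addresses are compared; the old pointer is never dereferenced.
fn pointer_stale_after_resize(new_len: usize) -> bool {
    let mut w = ModelWriter::new();
    let before = w.data_ptr() as usize;
    w.resize(new_len);
    before != w.data_ptr() as usize
}

fn main() {
    for n in [16, 256, 1024] {
        println!("resize to {n:>4}: stale = {}", pointer_stale_after_resize(n));
    }
}
```

A test that only writes data fitting the inline buffer exercises the first two cases and never observes the pointer move.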