Hi, I hv noticed that there are several dangling pointer used in the pub register_kbd_from_rmlvo function, provided in this crate.
|
pub fn register_kbd_from_rmlvo<ID: 'static>(evqh: &mut EventQueueHandle, kbd: &WlKeyboard, |
|
implem: MappedKeyboardImplementation<ID>, idata: ID, |
|
rmlvo: RMLVO) |
|
-> Result<(), MappedKeyboardError> { |
|
let mut mapped_kbd = KbState::new()?; |
|
|
|
fn to_cstring(s: Option<String>) -> Result<Option<CString>, MappedKeyboardError> { |
|
s.map_or(Ok(None), |s| CString::new(s).map(Option::Some)) |
|
.map_err(|_| MappedKeyboardError::BadNames) |
|
} |
|
|
|
let rules = to_cstring(rmlvo.rules)?; |
|
let model = to_cstring(rmlvo.model)?; |
|
let layout = to_cstring(rmlvo.layout)?; |
|
let variant = to_cstring(rmlvo.variant)?; |
|
let options = to_cstring(rmlvo.options)?; |
|
|
|
let xkb_names = ffi::xkb_rule_names { |
|
rules: rules.map_or(ptr::null(), |s| s.as_ptr()), |
|
model: model.map_or(ptr::null(), |s| s.as_ptr()), |
|
layout: layout.map_or(ptr::null(), |s| s.as_ptr()), |
|
variant: variant.map_or(ptr::null(), |s| s.as_ptr()), |
|
options: options.map_or(ptr::null(), |s| s.as_ptr()), |
|
}; |
The problematic code is from line 408 to line 412, passing dangling pointers to FFI calls after their CString data are already dropped, which are use-after-free bugs.
