Protect Box.unbox from dereferencing null pointer (#16514)

straight-shoota · web-flow · commit ae4cbdba8c0d · 2025-12-20T19:39:23.000+01:00
Unboxing a null pointer leads to invalid memory access when the target type is not nilable.

We can avoid this by raising an explicit exception. This makes `Box.unbox` a little bit safer.

Of course, we can still not protect against any other invalid pointer. But null pointers are easily identifiable as invalid. This is low-hanging fruit for a bit more implicit memory safety.
diff --git a/spec/std/box_spec.cr b/spec/std/box_spec.cr
@@ -57,6 +57,32 @@ describe "Box" do
     Box(Nil).unbox(box).should be_nil
   end
 
+  describe "unboxing a null pointer" do
+    it "returns nil if nilable" do
+      Box(Nil).unbox(Pointer(Void).null).should be_nil
+      Box(String?).unbox(Pointer(Void).null).should be_nil
+      Box(UInt8*).unbox(Pointer(Void).null).should eq Pointer(UInt8).null
+    end
+
+    it "raises if non-nilable" do
+      expect_raises(NilAssertionError, "Unboxing null pointer") do
+        Box(String).unbox(Pointer(Void).null)
+      end
+      expect_raises(NilAssertionError, "Unboxing null pointer") do
+        Box(Int32).unbox(Pointer(Void).null)
+      end
+    end
+
+    it "raises for mixed union" do
+      expect_raises(NilAssertionError, "Unboxing null pointer in mixed union") do
+        Box(Int32 | String?).unbox(Pointer(Void).null)
+      end
+      expect_raises(NilAssertionError, "Unboxing null pointer in mixed union") do
+        Box(Int32?).unbox(Pointer(Void).null)
+      end
+    end
+  end
+
   it "boxing nil in a reference-like union returns a null pointer (#11839)" do
     box = Box.box(nil.as(String?))
     box.address.should eq(0)
diff --git a/src/box.cr b/src/box.cr
@@ -39,13 +39,26 @@ class Box(T)
   # Unboxes a `Void*` into an object of type `T`. Note that for this you must
   # specify T: `Box(T).unbox(data)`.
   #
+  # Raises `NilAssertionError` if *pointer* is null and `T` is not nilable.
+  #
   # WARNING: It is undefined behavior to box an object in one type and unbox it
   # via a different type; in particular, when boxing a `T` and unboxing it as a
   # `T?`, or vice-versa.
   def self.unbox(pointer : Void*) : T
-    {% if T < Pointer || T.union_types.all? { |t| t == Nil || t < Reference } %}
+    {% if T < Pointer %}
+      pointer.as(T)
+    {% elsif T.union_types.all? { |t| t == Nil || t < Reference } %}
+      {% unless T.union_types.any? { |t| t == Nil } %}
+        if pointer.null?
+          raise NilAssertionError.new("Unboxing null pointer")
+        end
+      {% end %}
       pointer.as(T)
     {% else %}
+      if pointer.null?
+        raise NilAssertionError.new("Unboxing null pointer in mixed union")
+      end
+
       pointer.as(self).object
     {% end %}
   end
