Merge pull request #963 from schungx/master

schungx · web-flow · commit b4f78896d923 · 2025-03-11T20:48:02.000+08:00
Fix integer overflow bug
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,6 +1,15 @@
 Rhai Release Notes
 ==================
 
+Version 1.22.0
+==============
+
+Bug fixes
+---------
+
+* (Fuzzing) An integer-overflow bug from an inclusive range in `get_bits` is fixed.
+
+
 Version 1.21.0
 ==============
 
diff --git a/Cargo.toml b/Cargo.toml
@@ -36,7 +36,7 @@ serde_json = { version = "1.0.45", default-features = false, features = ["alloc"
 unicode-xid = { version = "0.2.0", default-features = false, optional = true }
 rust_decimal = { version = "1.16.0", default-features = false, features = ["maths"], optional = true }
 getrandom = { version = "0.2.0", optional = true }
-rustyline = { version = "13.0.0", optional = true }
+rustyline = { version = "15.0.0", optional = true }
 document-features = { version = "0.2.0", optional = true }
 arbitrary = { version = "1.3.2", optional = true, features = ["derive"] }
 
@@ -164,7 +164,7 @@ features = ["document-features", "metadata", "serde", "internals", "decimal", "d
 [patch.crates-io]
 # Notice that a custom modified version of `rustyline` is used which supports bracketed paste on Windows.
 # This can be moved to the official version when bracketed paste is added.
-rustyline = { git = "https://github.com/schungx/rustyline", branch = "v13" }
+rustyline = { git = "https://github.com/schungx/rustyline", branch = "v15_fake" }
 
 # Patch SmartString to resolve an UB issue.
 #smartstring = { git = "https://github.com/bodil/smartstring", ref = "refs/pull/34/head" }
diff --git a/codegen/src/lib.rs b/codegen/src/lib.rs
@@ -312,7 +312,7 @@ pub fn derive_custom_type(input: TokenStream) -> TokenStream {
 /// Macro to automatically expose a Rust function, type-def or use statement as `pub` when under the
 /// `internals` feature.
 ///
-/// If the `internals` is not enabled, the item will be exposed as `pub(crate)`.
+/// If the `internals` feature is not enabled, the item will be exposed as `pub(crate)`.
 ///
 /// In order to avoid confusion, there must not be any visibility modifier on the item.
 #[proc_macro_attribute]
diff --git a/src/packages/bit_field.rs b/src/packages/bit_field.rs
@@ -2,7 +2,7 @@ use crate::eval::calc_index;
 use crate::plugin::*;
 use crate::{
     def_package, ExclusiveRange, InclusiveRange, Position, RhaiResultOf, ERR, INT, INT_BITS,
-    UNSIGNED_INT,
+    MAX_USIZE_INT, UNSIGNED_INT,
 };
 #[cfg(feature = "no_std")]
 use std::prelude::v1::*;
@@ -106,6 +106,12 @@ mod bit_field_functions {
     pub fn get_bits_range_inclusive(value: INT, range: InclusiveRange) -> RhaiResultOf<INT> {
         let from = INT::max(*range.start(), 0);
         let to = INT::max(*range.end(), from - 1);
+
+        #[allow(clippy::cast_sign_loss, clippy::cast_possible_truncation)]
+        if to > MAX_USIZE_INT || (to as usize) >= INT_BITS {
+            return Err(ERR::ErrorBitFieldBounds(INT_BITS, to, Position::NONE).into());
+        }
+
         get_bits(value, from, to - from + 1)
     }
     /// Return a portion of bits in the number as a new number.
@@ -126,6 +132,11 @@ mod bit_field_functions {
         if bits <= 0 {
             return Ok(0);
         }
+        let bits = if bits > MAX_USIZE_INT {
+            MAX_USIZE_INT
+        } else {
+            bits
+        };
 
         let bit = calc_index(INT_BITS, start, true, || {
             ERR::ErrorBitFieldBounds(INT_BITS, start, Position::NONE).into()
diff --git a/src/tokenizer.rs b/src/tokenizer.rs
@@ -1195,23 +1195,23 @@ pub trait InputStream {
 ///
 /// # Returns
 ///
-/// | Type                      | Return Value                        |`state.is_within_text_terminated_by`  |
-/// |---------------------------|:-----------------------------------:|:------------------------------------:|
-/// |`#"hello"#`                |`StringConstant("hello")`            |`None`                                |
-/// |`#"hello`_{EOF}_           |`StringConstant("hello")`            |`Some("#")`                           |
-/// |`####"hello`_{EOF}_        |`StringConstant("hello")`            |`Some("####")`                        |
-/// |`#" "hello" "`_{EOF}_      |`LexError`                           |`None`                                |
-/// |`#""hello""#`              |`StringConstant("\"hello\"")`        |`None`                                |
-/// |`##"hello #"# world"##`    |`StringConstant("hello #\"# world")` |`None`                                |
-/// |`#"R"#`                    |`StringConstant("R")`                |`None`                                |
-/// |`#"\x52"#`                 |`StringConstant("\\x52")`            |`None`                                |
+/// | Type                      | Return Value                                                 |`state.is_within_text_terminated_by`  |
+/// |---------------------------|:------------------------------------------------------------:|:------------------------------------:|
+/// |`#"hello"#`                |[`StringConstant("hello")`][Token::StringConstant]            |`None`                                |
+/// |`#"hello`_{EOF}_           |[`StringConstant("hello")`][Token::StringConstant]            |`Some("#")`                           |
+/// |`####"hello`_{EOF}_        |[`StringConstant("hello")`][Token::StringConstant]            |`Some("####")`                        |
+/// |`#" "hello" "`_{EOF}_      |[`LexError`]                                                  |`None`                                |
+/// |`#""hello""#`              |[`StringConstant("\"hello\"")`][Token::StringConstant]        |`None`                                |
+/// |`##"hello #"# world"##`    |[`StringConstant("hello #\"# world")`][Token::StringConstant] |`None`                                |
+/// |`#"R"#`                    |[`StringConstant("R")`][Token::StringConstant]                |`None`                                |
+/// |`#"\x52"#`                 |[`StringConstant("\\x52")`][Token::StringConstant]            |`None`                                |
 ///
-/// This function does _not_ throw a `LexError` for an unterminated raw string at _{EOF}_
+/// This function does _not_ throw a [`LexError`] for an unterminated raw string at _{EOF}_
 ///
 /// This is to facilitate using this function to parse a script line-by-line, where the end of the
 /// line (i.e. _{EOF}_) is not necessarily the end of the script.
 ///
-/// Any time a [`StringConstant`][`Token::StringConstant`] is returned with
+/// Any time a [`StringConstant`][Token::StringConstant] is returned with
 /// `state.is_within_text_terminated_by` set to `Some(_)` is one of the above conditions.
 pub fn parse_raw_string_literal(
     stream: &mut (impl InputStream + ?Sized),
@@ -1321,18 +1321,18 @@ pub fn parse_raw_string_literal(
 ///
 /// # Returns
 ///
-/// | Type                            | Return Value               |`state.is_within_text_terminated_by`|
-/// |---------------------------------|:--------------------------:|:----------------------------------:|
-/// |`"hello"`                        |`StringConstant("hello")`   |`None`                              |
-/// |`"hello`_{LF}_ or _{EOF}_        |`LexError`                  |`None`                              |
-/// |`"hello\`_{EOF}_ or _{LF}{EOF}_  |`StringConstant("hello")`   |`Some('"')`                         |
-/// |`` `hello``_{EOF}_               |`StringConstant("hello")`   |``Some('`')``                       |
-/// |`` `hello``_{LF}{EOF}_           |`StringConstant("hello\n")` |``Some('`')``                       |
-/// |`` `hello ${``                   |`InterpolatedString("hello ")`<br/>next token is `{`|`None`      |
-/// |`` } hello` ``                   |`StringConstant(" hello")`  |`None`                              |
-/// |`} hello`_{EOF}_                 |`StringConstant(" hello")`  |``Some('`')``                       |
+/// | Type                            | Return Value                                        |`state.is_within_text_terminated_by`|
+/// |---------------------------------|:---------------------------------------------------:|:----------------------------------:|
+/// |`"hello"`                        |[`StringConstant("hello")`][Token::StringConstant]   |`None`                              |
+/// |`"hello`_{LF}_ or _{EOF}_        |[`LexError`]                                         |`None`                              |
+/// |`"hello\`_{EOF}_ or _{LF}{EOF}_  |[`StringConstant("hello")`][Token::StringConstant]   |`Some('"')`                         |
+/// |`` `hello``_{EOF}_               |[`StringConstant("hello")`][Token::StringConstant]   |``Some('`')``                       |
+/// |`` `hello``_{LF}{EOF}_           |[`StringConstant("hello\n")`][Token::StringConstant] |``Some('`')``                       |
+/// |`` `hello ${``                   |[`InterpolatedString("hello ")`][Token::InterpolatedString]<br/>next token is `{`|`None`  |
+/// |`` } hello` ``                   |[`StringConstant(" hello")`][Token::StringConstant]  |`None`                              |
+/// |`} hello`_{EOF}_                 |[`StringConstant(" hello")`][Token::StringConstant]  |``Some('`')``                       |
 ///
-/// This function does not throw a `LexError` for the following conditions:
+/// This function does not throw a [`LexError`] for the following conditions:
 ///
 /// * Unterminated literal string at _{EOF}_
 ///
@@ -1341,7 +1341,7 @@ pub fn parse_raw_string_literal(
 /// This is to facilitate using this function to parse a script line-by-line, where the end of the
 /// line (i.e. _{EOF}_) is not necessarily the end of the script.
 ///
-/// Any time a [`StringConstant`][`Token::StringConstant`] is returned with
+/// Any time a [`StringConstant`][Token::StringConstant] is returned with
 /// `state.is_within_text_terminated_by` set to `Some(_)` is one of the above conditions.
 pub fn parse_string_literal(
     stream: &mut (impl InputStream + ?Sized),
diff --git a/tests/get_set.rs b/tests/get_set.rs
@@ -163,12 +163,12 @@ fn test_get_set_chain_without_write_back() {
 
     engine
         .register_type::<Inner>()
-        .register_get_set("value", |t: &mut Inner| t.value, |_: NativeCallContext, _: &mut Inner, new: INT| panic!("Inner::value setter called with {}", new))
+        .register_get_set("value", |t: &mut Inner| t.value, |_: NativeCallContext, _: &mut Inner, new: INT| -> () { panic!("Inner::value setter called with {}", new) })
         .register_type::<Outer>()
-        .register_get_set("inner", |_: NativeCallContext, t: &mut Outer| t.inner.clone(), |_: &mut Outer, new: Inner| panic!("Outer::inner setter called with {:?}", new));
+        .register_get_set("inner", |_: NativeCallContext, t: &mut Outer| t.inner.clone(), |_: &mut Outer, new: Inner| -> () { panic!("Outer::inner setter called with {:?}", new) });
 
     #[cfg(not(feature = "no_index"))]
-    engine.register_indexer_get_set(|t: &mut Outer, n: INT| Inner { value: t.inner.value * n }, |_: &mut Outer, n: INT, new: Inner| panic!("Outer::inner index setter called with {} and {:?}", n, new));
+    engine.register_indexer_get_set(|t: &mut Outer, n: INT| Inner { value: t.inner.value * n }, |_: &mut Outer, n: INT, new: Inner| -> () { panic!("Outer::inner index setter called with {} and {:?}", n, new) });
 
     assert_eq!(engine.eval_with_scope::<INT>(&mut scope, "outer.inner.value").unwrap(), 42);
 
