Fix soundness hole in Ref::into_ref and into_mut (#721)

This commit implements the fix for #716 which will be released as a new version in version trains 0.2, 0.3, 0.4, 0.5, 0.6, and 0.7. See #716 for a description of the soundness hole and an explanation of why this fix is chosen. Unfortunately, due to dtolnay/trybuild#241, there is no way for us to write a UI test that will detect a failure post-monomorphization, which is when the code implemented in this change is designed to fail. I have manually verified that unsound uses of these APIs now fail to compile. Release 0.5.2.
google · Dec 13, 2023 · 02f7742 · 02f7742
1 parent cfb2a95
commit 02f7742
Show file tree

Hide file tree

Showing 5 changed files with 373 additions and 82 deletions.
diff --git a/Cargo.toml.crates-io → Cargo.toml b/Cargo.toml.crates-io → Cargo.toml
@@ -7,7 +7,7 @@
 [package]
 edition = "2018"
 name = "zerocopy"
-version = "0.5.1"
+version = "0.5.2"
 authors = ["Joshua Liebow-Feeser <joshlf@google.com>"]
 description = "Utilities for zero-copy parsing and serialization"
 license = "BSD-3-Clause"

diff --git a/src/byteorder.rs b/src/byteorder.rs
@@ -311,9 +311,42 @@ define_type!(
     [u32, u64, u128, usize],
     [U32, U64, U128]
 );
-define_type!(A, U32, u32, 32, 4, read_u32, write_u32, unsigned, [u64, u128], [U64, U128]);
-define_type!(A, U64, u64, 64, 8, read_u64, write_u64, unsigned, [u128], [U128]);
-define_type!(A, U128, u128, 128, 16, read_u128, write_u128, unsigned, [], []);
+define_type!(
+    A,
+    U32,
+    u32,
+    32,
+    4,
+    read_u32,
+    write_u32,
+    unsigned,
+    [u64, u128],
+    [U64, U128]
+);
+define_type!(
+    A,
+    U64,
+    u64,
+    64,
+    8,
+    read_u64,
+    write_u64,
+    unsigned,
+    [u128],
+    [U128]
+);
+define_type!(
+    A,
+    U128,
+    u128,
+    128,
+    16,
+    read_u128,
+    write_u128,
+    unsigned,
+    [],
+    []
+);
 define_type!(
     An,
     I16,
@@ -326,9 +359,42 @@ define_type!(
     [i32, i64, i128, isize],
     [I32, I64, I128]
 );
-define_type!(An, I32, i32, 32, 4, read_i32, write_i32, signed, [i64, i128], [I64, I128]);
-define_type!(An, I64, i64, 64, 8, read_i64, write_i64, signed, [i128], [I128]);
-define_type!(An, I128, i128, 128, 16, read_i128, write_i128, signed, [], []);
+define_type!(
+    An,
+    I32,
+    i32,
+    32,
+    4,
+    read_i32,
+    write_i32,
+    signed,
+    [i64, i128],
+    [I64, I128]
+);
+define_type!(
+    An,
+    I64,
+    i64,
+    64,
+    8,
+    read_i64,
+    write_i64,
+    signed,
+    [i128],
+    [I128]
+);
+define_type!(
+    An,
+    I128,
+    i128,
+    128,
+    16,
+    read_i128,
+    write_i128,
+    signed,
+    [],
+    []
+);
 
 #[cfg(test)]
 mod tests {