fix #120603 by adding a check in default_read_buf

2024-02-03 11:30:26 +00:00 · 2024-02-03 11:30:26 +00:00 · a27e45a71b
commit a27e45a71b
parent bf3c6c5bed
2 changed files with 22 additions and 1 deletions
--- a/library/std/src/io/mod.rs
+++ b/library/std/src/io/mod.rs
@ -578,8 +578,13 @@ pub(crate) fn default_read_buf<F>(read: F, mut cursor: BorrowedCursor<'_>) -> Re
    F: FnOnce(&mut [u8]) -> Result<usize>,
 {
    let n = read(cursor.ensure_init().init_mut())?;
+    assert!(
+        n <= cursor.capacity(),
+        "read should not return more bytes than there is capacity for in the read buffer"
+    );
    unsafe {
-        // SAFETY: we initialised using `ensure_init` so there is no uninit data to advance to.
+        // SAFETY: we initialised using `ensure_init` so there is no uninit data to advance to
+        // and we have checked that the read amount is not over capacity (see #120603)
        cursor.advance(n);
    }
    Ok(())
--- a/library/std/src/io/tests.rs
+++ b/library/std/src/io/tests.rs
@ -652,3 +652,19 @@ fn bench_take_read_buf(b: &mut test::Bencher) {
        [255; 128].take(64).read_buf(buf.unfilled()).unwrap();
    });
 }
+
+// Issue #120603
+#[test]
+#[should_panic = "read should not return more bytes than there is capacity for in the read buffer"]
+fn read_buf_broken_read() {
+    struct MalformedRead;
+
+    impl Read for MalformedRead {
+        fn read(&mut self, buf: &mut [u8]) -> io::Result<usize> {
+            // broken length calculation
+            Ok(buf.len() + 1)
+        }
+    }
+
+    BufReader::new(MalformedRead).read(&mut [0; 4]).unwrap();
+}