Fix handling of malicious Readers in read_to_end

2021-01-11 07:27:03 -05:00 · 2021-01-11 07:27:03 -05:00 · ebe402dc9e
commit ebe402dc9e
parent c97f11af7b
1 changed files with 8 additions and 1 deletions
--- a/library/std/src/io/mod.rs
+++ b/library/std/src/io/mod.rs
@ -390,7 +390,14 @@ where
                ret = Ok(g.len - start_len);
                break;
            }
-            Ok(n) => g.len += n,
+            Ok(n) => {
+                // We can't let g.len overflow which would result in the vec shrinking when the function returns. In
+                // particular, that could break read_to_string if the shortened buffer doesn't end on a UTF-8 boundary.
+                // The minimal check would just be a checked_add, but this assert is a bit more precise and should be
+                // just about the same cost.
+                assert!(n <= g.buf.len() - g.len);
+                g.len += n;
+            }
            Err(ref e) if e.kind() == ErrorKind::Interrupted => {}
            Err(e) => {
                ret = Err(e);