Open
Description
Hello, my team is developing a static analyzer to check Safe Rust code that may trigger UB. After downloading the repo from crates.io, we ran our checker and received warnings, leading us to construct cases that can trigger UB in safe code.
I've discovered an unsound issue in the latest version. This seems to have occurred in old versions, and the maintainer marked it as unsafe. However, I'm unsure why it's now being treated as a safe function again. I recommend changing it back to unsafe. :)
```rust
use substreams::memory::get_output_data;

fn main() {
    // Layout expected by get_output_data:
    // [0..4): value_ptr (u32 LE)
    // [4..8): value_len (u32 LE)
    // We set value_ptr=1 (invalid/non-allocated) and value_len=16.
    // get_output_data is SAFE but will construct Vec::from_raw_parts(0x1, 16, 16).
    // Dropping that Vec triggers an invalid free/abort (UB) in release builds.
    let mut header = [0u8; 8];
    header[0..4].copy_from_slice(&1u32.to_le_bytes());
    header[4..8].copy_from_slice(&16u32.to_le_bytes());
    let v = get_output_data(header.as_mut_ptr());
    // Force drop at end of scope (or could touch v to trigger reads).
    drop(v);
    // If the process didn't abort, something is very wrong; still exit non-zero.
    std::process::exit(1);
}
```
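The following is an added illustration of the fix the report asks for, not code from the substreams crate or from the reporter. It reimplements the same two-word header (pointer, then length, little-endian) with a hypothetical `take_output_data` that carries the `Vec::from_raw_parts` contract in a `# Safety` section and is therefore `unsafe fn`; only the header parsing, which merely reads two integers, stays a safe function. One assumption is made so the example runs natively: both header words are pointer-sized (`usize`) rather than the `u32` used on the crate's wasm32 target. The producer side (`publish_output_data`) shows what a caller has to do to honour the contract: hand over an allocation it owns exactly once, with capacity equal to length.

```rust
use std::convert::TryInto;
use std::mem::size_of;

// Header layout as in the issue: pointer word, then length word, little-endian.
// Assumption for this example: both words are pointer-sized so it runs on a
// 64-bit host; the crate's wasm32 target uses u32 for both.
const WORD: usize = size_of::<usize>();
const HEADER_LEN: usize = 2 * WORD;

/// A parsed header: a description of memory, not ownership of it.
#[derive(Debug, PartialEq)]
pub struct OutputHeader {
    pub value_ptr: usize,
    pub value_len: usize,
}

/// Safe: decoding two integers from a byte slice requires no trust in them.
/// Returns None instead of reading past a short buffer.
pub fn parse_output_header(header: &[u8]) -> Option<OutputHeader> {
    if header.len() < HEADER_LEN {
        return None;
    }
    let word = |i: usize| -> usize {
        let bytes: [u8; WORD] = header[i * WORD..(i + 1) * WORD].try_into().unwrap();
        usize::from_le_bytes(bytes)
    };
    Some(OutputHeader { value_ptr: word(0), value_len: word(1) })
}

/// Reconstructs the Vec described by `header` and takes ownership of it.
///
/// # Safety
/// `value_ptr` must point to a live allocation made by the global allocator
/// for a `Vec<u8>` (or `Box<[u8]>`) whose capacity equals `value_len`, the
/// allocation must not be referenced or freed elsewhere, and ownership of it
/// passes to the returned Vec. A bogus header (pointer 1, length 16, as in the
/// proof of concept above) violates this contract, which is why the function
/// must be `unsafe fn` rather than a safe fn wrapping an `unsafe` block.
pub unsafe fn take_output_data(header: &OutputHeader) -> Vec<u8> {
    Vec::from_raw_parts(header.value_ptr as *mut u8, header.value_len, header.value_len)
}

/// The legitimate producer side: give up ownership of `data` and describe it
/// in a header. `into_boxed_slice` reallocates so capacity == len, and leaking
/// the box is what makes the later `from_raw_parts` sound.
pub fn publish_output_data(data: Vec<u8>) -> Vec<u8> {
    let leaked: &'static mut [u8] = Box::leak(data.into_boxed_slice());
    let mut header = vec![0u8; HEADER_LEN];
    header[..WORD].copy_from_slice(&(leaked.as_mut_ptr() as usize).to_le_bytes());
    header[WORD..].copy_from_slice(&leaked.len().to_le_bytes());
    header
}

/// Producer and consumer together: the only place `unsafe` appears is where
/// the caller can actually justify the contract.
pub fn round_trip(data: Vec<u8>) -> Vec<u8> {
    let header = publish_output_data(data);
    let parsed = parse_output_header(&header).expect("header is complete");
    // SAFETY: `header` was produced by publish_output_data for an allocation
    // this function owns exactly once and never touches again.
    unsafe { take_output_data(&parsed) }
}

/// The reporter's header (pointer 1, length 16) in this example's word size.
/// Parsing it is fine; handing it to `take_output_data` would be UB.
pub fn bogus_header_from_issue() -> Vec<u8> {
    let mut header = vec![0u8; HEADER_LEN];
    header[..WORD].copy_from_slice(&1usize.to_le_bytes());
    header[WORD..].copy_from_slice(&16usize.to_le_bytes());
    header
}

fn main() {
    let payload: Vec<u8> = (0u8..40).collect();
    println!("round trip ok: {}", round_trip(payload.clone()) == payload);
    println!("bogus header parses to {:?}", parse_output_header(&bogus_header_from_issue()));
}
```

The point of the split is that `parse_output_header` can be called on anything, including the reporter's header, without risk, whereas the unsoundness lives entirely in turning the parsed words into a `Vec`; that step is the one that has to be `unsafe fn` so that every call site documents why its pointer and length are trustworthy.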