From 60ed6a152e2cb482654a307649e0b014c47e281b Mon Sep 17 00:00:00 2001 From: Eliza Weisman Date: Mon, 13 Mar 2017 11:53:31 -0400 Subject: [PATCH] fix(elf): fix arbitrary lifetime in elf::extract_from_slice For issue #91 --- elf/src/lib.rs | 23 ++++++++++++----------- 1 file changed, 12 insertions(+), 11 deletions(-) diff --git a/elf/src/lib.rs b/elf/src/lib.rs index 833cdc56..c5135bce 100644 --- a/elf/src/lib.rs +++ b/elf/src/lib.rs @@ -92,7 +92,12 @@ where Word: ElfWord + 'a /// /// This is essentially just a _slightly_ safer wrapper around /// [`slice::from_raw_parts`]. Unlike `from_raw_parts`, this function takes -/// a valid byte slice, rather than a pointer. +/// a valid byte slice, rather than a pointer. Therefore, some of the safety +/// issues with `from_raw_parts` are avoided: +/// +/// + the lifetime (`'slice`) of the returned slice should be the same as the +/// lifetime of the input slice (`data`), rather than inferred arbitrarily. +/// + this function will panic rather than reading past the end of the slice. /// /// # Arguments /// @@ -106,8 +111,6 @@ where Word: ElfWord + 'a /// While this function is safer than [`slice::from_raw_parts`], /// it is still unsafe for the following reasons: /// -/// + The lifetime of the returned slice is inferred by `from_raw_parts`, and -/// is not necessarily tied to the lifetime of `data`. /// + The contents of `data` may not be able to be interpreted as instances of /// type `T`. /// + `offset` may not be aligned on a `T`-sized boundary. @@ -133,22 +136,20 @@ where Word: ElfWord + 'a // - eliza, 03/09/2017 /// TODO: should this be refactored to return a `Result`? // - eliza, 03/13/2017 -/// TODO: can we ensure that the lifetime of the returned slice is the same -/// as the lifetime of the input byte slice, rather than inferred by -/// [`slice::from_raw_parts`]? -// - eliza, 03/13/2017 /// TODO: assert that `offset` is aligned on a `T`-sized boundary // - eliza, 03/13/2017 /// TODO: do we want to assert that `offset` is less than the length of `data` /// separately from asserting that the slice is long enough, so that /// we can panic with different messages? // - eliza, 03/13/2017 +/// TODO: refactor this to take a `RangeArgument`? +// - eliza, 03/13/2017 /// /// [`slice::from_raw_parts`]: https://doc.rust-lang.org/stable/std/slice/fn.from_raw_parts.html -unsafe fn extract_from_slice( data: &[u8] - , offset: usize - , n: usize) - -> &[T] { +unsafe fn extract_from_slice<'slice, T: Sized>( data: &'slice [u8] + , offset: usize + , n: usize) + -> &'slice [T] { assert!( data.len() - offset >= mem::size_of::() * n , "Slice too short to contain {} objects of type {}" , n