Remove padding bytes risk in dbghelp with MaybeUninit

As reported in #720, there is a risk that the
current code, by using &mut to a struct with padding fields,
interacts in ways that cause padding bytes to be written to bytes
that Rust originally thought were real and initialized.
If this assumption persists forward in time far enough,
this could possibly cause an issue due to compiler optimizations.

This seems unlikely, but we can fix this by using MaybeUninit and then
addressing the data using raw pointers only. That way, we do not have
to depend on all the data being in initialized states even after calling
SymFromAddrW. Except for the specific fields we read, of course.

Author: workingjubilee

src/symbolize/dbghelp.rs

@@ -19,9 +19,10 @@
 
 use super::super::{dbghelp, windows_sys::*};
 use super::{BytesOrWideString, ResolveWhat, SymbolName};
+use core::cmp;
 use core::ffi::c_void;
 use core::marker;
-use core::mem;
+use core::mem::{self, MaybeUninit};
 use core::ptr;
 use core::slice;
 
@@ -217,19 +218,20 @@ unsafe fn resolve_with_inline(
     Some(())
 }
 
+/// This function is only meant to be called with SymFromAddrW as the argument
 unsafe fn do_resolve(
     sym_from_addr: impl FnOnce(*mut SYMBOL_INFOW) -> BOOL,
     get_line_from_addr: impl FnOnce(&mut IMAGEHLP_LINEW64) -> BOOL,
     cb: &mut dyn FnMut(&super::Symbol),
 ) {
     const SIZE: usize = 2 * MAX_SYM_NAME as usize + mem::size_of::<SYMBOL_INFOW>();
-    let mut data = Aligned8([0u8; SIZE]);
-    let info = unsafe { &mut *data.0.as_mut_ptr().cast::<SYMBOL_INFOW>() };
-    info.MaxNameLen = MAX_SYM_NAME as u32;
+    let mut data = MaybeUninit::<Aligned8<[u8; SIZE]>>::zeroed();
+    let info = data.as_mut_ptr().cast::<SYMBOL_INFOW>();
+    unsafe { (*info).MaxNameLen = MAX_SYM_NAME as u32 };
     // the struct size in C.  the value is different to
     // `size_of::<SYMBOL_INFOW>() - MAX_SYM_NAME + 1` (== 81)
     // due to struct alignment.
-    info.SizeOfStruct = 88;
+    unsafe { (*info).SizeOfStruct = 88 };
 
     if sym_from_addr(info) != TRUE {
         return;
@@ -238,8 +240,10 @@ unsafe fn do_resolve(
     // If the symbol name is greater than MaxNameLen, SymFromAddrW will
     // give a buffer of (MaxNameLen - 1) characters and set NameLen to
     // the real value.
-    let name_len = ::core::cmp::min(info.NameLen as usize, info.MaxNameLen as usize - 1);
-    let name_ptr = info.Name.as_ptr().cast::<u16>();
+    // SAFETY: We assume NameLen has been initialized by SymFromAddrW, and we initialized MaxNameLen
+    let name_len = unsafe { cmp::min((*info).NameLen as usize, (*info).MaxNameLen as usize - 1) };
+    // SAFETY: We assume Name has been initialized by SymFromAddrW
+    let name_ptr = (&raw const (*info).Name).cast::<u16>();
 
     // Reencode the utf-16 symbol to utf-8 so we can use `SymbolName::new` like
     // all other platforms
@@ -296,7 +300,8 @@ unsafe fn do_resolve(
     cb(&super::Symbol {
         inner: Symbol {
             name,
-            addr: info.Address as *mut _,
+            // SAFETY: we assume Address has been initialized by SymFromAddrW
+            addr: unsafe { (*info).Address } as *mut _,
             line: lineno,
             filename,
             _filename_cache: unsafe { cache(filename) },