Skip to content

String::replace_range is unsound #81138

New issue
New issue
Closed
#81169
Closed
String::replace_range is unsound#81138
#81169
Labels
A-UnicodeArea: UnicodeC-bugCategory: This is a bug.I-unsoundIssue: A soundness hole (worst kind of bug), see: https://en.wikipedia.org/wiki/SoundnessP-highHigh priorityT-libsRelevant to the library team, which will review and decide on the PR/issue.
@LunaBorowska

Description

@LunaBorowska
LunaBorowska
opened on Jan 17, 2021 · edited by LunaBorowska
Contributor

It's possible to use String::replace_range to create invalid strings containing broken Unicode. This happens because replace_range checks range bounds twice - first time to check parameter validity and second time for actually doing the splice.

use std::cell::Cell;
use std::ops::{Bound, RangeBounds};
use std::str;

struct EvilRange(Cell<bool>);

impl RangeBounds<usize> for EvilRange {
    fn start_bound(&self) -> Bound<&usize> {
        Bound::Included(if self.0.get() {
            &1
        } else {
            self.0.set(true);
            &0
        })
    }
    fn end_bound(&self) -> Bound<&usize> {
        Bound::Unbounded
    }
}

fn main() {
    let mut s = String::from("🦀");
    s.replace_range(EvilRange(Cell::new(false)), "");
    println!("{:?}", str::from_utf8(s.as_bytes()));
}

This will print Utf8Error showing that a string is not valid UTF-8.

Activity

LunaBorowska
added
C-bugCategory: This is a bug.
on Jan 17, 2021
Mark-Simulacrum
added
I-unsoundIssue: A soundness hole (worst kind of bug), see: https://en.wikipedia.org/wiki/Soundness
T-libsRelevant to the library team, which will review and decide on the PR/issue.
on Jan 17, 2021
rustbot
added
I-prioritizeIssue: Indicates that prioritization has been requested for this issue.
on Jan 17, 2021
jyn514
added
A-UnicodeArea: Unicode
on Jan 18, 2021
rylev

rylev commented on Jan 18, 2021

@rylev
rylev
on Jan 18, 2021
Member

Assigning P-high as discussed as part of the Prioritization Working Group procedure and removing I-prioritize.

rylev
added
P-highHigh priority
and removed
I-prioritizeIssue: Indicates that prioritization has been requested for this issue.
on Jan 18, 2021
dylni
mentioned this on Jan 18, 2021
bors
added a commit that references this issue on Jan 19, 2021

Auto merge of rust-lang#81169 - dylni:fix-soundness-issue-for-replace…

7d7b22d
bors
closed this as completedin 7d7b22don Jan 19, 2021
ssomers
mentioned this on Mar 15, 2021
dtolnay
mentioned this on Mar 11, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Metadata

Metadata

Assignees

No one assigned

    Labels

    A-UnicodeArea: UnicodeC-bugCategory: This is a bug.I-unsoundIssue: A soundness hole (worst kind of bug), see: https://en.wikipedia.org/wiki/SoundnessP-highHigh priorityT-libsRelevant to the library team, which will review and decide on the PR/issue.

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

      Development

      Participants

      @LunaBorowska@rylev@Mark-Simulacrum@jyn514@rustbot

      Issue actions
        String::replace_range is unsound · Issue #81138 · rust-lang/rust