Rust soundness fixes (#7518)

* Rust soundness fixes * Second pass * Make init_from_table unsafe * Remove SafeSliceAccess * Clippy * Remove create_vector_of_strings * More clippy * Remove deprecated root type accessors * More soundness fixes * Fix EndianScalar for bool * Add TriviallyTransmutable * Add debug assertions * Review comments * Review feedback
2022-09-29 14:58:49 +01:00
parent dadbff5714
commit 374f8fb5fb
102 changed files with 2673 additions and 2035 deletions
--- a/rust/flatbuffers/src/table.rs
+++ b/rust/flatbuffers/src/table.rs
@@ -18,23 +18,36 @@ use crate::follow::Follow;
 use crate::primitives::*;
 use crate::vtable::VTable;

-#[derive(Clone, Copy, Debug, PartialEq)]
+#[derive(Clone, Copy, Debug, PartialEq, Eq)]
 pub struct Table<'a> {
-    pub buf: &'a [u8],
-    pub loc: usize,
+    buf: &'a [u8],
+    loc: usize,
 }

 impl<'a> Table<'a> {
+    /// # Safety
+    ///
+    /// `buf` must contain a `soffset_t` at `loc`, which points to a valid vtable
    #[inline]
-    pub fn new(buf: &'a [u8], loc: usize) -> Self {
+    pub unsafe fn new(buf: &'a [u8], loc: usize) -> Self {
        Table { buf, loc }
    }
+
    #[inline]
    pub fn vtable(&self) -> VTable<'a> {
-        <BackwardsSOffset<VTable<'a>>>::follow(self.buf, self.loc)
+        // Safety:
+        // Table::new is created with a valid buf and location
+        unsafe { <BackwardsSOffset<VTable<'a>>>::follow(self.buf, self.loc) }
    }
+
+    /// Retrieves the value at the provided `slot_byte_loc` returning `default`
+    /// if no value present
+    ///
+    /// # Safety
+    ///
+    /// The value of the corresponding slot must have type T
    #[inline]
-    pub fn get<T: Follow<'a> + 'a>(
+    pub unsafe fn get<T: Follow<'a> + 'a>(
        &self,
        slot_byte_loc: VOffsetT,
        default: Option<T::Inner>,
@@ -50,19 +63,26 @@ impl<'a> Table<'a> {
 impl<'a> Follow<'a> for Table<'a> {
    type Inner = Table<'a>;
    #[inline]
-    fn follow(buf: &'a [u8], loc: usize) -> Self::Inner {
+    unsafe fn follow(buf: &'a [u8], loc: usize) -> Self::Inner {
        Table { buf, loc }
    }
 }

+/// Returns true if data contains a prefix of `ident`
 #[inline]
 pub fn buffer_has_identifier(data: &[u8], ident: &str, size_prefixed: bool) -> bool {
    assert_eq!(ident.len(), FILE_IDENTIFIER_LENGTH);

    let got = if size_prefixed {
-        <SkipSizePrefix<SkipRootOffset<FileIdentifier>>>::follow(data, 0)
+        assert!(data.len() >= SIZE_SIZEPREFIX + SIZE_UOFFSET + FILE_IDENTIFIER_LENGTH);
+        // Safety:
+        // Verified data has sufficient bytes
+        unsafe { <SkipSizePrefix<SkipRootOffset<FileIdentifier>>>::follow(data, 0) }
    } else {
-        <SkipRootOffset<FileIdentifier>>::follow(data, 0)
+        assert!(data.len() >= SIZE_UOFFSET + FILE_IDENTIFIER_LENGTH);
+        // Safety:
+        // Verified data has sufficient bytes
+        unsafe { <SkipRootOffset<FileIdentifier>>::follow(data, 0) }
    };

    ident.as_bytes() == got