Possible use-after-free issues in matrix implementation
Closed this issue · 1 comment
Hi. I am developing a static analysis tool for Rust and it detected some potential vulnerabilities in gmath's matrix implementation, for example function `matrix2invert` in file `wasm/matrix2.rs`.

First, a buffer `ptr` is allocated, then the ownership of `ptr` is transferred to a vector `mat` using `Vec::from_raw_parts`. When function `matrix2invert` returns, `mat` is deallocated, thus the return value `ptr` becomes a dangling pointer.

Other functions with similar implementations also have the same issue. I believe this can be fixed by using `std::slice::from_raw_parts_mut`, which does not acquire the ownership:

```rust
// This should fix the issues
// let mut mat = Vec::from_raw_parts(ptr as *mut f32, LEN, LEN);
let mut mat = std::slice::from_raw_parts_mut(ptr as *mut f32, LEN);
```
I know nothing about WebAssembly's memory management, so I do not know whether this is a real bug or not. So I am creating this issue and looking for your help.
Thank you very much.
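The ownership-preserving pattern proposed above, as an added stand-alone example (this is not gmath's code and `alloc_mat`, `free_mat`, `invert_copy` and the row-major `[a, b, c, d]` layout are assumptions): the caller allocates the buffer, `matrix2invert` only borrows it through a slice and returns the same pointer, and the buffer is freed exactly once, so the pointer read after the call is still valid.

```rust
use std::slice;

const LEN: usize = 4; // 2x2 matrix stored row-major as [a, b, c, d] (assumed layout)

/// Allocate LEN f32s and hand out a raw pointer. The Vec is leaked on purpose:
/// ownership of the buffer stays with the caller (hypothetical allocator).
pub fn alloc_mat() -> *mut f32 {
    let mut v: Vec<f32> = vec![0.0; LEN];
    let p = v.as_mut_ptr();
    std::mem::forget(v);
    p
}

/// Free a buffer obtained from alloc_mat. Only here does a Vec take ownership.
pub unsafe fn free_mat(ptr: *mut f32) {
    unsafe { drop(Vec::from_raw_parts(ptr, LEN, LEN)) };
}

/// In-place inverse of a 2x2 matrix; returns the same pointer it was given.
/// The buffer is viewed through slice::from_raw_parts_mut, which borrows
/// rather than owns, so nothing is deallocated when the function returns.
/// Vec::from_raw_parts here would drop (free) the buffer at function end and
/// the returned pointer would be dangling, which is the issue's bug pattern.
pub unsafe fn matrix2invert(ptr: *mut f32) -> *mut f32 {
    let mat = unsafe { slice::from_raw_parts_mut(ptr, LEN) };
    let (a, b, c, d) = (mat[0], mat[1], mat[2], mat[3]);
    let det = a * d - b * c;
    if det != 0.0 {
        let inv = 1.0 / det;
        mat[0] = d * inv;
        mat[1] = -b * inv;
        mat[2] = -c * inv;
        mat[3] = a * inv;
    }
    ptr // singular matrices are left unchanged
}

/// Safe wrapper (assumed helper): copies `m` into a fresh buffer, inverts it,
/// reads the result back through the returned pointer, then frees it once.
pub fn invert_copy(m: [f32; LEN]) -> [f32; LEN] {
    let ptr = alloc_mat();
    unsafe {
        slice::from_raw_parts_mut(ptr, LEN).copy_from_slice(&m);
        let out = matrix2invert(ptr);
        let mut result = [0.0; LEN];
        result.copy_from_slice(slice::from_raw_parts(out, LEN));
        free_mat(ptr);
        result
    }
}
```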
Thank you, this has been an issue I have been meaning to deal with for a while but got sidetracked by some other projects. I will make sure to fix it soon.