std: Check for overflow in `str::repeat`

This commit fixes a buffer overflow issue in the standard library
discovered by Scott McMurray where if a large number was passed to
`str::repeat` it may cause and out of bounds write to the buffer of a `Vec`.
This bug was accidentally introduced in #48657 when optimizing the
`str::repeat` function. The bug affects stable Rust releases 1.26.0 to
1.29.0. We plan on backporting this fix to create a 1.29.1 release, and
the 1.30.0 release onwards will include this fix.

The fix in this commit is to introduce a deterministic panic in the case of
capacity overflow. When repeating a slice where the resulting length is larger
than the address space, there’s no way it can succeed anyway!

The standard library and surrounding libraries were briefly checked to see if
there were othere instances of preallocating a vector with a calculation that
may overflow. No instances of this bug (out of bounds write due to a calculation
overflow) were found at this time.

Note that this commit is the first steps towards fixing this issue,
we'll be making a formal post to the Rust security list once these
commits have been merged.

diff --git a/src/liballoc/slice.rs b/src/liballoc/slice.rs
index 9d442b3e00ca074ea7b6d1584272923bc8b922ef..6c0b1c33a1f7673ee3c4a2ed40a789214a20be4d 100644 (file)
--- a/src/liballoc/slice.rs
+++ b/src/liballoc/slice.rs
@@ -392,6 +392,10 @@ pub fn into_vec(self: Box<Self>) -> Vec<T> {
 
     /// Creates a vector by repeating a slice `n` times.
     ///
+    /// # Panics
+    ///
+    /// This function will panic if the capacity would overflow.
+    ///
     /// # Examples
     ///
     /// Basic usage:
@@ -403,6 +407,16 @@ pub fn into_vec(self: Box<Self>) -> Vec<T> {
     ///     assert_eq!([1, 2].repeat(3), vec![1, 2, 1, 2, 1, 2]);
     /// }
     /// ```
+    ///
+    /// A panic upon overflow:
+    ///
+    /// ```should_panic
+    /// #![feature(repeat_generic_slice)]
+    /// fn main() {
+    ///     // this will panic at runtime
+    ///     b"0123456789abcdef".repeat(usize::max_value());
+    /// }
+    /// ```
     #[unstable(feature = "repeat_generic_slice",
                reason = "it's on str, why not on slice?",
                issue = "48784")]
@@ -417,7 +431,7 @@ pub fn repeat(&self, n: usize) -> Vec<T> where T: Copy {
         // and `rem` is the remaining part of `n`.
 
         // Using `Vec` to access `set_len()`.
-        let mut buf = Vec::with_capacity(self.len() * n);
+        let mut buf = Vec::with_capacity(self.len().checked_mul(n).expect("capacity overflow"));
 
         // `2^expn` repetition is done by doubling `buf` `expn`-times.
         buf.extend(self);

diff --git a/src/liballoc/str.rs b/src/liballoc/str.rs
index c451a051c74dcbfc2a7c92b209d05238ef92d3b6..2af89562d69fe1d0a6f37c07350c212117c8b131 100644 (file)
--- a/src/liballoc/str.rs
+++ b/src/liballoc/str.rs
@@ -515,6 +515,10 @@ pub fn into_string(self: Box<str>) -> String {
 
     /// Creates a new [`String`] by repeating a string `n` times.
     ///
+    /// # Panics
+    ///
+    /// This function will panic if the capacity would overflow.
+    ///
     /// [`String`]: string/struct.String.html
     ///
     /// # Examples
@@ -524,6 +528,15 @@ pub fn into_string(self: Box<str>) -> String {
     /// ```
     /// assert_eq!("abc".repeat(4), String::from("abcabcabcabc"));
     /// ```
+    ///
+    /// A panic upon overflow:
+    ///
+    /// ```should_panic
+    /// fn main() {
+    ///     // this will panic at runtime
+    ///     "0123456789abcdef".repeat(usize::max_value());
+    /// }
+    /// ```
     #[stable(feature = "repeat_str", since = "1.16.0")]
     pub fn repeat(&self, n: usize) -> String {
         unsafe { String::from_utf8_unchecked(self.as_bytes().repeat(n)) }