io: fix unsound Buf::ensure_capacity_for

paolobarbolini · paolobarbolini · commit e64152a3e313 · 2024-12-29T18:46:32.000+01:00
diff --git a/tokio/src/io/blocking.rs b/tokio/src/io/blocking.rs
@@ -21,6 +21,7 @@ pub(crate) struct Blocking<T> {
 pub(crate) struct Buf {
     buf: Vec<u8>,
     pos: usize,
+    init_len: usize,
 }
 
 pub(crate) const DEFAULT_MAX_BUF_SIZE: usize = 2 * 1024 * 1024;
@@ -190,6 +191,7 @@ impl Buf {
         Buf {
             buf: Vec::with_capacity(n),
             pos: 0,
+            init_len: 0,
         }
     }
 
@@ -220,6 +222,7 @@ impl Buf {
         let n = cmp::min(src.len(), max_buf_size);
 
         self.buf.extend_from_slice(&src[..n]);
+        self.init_len = cmp::max(self.init_len, self.buf.len());
         n
     }
 
@@ -236,6 +239,18 @@ impl Buf {
             self.buf.reserve(len - self.buf.len());
         }
 
+        if self.init_len < len {
+            debug_assert!(self.init_len < self.buf.capacity(), "init_len of Vec is bigger than the capacity");
+            debug_assert!(len <= self.buf.capacity(), "uninit area of Vec is bigger than the capacity");
+
+            let uninit_len = len - self.init_len;
+            // SAFETY: the area is within the allocation of the Vec
+            unsafe {
+                self.buf.as_mut_ptr().add(self.init_len).write_bytes(0, uninit_len);
+            }
+        }
+
+        // SAFETY: `len` is within the capacity and is init
         unsafe {
             self.buf.set_len(len);
         }
@@ -287,6 +302,7 @@ cfg_fs! {
                 self.buf.extend_from_slice(&buf[..len]);
                 rem -= len;
             }
+            self.init_len = cmp::max(self.init_len, self.buf.len());
 
             max_buf_size - rem
         }

Original file line number	Diff line number	Diff line change
`@@ -21,6 +21,7 @@ pub(crate) struct Blocking<T> {`
`21`	`21`	`pub(crate) struct Buf {`
`22`	`22`	`buf: Vec<u8>,`
`23`	`23`	`pos: usize,`
	`24`	`+ init_len: usize,`
`24`	`25`	`}`
`25`	`26`
`26`	`27`	`pub(crate) const DEFAULT_MAX_BUF_SIZE: usize = 2 * 1024 * 1024;`
`@@ -190,6 +191,7 @@ impl Buf {`
`190`	`191`	`Buf {`
`191`	`192`	`buf: Vec::with_capacity(n),`
`192`	`193`	`pos: 0,`
	`194`	`+ init_len: 0,`
`193`	`195`	`}`
`194`	`196`	`}`
`195`	`197`
`@@ -220,6 +222,7 @@ impl Buf {`
`220`	`222`	`let n = cmp::min(src.len(), max_buf_size);`
`221`	`223`
`222`	`224`	`self.buf.extend_from_slice(&src[..n]);`
	`225`	`+ self.init_len = cmp::max(self.init_len, self.buf.len());`
`223`	`226`	`n`
`224`	`227`	`}`
`225`	`228`
`@@ -236,6 +239,18 @@ impl Buf {`
`236`	`239`	`self.buf.reserve(len - self.buf.len());`
`237`	`240`	`}`
`238`	`241`
	`242`	`+ if self.init_len < len {`
	`243`	`+ debug_assert!(self.init_len < self.buf.capacity(), "init_len of Vec is bigger than the capacity");`
	`244`	`+ debug_assert!(len <= self.buf.capacity(), "uninit area of Vec is bigger than the capacity");`
	`245`	`+`
	`246`	`+ let uninit_len = len - self.init_len;`
	`247`	`+ // SAFETY: the area is within the allocation of the Vec`
	`248`	`+ unsafe {`
	`249`	`+ self.buf.as_mut_ptr().add(self.init_len).write_bytes(0, uninit_len);`
	`250`	`+ }`
	`251`	`+ }`
	`252`	`+`
	`253`	+ // SAFETY: `len` is within the capacity and is init
`239`	`254`	`unsafe {`
`240`	`255`	`self.buf.set_len(len);`
`241`	`256`	`}`
`@@ -287,6 +302,7 @@ cfg_fs! {`
`287`	`302`	`self.buf.extend_from_slice(&buf[..len]);`
`288`	`303`	`rem -= len;`
`289`	`304`	`}`
	`305`	`+ self.init_len = cmp::max(self.init_len, self.buf.len());`
`290`	`306`
`291`	`307`	`max_buf_size - rem`
`292`	`308`	`}`