Hi. I am developing a static analysis tool for Rust and it detected some potential vulnerabilities in gmath's matrix implementation, for example function matrix2invert in file wasm/matrix2.rs.
First, a buffer ptr is allocated, then the ownership of ptr is transferred to a vector mat using Vec::from_raw_parts. When function matrix2invert returns, mat is deallocated, and thus the return value ptr becomes a dangling pointer.
Other functions with similar implementations also have the same issue. I believe this can be fixed by using std::slice::from_raw_parts_mut, which does not acquire the ownership:
// This should fix the issues
// let mut mat = Vec::from_raw_parts(ptr as *mut f32, LEN, LEN);
let mut mat = std::slice::from_raw_parts_mut(ptr as *mut f32, LEN);
I know nothing about WebAssembly's memory management, so I do not know whether this is a real bug or not. So I am creating this issue and looking for your help.
Thank you very much.
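The ownership difference described in the issue, as an added example that is not part of the original post and not gmath's code: a tracking allocator records whether the buffer is freed by the time each variant returns its pointer. The names `fill_owning`, `fill_borrowing`, `freed_on_return`, the `Tracking` allocator and the allocation via `alloc_zeroed` are assumptions made for illustration.

```rust
use std::alloc::{alloc_zeroed, dealloc, GlobalAlloc, Layout, System};
use std::sync::atomic::{AtomicBool, AtomicUsize, Ordering::SeqCst};
const LEN: usize = 4; // constructed: a 2x2 f32 matrix

// Allocator wrapper that records when one watched address is freed.
static WATCHED: AtomicUsize = AtomicUsize::new(0);
static FREED: AtomicBool = AtomicBool::new(false);
struct Tracking;
unsafe impl GlobalAlloc for Tracking {
    unsafe fn alloc(&self, l: Layout) -> *mut u8 { System.alloc(l) }
    unsafe fn dealloc(&self, p: *mut u8, l: Layout) {
        if p as usize == WATCHED.load(SeqCst) { FREED.store(true, SeqCst); }
        System.dealloc(p, l)
    }
}
#[global_allocator]
static ALLOCATOR: Tracking = Tracking;

// Hypothetical stand-in for the reported pattern: the Vec takes ownership of `ptr`.
unsafe fn fill_owning(ptr: *mut u8) -> *mut u8 {
    let mut mat = Vec::from_raw_parts(ptr as *mut f32, LEN, LEN);
    mat[0] = 1.0;
    ptr // `mat` is dropped here and frees the buffer: the returned pointer dangles
}

// The fix proposed in the issue: a slice borrows the buffer without owning it.
unsafe fn fill_borrowing(ptr: *mut u8) -> *mut u8 {
    let mat = std::slice::from_raw_parts_mut(ptr as *mut f32, LEN);
    mat[0] = 1.0;
    ptr // nothing is dropped: the buffer is still live for the caller
}

/// Returns true if the buffer was already freed when `f` handed back its pointer.
fn freed_on_return(f: unsafe fn(*mut u8) -> *mut u8) -> bool {
    let layout = Layout::array::<f32>(LEN).unwrap();
    unsafe {
        let ptr = alloc_zeroed(layout);
        assert!(!ptr.is_null());
        FREED.store(false, SeqCst);
        WATCHED.store(ptr as usize, SeqCst);
        let out = f(ptr); // never dereferenced here, only tracked
        WATCHED.store(0, SeqCst);
        let freed = FREED.load(SeqCst);
        if !freed { dealloc(out, layout); } // caller still owns it: free exactly once
        freed
    }
}
fn main() {
    println!("owning: {}, borrowing: {}", freed_on_return(fill_owning), freed_on_return(fill_borrowing));
}
```
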