Null pointer dereference in test case webp_data::tests::test_encoder #26

Open
icmccorm opened this issue Dec 11, 2023 · 0 comments

I've been developing an experimental version of Miri that can execute foreign functions by interpreting LLVM bytecode.

Miri found the following error when executing the test webp_data::tests::test_encoder at version 0.9.0 of webp-animation.

```text
error: Undefined Behavior: dereferencing pointer failed: null pointer is a dangling pointer (it has no provenance)
   --> .../rust/library/core/src/slice/raw.rs:101:9
    |
101 |         &*ptr::slice_from_raw_parts(data, len)
    |         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ dereferencing pointer failed: null pointer is a dangling pointer (it has no provenance)
    |
    = help: this indicates a bug in the program: it performed an invalid operation, and caused Undefined Behavior
    = help: see https://doc.rust-lang.org/nightly/reference/behavior-considered-undefined.html for further information
    = note: BACKTRACE:
    = note: inside `std::slice::from_raw_parts::<'_, u8>` at .../rust/library/core/src/slice/raw.rs:101:9: 101:47
note: inside `webp_data::WebPData::as_slice`
   --> src/webp_data.rs:27:18
    |
27  |         unsafe { slice::from_raw_parts(self.data.bytes, self.data.size) }
    |                  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
note: inside `<webp_data::WebPData as std::ops::Deref>::deref`
   --> src/webp_data.rs:41:9
    |
41  |         self.as_slice()
    |         ^^^^^^^^^^^^^^^
note: inside `webp_data::tests::test_encoder`
   --> src/webp_data.rs:58:20
    |
58  |         assert_eq!(data.len(), 0);
    |                    ^^^^^^^^^^
note: inside closure
   --> src/webp_data.rs:56:23
    |
55  |     #[test]
    |     ------- in this procedural macro expansion
56  |     fn test_encoder() {
    |
```

It seems like WebPData::new() does not actually initialize the WebPData struct to point to valid memory. In particular, here's where data is initialized in Rust:

```rust
// Zero the C struct from the Rust side, then let the C helper initialize it
let mut data = mem::zeroed();
webp::WebPDataInit(&mut data);
data
```

It seems like webp::WebPDataInit just zero-initializes the memory that it's passed:

```c
/* libwebp's initializer: it only zeroes the struct, so `bytes` stays NULL */
static inline void WebPDataInit(WebPData* webp_data) {
  if (webp_data != ((void*)0)) {
    memset(webp_data, 0, sizeof(*webp_data));
  }
}
```

However, this shouldn't be necessary, since the memory being referenced has already been initialized by mem::zeroed() in Rust. Anyway, it seems like the implementation of WebPData::as_slice needs to account for the case when data is NULL.
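Added example (not code from the webp-animation crate or from the issue author): a stand-in for the zeroed `WebPData` struct next to the flagged `as_slice` pattern and a NULL-aware version of it. `RawWebPData` and both function names are constructed for this illustration; only the `bytes` and `size` field names come from the backtrace above.

```rust
use std::slice;

/// Stand-in for the C `WebPData` struct (constructed for this example;
/// the real definition lives in the `webp` sys bindings).
#[repr(C)]
#[derive(Debug)]
pub struct RawWebPData {
    pub bytes: *const u8,
    pub size: usize,
}

impl RawWebPData {
    /// Mirrors what `mem::zeroed()` + `WebPDataInit` produce:
    /// `bytes` is NULL and `size` is 0.
    pub fn zeroed() -> Self {
        RawWebPData { bytes: std::ptr::null(), size: 0 }
    }
}

/// The pattern Miri flagged: `slice::from_raw_parts` requires a non-null,
/// aligned pointer even when `len == 0`, so calling it on a zeroed struct
/// is undefined behavior. Kept only for comparison; never called here.
pub unsafe fn as_slice_unchecked(data: &RawWebPData) -> &[u8] {
    unsafe { slice::from_raw_parts(data.bytes, data.size) }
}

/// Hardened version: a NULL buffer is reported as the empty slice instead
/// of being handed to `from_raw_parts`.
pub fn as_slice_checked(data: &RawWebPData) -> &[u8] {
    if data.bytes.is_null() {
        return &[];
    }
    // SAFETY: `bytes` is non-null and, per the WebPData contract, points to
    // `size` readable bytes that live at least as long as `data`.
    unsafe { slice::from_raw_parts(data.bytes, data.size) }
}

fn main() {
    let zeroed = RawWebPData::zeroed();
    println!("zeroed -> {} bytes", as_slice_checked(&zeroed).len());
    let buf = [1u8, 2, 3]; // constructed sample buffer
    let filled = RawWebPData { bytes: buf.as_ptr(), size: buf.len() };
    println!("filled -> {:?}", as_slice_checked(&filled));
}
```

Running the first function under Miri on `RawWebPData::zeroed()` reproduces the "null pointer is a dangling pointer" report; the checked version passes the `data.len() == 0` assertion from the test.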
