diff --git a/src/smallvec/debian/changelog b/src/smallvec/debian/changelog index a3c2ef7..a72ee43 100644 --- a/src/smallvec/debian/changelog +++ b/src/smallvec/debian/changelog @@ -1,3 +1,12 @@ +rust-smallvec (1.4.2-2) UNRELEASED-FIXME-AUTOGENERATED-DEBCARGO; urgency=medium + + * Team upload. + * Package smallvec 1.4.2 from crates.io using debcargo 2.4.3 + * Apply upstream patch to fix overflow in insert_many + ( Closes: 984665 ) + + -- Peter Michael Green Tue, 09 Mar 2021 15:46:51 +0000 + rust-smallvec (1.4.2-1) unstable; urgency=medium * Team upload. diff --git a/src/smallvec/debian/copyright b/src/smallvec/debian/copyright index fc577e9..899837e 100644 --- a/src/smallvec/debian/copyright +++ b/src/smallvec/debian/copyright @@ -11,7 +11,7 @@ Files: debian/* Copyright: - 2018-2019 Debian Rust Maintainers + 2018-2021 Debian Rust Maintainers 2018 kpcyrd 2018-2019 Wolfgang Silbermayr License: MIT or Apache-2.0 diff --git a/src/smallvec/debian/copyright.debcargo.hint b/src/smallvec/debian/copyright.debcargo.hint index ac593df..a03c680 100644 --- a/src/smallvec/debian/copyright.debcargo.hint +++ b/src/smallvec/debian/copyright.debcargo.hint @@ -21,9 +21,9 @@ Files: debian/* Copyright: - 2018-2020 Debian Rust Maintainers - 2018-2020 kpcyrd - 2018-2020 Wolfgang Silbermayr + 2018-2021 Debian Rust Maintainers + 2018-2021 kpcyrd + 2018-2021 Wolfgang Silbermayr License: MIT or Apache-2.0 License: Apache-2.0 diff --git a/src/smallvec/debian/patches/fix-insert-many-buffer-overflow.patch b/src/smallvec/debian/patches/fix-insert-many-buffer-overflow.patch new file mode 100644 index 0000000..70be24a --- /dev/null +++ b/src/smallvec/debian/patches/fix-insert-many-buffer-overflow.patch @@ -0,0 +1,128 @@ +Debian patch for bug 984665 + +The patches to lib.rs and tests.rs are identical to the upstream +commit described below. The changes to Cargo.toml (which were +just a change of the package version number) have been excluded. + +commit 9998ba0694a6b51aa6604748b00b6a98f0a0039e +Author: Matt Brubeck +Date: Thu Jan 7 21:28:46 2021 -0800 + + Fix potential buffer overflow in `insert_many` + + Fixes #252. + +diff --git a/src/lib.rs b/src/lib.rs +index 0241aefa..5e9de828 100644 +--- a/src/lib.rs ++++ b/src/lib.rs +@@ -1009,7 +1009,7 @@ impl SmallVec { + /// Insert multiple elements at position `index`, shifting all following elements toward the + /// back. + pub fn insert_many>(&mut self, index: usize, iterable: I) { +- let iter = iterable.into_iter(); ++ let mut iter = iterable.into_iter(); + if index == self.len() { + return self.extend(iter); + } +@@ -1017,13 +1017,16 @@ impl SmallVec { + let (lower_size_bound, _) = iter.size_hint(); + assert!(lower_size_bound <= core::isize::MAX as usize); // Ensure offset is indexable + assert!(index + lower_size_bound >= index); // Protect against overflow +- self.reserve(lower_size_bound); ++ ++ let mut num_added = 0; ++ let old_len = self.len(); ++ assert!(index <= old_len); + + unsafe { +- let old_len = self.len(); +- assert!(index <= old_len); ++ // Reserve space for `lower_size_bound` elements. ++ self.reserve(lower_size_bound); + let start = self.as_mut_ptr(); +- let mut ptr = start.add(index); ++ let ptr = start.add(index); + + // Move the trailing elements. + ptr::copy(ptr, ptr.add(lower_size_bound), old_len - index); +@@ -1036,42 +1039,39 @@ impl SmallVec { + len: old_len + lower_size_bound, + }; + +- let mut num_added = 0; +- for element in iter { +- let mut cur = ptr.add(num_added); +- if num_added >= lower_size_bound { +- // Iterator provided more elements than the hint. Move trailing items again. +- self.reserve(1); +- let start = self.as_mut_ptr(); +- ptr = start.add(index); +- cur = ptr.add(num_added); +- ptr::copy(cur, cur.add(1), old_len - index); +- +- guard.start = start; +- guard.len += 1; +- guard.skip.end += 1; +- } ++ while num_added < lower_size_bound { ++ let element = match iter.next() { ++ Some(x) => x, ++ None => break, ++ }; ++ let cur = ptr.add(num_added); + ptr::write(cur, element); + guard.skip.start += 1; + num_added += 1; + } +- mem::forget(guard); + + if num_added < lower_size_bound { +- // Iterator provided fewer elements than the hint ++ // Iterator provided fewer elements than the hint. Move the tail backward. + ptr::copy( + ptr.add(lower_size_bound), + ptr.add(num_added), + old_len - index, + ); + } +- ++ // There are no more duplicate or uninitialized slots, so the guard is not needed. + self.set_len(old_len + num_added); ++ mem::forget(guard); ++ } ++ ++ // Insert any remaining elements one-by-one. ++ for element in iter { ++ self.insert(index + num_added, element); ++ num_added += 1; + } + + struct DropOnPanic { + start: *mut T, +- skip: Range, ++ skip: Range, // Space we copied-out-of, but haven't written-to yet. + len: usize, + } + +diff --git a/src/tests.rs b/src/tests.rs +index 0452ae85..19f6da85 100644 +--- a/src/tests.rs ++++ b/src/tests.rs +@@ -905,3 +905,16 @@ fn empty_macro() { + fn zero_size_items() { + SmallVec::<[(); 0]>::new().push(()); + } ++ ++#[test] ++fn test_insert_many_overflow() { ++ let mut v: SmallVec<[u8; 1]> = SmallVec::new(); ++ v.push(123); ++ ++ // Prepare an iterator with small lower bound ++ let iter = (0u8..5).filter(|n| n % 2 == 0); ++ assert_eq!(iter.size_hint().0, 0); ++ ++ v.insert_many(0, iter); ++ assert_eq!(&*v, &[0, 2, 4, 123]); ++} diff --git a/src/smallvec/debian/patches/series b/src/smallvec/debian/patches/series new file mode 100644 index 0000000..71c401a --- /dev/null +++ b/src/smallvec/debian/patches/series @@ -0,0 +1 @@ +fix-insert-many-buffer-overflow.patch