remove memrange

Question

remove memrange

m4b opened this issue 2 years ago · comments

We should remove memrange coming in via metagoblin, since it pulls in rustc-serialize which has a vulnerability apparently; I haven't look at good alternatives, but posting this issue here so don't forget. it should be a fairly easy task, I think i used it originally only for a few functions

m4b · Answer 1 · Mon Sep 12 2022 11:56:52 GMT+0800 (China Standard Time)

Digging at this a bit more, the only reason we use memrange is theban_interval_tree forces this type, so we could switch goblin to:

https://docs.rs/unbounded-interval-tree/latest/unbounded_interval_tree/interval_tree/struct.IntervalTree.html

These are the use sites of the interval trees metagoblin returns in Analysis:

src/format_meta.rs
33:        let mut franges = self.analysis.franges.iter().collect::<Vec<_>>();
34:        franges.sort_by(|&(ref r1, _), &(ref r2, _)| r2.len().cmp(&r1.len()));
41:        for (range, data) in &franges {
83:        let franges = analysis.franges.iter().collect::<Vec<_>>();
84:        for window in franges.windows(2) {

(memranges field in Analysis is not used)

I would have to do another survey to see if the methods on memrange are used in bingrep (like contains, etc.) but it's possible that we can just swap out interval tree with some minor edits.

m4b · Answer 2 · Mon Sep 12 2022 13:24:29 GMT+0800 (China Standard Time)

this is done as of metagoblin 0.7

m4b · Answer 3 · Mon Sep 12 2022 13:25:05 GMT+0800 (China Standard Time)

(we don't use any interval logic anyway, just collect all ranges as Vec<(Range, MetaData)> and let user do what they want with it anyway