mvdnes / portaudio-rs

PortAudio bindings for Rust

Stream callback procedure is not unwind safe

Phosphorus15 opened this issue · comments

It is observed that the stream_callback and stream_finished_callback functions are not unwind safe, as their definitions below show.

```rust
let mut stream_data: Box<StreamUserData<I, O>> = unsafe { mem::transmute(user_data) };
// ...
let result = match stream_data.callback {
    Some(ref mut f) => (*f)(input_buffer, output_buffer, timeinfo, flags),
    None => StreamCallbackResult::Abort,
};

mem::forget(stream_data);
```

If the user-provided closure could possibly panic, the mem::forget of the boxed StreamUserData would not be reachable, which causes its memory to be deallocated, thus resulting in a use after free.

Since the StreamUserData contains two function pointers which might be executed later on, it is obvious that an arbitrary code execution can be constructed maliciously in this way. Therefore, this is highly vulnerable and should be fixed.

Resolved in #21

Thank you for the report! 👍
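
One way to keep a panicking callback from freeing the user data, shown as an added example that is neither the crate's code nor the change made in #21: the trampoline borrows the user data through the raw pointer instead of rebuilding the Box, and stops the panic before it reaches the C caller. `CallbackResult`, `UserData`, `register`, `release` and `trampoline` are simplified, hypothetical stand-ins for the crate's types and functions.

```rust
use std::os::raw::c_void;
use std::panic::{catch_unwind, AssertUnwindSafe};
use std::sync::atomic::{AtomicUsize, Ordering};
use std::sync::Arc;

// Hypothetical, simplified stand-ins for the crate's callback types.
#[repr(C)]
#[derive(Debug, PartialEq, Clone, Copy)]
pub enum CallbackResult { Continue, Abort }

pub struct UserData {
    pub callback: Option<Box<dyn FnMut(u32) -> CallbackResult>>,
    pub drops: Arc<AtomicUsize>, // counts destructor runs, for the demonstration only
}

impl Drop for UserData {
    fn drop(&mut self) { self.drops.fetch_add(1, Ordering::SeqCst); }
}

/// Hand ownership to the C side as an opaque pointer.
pub fn register(data: UserData) -> *mut c_void {
    Box::into_raw(Box::new(data)) as *mut c_void
}

/// Reclaim ownership exactly once, after the stream has been closed.
pub unsafe fn release(ptr: *mut c_void) {
    unsafe { drop(Box::from_raw(ptr as *mut UserData)) }
}

/// Entry point the C library would invoke for each buffer.
pub unsafe extern "C" fn trampoline(frames: u32, user_data: *mut c_void) -> CallbackResult {
    // Borrow rather than rebuild the Box: nothing in this frame owns the
    // allocation, so an unwind has nothing to free.
    let data = unsafe { &mut *(user_data as *mut UserData) };
    // Stop the panic at the FFI boundary and report it as Abort.
    catch_unwind(AssertUnwindSafe(|| match data.callback {
        Some(ref mut f) => f(frames),
        None => CallbackResult::Abort,
    }))
    .unwrap_or(CallbackResult::Abort)
}

fn main() {
    let drops = Arc::new(AtomicUsize::new(0));
    let cb = Box::new(|_: u32| -> CallbackResult { panic!("constructed failure") });
    let ptr = register(UserData { callback: Some(cb), drops: drops.clone() });
    let result = unsafe { trampoline(64, ptr) };
    println!("{:?}, destructor runs: {}", result, drops.load(Ordering::SeqCst));
    unsafe { release(ptr) };
}
```

The panic message still appears on stderr through the default panic hook; only the unwind is contained.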