Audit gif
Shnatsel opened this issue
Pure-Rust GIF decoder, used in image and everything that relies on it. 2000 downloads/day. High risk due to parsing untrusted data in a binary format.
The C API is where most of the unsafety lies. It is currently highly experimental and can be ignored. However, it looks like the core library could be made 100% safe.
I've started purging unsafe code, but I will not be able to finish the job. Done so far:
image-rs/image-gif#61
image-rs/image-gif#63
My work is merged, so there are only two unsafe blocks remaining outside the C API, both doing the same thing - transmuting the lifetime away:
https://github.com/image-rs/image-gif/blob/2dcbe4f82e296e3eed2d4a408e71557eefe46176/src/reader/decoder.rs#L217
https://github.com/image-rs/image-gif/blob/2dcbe4f82e296e3eed2d4a408e71557eefe46176/src/reader/mod.rs#L114
The 2 remaining unsafe blocks actually pass Polonius checks, see https://github.com/danielhenrymantilla/image-gif/tree/polonius-fix
So I'm considering them audited and assume that 100% safety is blocked until Polonius.
Tracking issue on rustc side: rust-lang/rust#51545
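To make the "blocked until Polonius" point concrete, here is an added example (not code from image-gif or from anyone in this thread): a toy buffered reader whose `bytes` shape the current borrow checker rejects but Polonius accepts, the lifetime-transmute workaround the thread describes, and a safe restructuring that compiles today. `BlockReader`, `refill` and the sample blocks are all constructed for this illustration.

```rust
use std::collections::VecDeque;
use std::mem;

/// Toy reader over a reusable buffer (constructed for this example; not the
/// image-gif decoder). `refill` stands in for "read the next block".
pub struct BlockReader {
    buf: Vec<u8>,
    pos: usize,
    pending: VecDeque<Vec<u8>>, // constructed sample input: blocks still to read
}

impl BlockReader {
    pub fn new(blocks: Vec<Vec<u8>>) -> Self {
        BlockReader { buf: Vec::new(), pos: 0, pending: blocks.into() }
    }

    pub fn consume(&mut self, n: usize) {
        self.pos = (self.pos + n).min(self.buf.len());
    }

    fn refill(&mut self) {
        self.buf = self.pending.pop_front().unwrap_or_default();
        self.pos = 0;
    }

    // Rejected by the current (NLL) borrow checker, accepted by Polonius:
    //     let rest = &self.buf[self.pos..];
    //     if !rest.is_empty() { return rest; } // borrow must last for 'a...
    //     self.refill();                       // ...so NLL reports E0502 here
    //     &self.buf[..]

    /// The "transmute the lifetime away" workaround: `rest` is detached from
    /// the borrow of `self`, so the refill path compiles today. Sound only
    /// because the path that mutates `self` never touches `rest` again.
    pub fn bytes_unsafe<'a>(&'a mut self) -> &'a [u8] {
        let rest: &'a [u8] = unsafe { mem::transmute(&self.buf[self.pos..]) };
        if !rest.is_empty() {
            return rest;
        }
        self.refill();
        &self.buf[..]
    }

    /// Safe rewrite the current checker accepts: decide to refill before borrowing.
    pub fn bytes_safe(&mut self) -> &[u8] {
        if self.pos >= self.buf.len() {
            self.refill();
        }
        &self.buf[self.pos..]
    }
}
```

The safe form works here because the refill decision can be made without holding the borrow that is returned; where that is not the case, the function stays unsafe until Polonius lands.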