Audit gif

Question

Audit gif

Shnatsel opened this issue 5 years ago · comments

Sergey "Shnatsel" Davidoff commented 5 years ago

Pure-Rust GIF decoder, used in image and everything that relies on it. 2000 downloads/day. High risk due to parsing untrusted data in a binary format.

Sergey "Shnatsel" Davidoff · Answer 1 · Sun Sep 01 2019 04:25:02 GMT+0800 (China Standard Time)

The C API is where most of the unsafety lies. It is currently highly experimental and can be ignored. However, it looks like the core library could be made 100% safe.

I've started purging unsafe code, but I will not be able to finish the job. Done so far:
image-rs/image-gif#61
image-rs/image-gif#63

Sergey "Shnatsel" Davidoff · Answer 2 · Sun Sep 01 2019 04:27:58 GMT+0800 (China Standard Time)

My work is merged, so there are only two unsafe blocks remaining outside the C API, both doing the same thing - transmuting the lifetime away:
https://github.com/image-rs/image-gif/blob/2dcbe4f82e296e3eed2d4a408e71557eefe46176/src/reader/decoder.rs#L217
https://github.com/image-rs/image-gif/blob/2dcbe4f82e296e3eed2d4a408e71557eefe46176/src/reader/mod.rs#L114

Sergey "Shnatsel" Davidoff · Answer 3 · Sun Sep 01 2019 06:48:58 GMT+0800 (China Standard Time)

The 2 remaining unsafe blocks actually pass Polonius checks, see https://github.com/danielhenrymantilla/image-gif/tree/polonius-fix

So I'm considering them audited and assume that 100% safety is blocked until Polonius.

Sergey "Shnatsel" Davidoff · Answer 4 · Sun Sep 01 2019 07:08:29 GMT+0800 (China Standard Time)

Tracking issue on rustc side: rust-lang/rust#51545