From 2c55c1fbd5c204d2b3dc798280272734eca26e04 Mon Sep 17 00:00:00 2001 From: "Sean T. Allen" Date: Sun, 4 Feb 2024 18:34:28 +0000 Subject: [PATCH] Fix memory corruption that can arise from Array.copy_to This is based heavily on stefandd's work from https://github.com/ponylang/ponyc/pull/4173 Closes #4174 --- .release-notes/4174.md | 23 +++++++++ packages/builtin/array.pony | 15 ++++-- packages/builtin_test/_test.pony | 82 ++++++++++++++++++++++++++++++++ 3 files changed, 115 insertions(+), 5 deletions(-) create mode 100644 .release-notes/4174.md diff --git a/.release-notes/4174.md b/.release-notes/4174.md new file mode 100644 index 0000000000..82d6980f0d --- /dev/null +++ b/.release-notes/4174.md @@ -0,0 +1,23 @@ +## Fix for potential memory corruption in Array.copy_to() + +`Array.copy_to()` did not check whether the source or destination Arrays had been initialized or whether the requested number of elements to be copied exceeded the number of available elements (allocated memory). These issues would result in potential dereferencing of a null pointer or attempts to access unallocated memory. + +Before this fix, the following code would print `11` then `0`: + +```pony +actor Main + new create(e: Env) => + var src: Array[U8] = [1] + var dest: Array[U8] = [11; 1; 2; 3; 4; 5; 6] + + try + e.out.print(dest(0)?.string()) + end + src.copy_to(dest, 11, 0, 10) + + try + e.out.print(dest(0)?.string()) + end +``` + +After the fix, this code correctly prints `11` and `11`. diff --git a/packages/builtin/array.pony b/packages/builtin/array.pony index 0405e3210d..c1ebcf3ab8 100644 --- a/packages/builtin/array.pony +++ b/packages/builtin/array.pony @@ -552,11 +552,16 @@ class Array[A] is Seq[A] """ Copy len elements from this(src_idx) to dst(dst_idx). """ - dst.reserve(dst_idx + len) - _ptr._offset(src_idx)._copy_to(dst._ptr._offset(dst_idx), len) - - if dst._size < (dst_idx + len) then - dst._size = dst_idx + len + if (src_idx < _size) and (dst_idx <= dst._size) then + let count = len.min(_size - src_idx) + if count > 0 then + dst.reserve(dst_idx + count) + _ptr._offset(src_idx)._copy_to(dst._ptr._offset(dst_idx), count) + + if dst._size < (dst_idx + count) then + dst._size = dst_idx + count + end + end end fun ref remove(i: USize, n: USize) => diff --git a/packages/builtin_test/_test.pony b/packages/builtin_test/_test.pony index 2d603c80c9..9879b44f25 100644 --- a/packages/builtin_test/_test.pony +++ b/packages/builtin_test/_test.pony @@ -30,6 +30,7 @@ actor \nodoc\ Main is TestList test(_TestArrayConcat) test(_TestArrayFind) test(_TestArrayFromCPointer) + test(_TestArrayCopyTo) test(_TestArrayInsert) test(_TestArraySlice) test(_TestArraySwapElements) @@ -1764,6 +1765,87 @@ class \nodoc\ iso _TestArrayFromCPointer is UnitTest let arr = Array[U8].from_cpointer(Pointer[U8], 1, 1) h.assert_eq[USize](0, arr.size()) +class \nodoc\ iso _TestArrayCopyTo is UnitTest + fun name(): String => + "builtin/Array.copy_to" + + fun apply(h: TestHelper) => + // Test that a using an uninitialized array as a source leaves the destination unchanged + let src1: Array[U8] = [] + let dest1: Array[U8] = [0; 1; 2; 3; 4; 5; 6] + src1.copy_to(dest1, 0, 0, 10) + h.assert_array_eq[U8]([0; 1; 2; 3; 4; 5; 6], dest1) + + // Test that copying from an empty source array leaves + // the destination unchanged + let src2: Array[U8] = [1] + let dest2: Array[U8] = [0; 1; 2; 3; 4; 5; 6] + try src2.pop()? end + src2.copy_to(dest2, 0, 0, 10) + h.assert_eq[USize](0, src2.size()) + h.assert_array_eq[U8]([0; 1; 2; 3; 4; 5; 6], dest2) + + // try to copy 10 elements; some non-existant + let src3: Array[U8] = [1] + let dest3: Array[U8] = [0; 1; 2; 3; 4; 5; 6] + src3.copy_to(dest3, 0, 0, 10) + h.assert_array_eq[U8]([1; 1; 2; 3; 4; 5; 6], dest3) + + // try to copy from too high start index + let src4: Array[U8] = [1] + let dest4: Array[U8] = [0; 1; 2; 3; 4; 5; 6] + src4.copy_to(dest4, 11, 0, 1) + h.assert_array_eq[U8]([0; 1; 2; 3; 4; 5; 6], dest4) + + // copies the sole available element + let src5: Array[U8] = [1] + let dest5: Array[U8] = [0; 1; 2; 3; 4; 5; 6] + src5.copy_to(dest5, 0, 0, 10) + h.assert_array_eq[U8]([1; 1; 2; 3; 4; 5; 6], dest5) + + // copy larger than destination chunk into the middle of destination + let src6: Array[U8] = [0; 1; 2; 3; 4; 5; 6] + let dest6: Array[U8] = [7; 8; 9] + src6.copy_to(dest6, 0, 1, 7) + h.assert_array_eq[U8]([7; 0; 1; 2; 3; 4; 5; 6], dest6) + + // copy into the front of destination so copied amount fits within + // existing destination + let src7: Array[U8] = [0; 1] + let dest7: Array[U8] = [4; 5; 6] + src7.copy_to(dest7, 0, 0, 2) + h.assert_array_eq[U8]([0; 1; 6], dest7) + + // copy into the middle of a destination + let src8: Array[U8] = [0] + let dest8: Array[U8] = [4; 5; 6] + src8.copy_to(dest8, 0, 1, 1) + h.assert_array_eq[U8]([4; 0; 6], dest8) + + // copy onto the end of the destination + let src9: Array[U8] = [0] + let dest9: Array[U8] = [4; 5; 6] + src9.copy_to(dest9, 0, 2, 1) + h.assert_array_eq[U8]([4; 5; 0], dest9) + + // destination is empty + let src10: Array[U8] = [0; 1; 2; 3] + let dest10: Array[U8] = [] + src10.copy_to(dest10, 0, 0, 4) + h.assert_array_eq[U8]([0; 1; 2; 3], dest10) + + // copy right after the end of the destination + let src11: Array[U8] = [0] + let dest11: Array[U8] = [4; 5; 6] + src11.copy_to(dest11, 0, 3, 1) + h.assert_array_eq[U8]([4; 5; 6; 0], dest11) + + // destination index is "someone else's memory" + let src12: Array[U8] = [0] + let dest12: Array[U8] = [4; 5; 6] + src12.copy_to(dest12, 0, 100, 1) + h.assert_array_eq[U8]([4; 5; 6], dest12) + class \nodoc\ iso _TestMath128 is UnitTest """ Test 128 bit integer math.