Hello, thank you for your contribution to this project. I am scanning for unsoundness problems in Rust projects.
I noticed the following code:
```rust
pub fn init_image(sgimage: sg_image, data: *const u8, size: usize) {
    let mut width: i32 = 0;
    let mut height: i32 = 0;
    let mut channels: i32 = 0;
    let image_data = unsafe {
        // Converts from PNG format to RGBA8 format
        stbi_load_from_memory(data as *const u8, size as core::ffi::c_int, &mut width, &mut height, &mut channels, 0)
    };
    let image_desc = sg::ImageDesc {
        width,
        height,
        pixel_format: sg::PixelFormat::Rgba8,
        data: sg::ImageData {
            subimage: [[sg::Range { ptr: image_data as *const core::ffi::c_void, size: (width * height * 4) as usize }; 16]; 6],
            ..Default::default()
        },
        ..Default::default()
    };
    sg::init_image(sg::Image { id: sgimage.id }, &image_desc);
    unsafe { stbi_image_free(image_data as *mut core::ffi::c_void) };
}
```
Considering that `render_2d` is a `pub mod` and `init_image` is also a `pub` function, I assume that users can directly call this function. This potential situation could result in `stbi_load_from_memory(data as *const u8, size as core::ffi::c_int, &mut width, &mut height, &mut channels, 0)` operating on a null pointer, which I guess might trigger undefined behavior (UB). For safety reasons, I felt it necessary to report this issue. If you have performed checks elsewhere that ensure this is safe, please don't take offense at my raising this issue.
I suggest several possible fixes:
- If there is no external usage for `init_image`, it should not be marked as `pub`.
- The `init_image` method should add an additional check for null pointers.
- Mark the `init_image` method as `unsafe` and add proper docs to let users know that they should provide valid pointers.
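A hardened shape for this function, as an added example (not the project's code): the raw `(ptr, size)` pair becomes a `&[u8]` so the safe signature is actually safe, the length is checked against `c_int` before the FFI call, a NULL return from the decoder becomes an `Err` instead of flowing into the GPU upload, the buffer is freed by an RAII wrapper on every path, and the raw-pointer variant is marked `unsafe` with a documented contract. `decode_from_memory` and `decode_free` are stand-ins for `stbi_load_from_memory` and `stbi_image_free` with the same contract (an assumption so the example runs without stb_image), and their toy input format is constructed for the example.

```rust
use core::ffi::c_int;
use std::{ptr, slice};
/// Decoded RGBA8 pixels owning the decoder's buffer; freed on drop, so the
/// free call happens on every path. `ptr` is never null.
pub struct DecodedImage { ptr: *mut u8, pub width: c_int, pub height: c_int }

impl DecodedImage {
    pub fn byte_len(&self) -> usize { self.width as usize * self.height as usize * 4 }
    pub fn pixels(&self) -> &[u8] { unsafe { slice::from_raw_parts(self.ptr, self.byte_len()) } }
}
impl Drop for DecodedImage {
    fn drop(&mut self) { unsafe { decode_free(self.ptr, self.byte_len()) } }
}

/// stb_image takes the length as a C int; lengths that do not fit are an error.
pub fn c_len(len: usize) -> Result<c_int, String> {
    c_int::try_from(len).map_err(|_| format!("image of {len} bytes exceeds c_int::MAX"))
}

/// Safe entry point: a `&[u8]` cannot be null or lie about its length, and a
/// NULL from the decoder becomes an `Err` instead of flowing into the GPU upload.
pub fn load_rgba8(data: &[u8]) -> Result<DecodedImage, String> {
    let (mut w, mut h) = (0 as c_int, 0 as c_int);
    // SAFETY: data.as_ptr() is valid for data.len() bytes for the whole call.
    let p = unsafe { decode_from_memory(data.as_ptr(), c_len(data.len())?, &mut w, &mut h, 4) };
    if p.is_null() { return Err("decoder returned NULL".into()); }
    Ok(DecodedImage { ptr: p, width: w, height: h })
}

/// Raw-pointer variant, marked `unsafe` so the contract is explicit instead of hidden.
/// # Safety
/// `data` must be non-null and readable for `size` bytes for the duration of the call.
pub unsafe fn load_rgba8_raw(data: *const u8, size: usize) -> Result<DecodedImage, String> {
    load_rgba8(slice::from_raw_parts(data, size))
}
// Stand-in for stbi_load_from_memory / stbi_image_free (an assumption, not the
// real FFI) with the same contract: NULL on failure, else a heap buffer of
// width*height*desired bytes. Constructed toy format: [width, height, pixels...].
unsafe fn decode_from_memory(data: *const u8, len: c_int, w: *mut c_int, h: *mut c_int,
                             desired: c_int) -> *mut u8 {
    if data.is_null() || len < 2 { return ptr::null_mut(); }
    let bytes = slice::from_raw_parts(data, len as usize);
    let (width, height) = (bytes[0] as usize, bytes[1] as usize);
    let need = width * height * desired as usize;
    if need == 0 || bytes.len() - 2 < need { return ptr::null_mut(); }
    *w = width as c_int; *h = height as c_int;
    Box::leak(bytes[2..2 + need].to_vec().into_boxed_slice()).as_mut_ptr()
}
unsafe fn decode_free(p: *mut u8, len: usize) { drop(Box::from_raw(slice::from_raw_parts_mut(p, len))); }
```

Requesting 4 channels from the decoder (the last argument) is what makes the `width * height * 4` size computation hold regardless of the source file's channel count.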