Skip to content

Add advisory for bytes-str: BytesString::split_off can break UTF-8 invariant#2919

Closed
yilin0518 wants to merge 1 commit into
rustsec:mainfrom
yilin0518:bytes-str
Closed

Add advisory for bytes-str: BytesString::split_off can break UTF-8 invariant#2919
yilin0518 wants to merge 1 commit into
rustsec:mainfrom
yilin0518:bytes-str

Conversation

@yilin0518

@yilin0518 yilin0518 commented May 28, 2026

Copy link
Copy Markdown
Contributor

Affected crate(s)

  • bytes-str (3,327,893 recent downloads on crates.io)

Links to upstream issue(s) or PR(s)

Severity

Soundness issue in safe code leading to undefined behavior (invalid &str constructed via split_off() + as_str()), with potential for memory corruption.

Checklist

  • Advisory filename(s) starts with RUSTSEC-0000-0000 as the ID
  • date field is set to the public disclosure date
  • Contains a concise and descriptive title after advisory metadata
  • Asked maintainer(s) if publishing an advisory is appropriate

@djc

djc commented Jun 1, 2026

Copy link
Copy Markdown
Member

Pinged the maintainer on the upstream issue, let's see what they see -- feel free to ping me again in 4 weeks if there's been no response.

@djc

djc commented Jun 1, 2026

Copy link
Copy Markdown
Member

@kdy1 so do you think this warrants an advisory being published?

@kdy1

kdy1 commented Jun 4, 2026

Copy link
Copy Markdown

I'm not sure, but I think either way is fine

keywords = ["soundness", "utf-8", "char-boundary", "invalid-str"]

[versions]
patched = []

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

A patched version has been released.


No patched version is currently available. The issue affects the reported version `0.2.7`.

In addition, the crate appears to be unmaintained. The maintainer has been contacted via this public issue and has not responded for over three months, and the repository shows no visible maintenance activity for roughly eleven months.

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Seems to be somewhat maintained, so let's drop this section?


`BytesString::split_off` does not validate UTF-8 character boundaries, but `BytesString::as_str` uses `from_utf8_unchecked` and assumes the internal buffer remains valid UTF-8. Safe code can construct a valid `BytesString`, split at a non-character boundary, then obtain an invalid `&str` through `as_str`, leading to undefined behavior when the string is iterated. The upstream issue suggests adding character-boundary checks (or panicking) in `split_off` and similar index-based operations.

No patched version is currently available. The issue affects the reported version `0.2.7`.

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

So drop this paragraph?

}
```

## Miri output

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No need to have this in the advisory.

@yilin0518 yilin0518 closed this Jun 8, 2026
@yilin0518

Copy link
Copy Markdown
Contributor Author

I get response from the develooper, thank you for your feedback!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants