Add advisory for bytes-str: BytesString::split_off can break UTF-8 invariant#2919
Closed
yilin0518 wants to merge 1 commit into
Closed
Add advisory for bytes-str: BytesString::split_off can break UTF-8 invariant#2919yilin0518 wants to merge 1 commit into
yilin0518 wants to merge 1 commit into
Conversation
Member
|
Pinged the maintainer on the upstream issue, let's see what they see -- feel free to ping me again in 4 weeks if there's been no response. |
Member
|
@kdy1 so do you think this warrants an advisory being published? |
|
I'm not sure, but I think either way is fine |
djc
reviewed
Jun 4, 2026
| keywords = ["soundness", "utf-8", "char-boundary", "invalid-str"] | ||
|
|
||
| [versions] | ||
| patched = [] |
Member
There was a problem hiding this comment.
A patched version has been released.
|
|
||
| No patched version is currently available. The issue affects the reported version `0.2.7`. | ||
|
|
||
| In addition, the crate appears to be unmaintained. The maintainer has been contacted via this public issue and has not responded for over three months, and the repository shows no visible maintenance activity for roughly eleven months. |
Member
There was a problem hiding this comment.
Seems to be somewhat maintained, so let's drop this section?
|
|
||
| `BytesString::split_off` does not validate UTF-8 character boundaries, but `BytesString::as_str` uses `from_utf8_unchecked` and assumes the internal buffer remains valid UTF-8. Safe code can construct a valid `BytesString`, split at a non-character boundary, then obtain an invalid `&str` through `as_str`, leading to undefined behavior when the string is iterated. The upstream issue suggests adding character-boundary checks (or panicking) in `split_off` and similar index-based operations. | ||
|
|
||
| No patched version is currently available. The issue affects the reported version `0.2.7`. |
| } | ||
| ``` | ||
|
|
||
| ## Miri output |
Member
There was a problem hiding this comment.
No need to have this in the advisory.
Contributor
Author
|
I get response from the develooper, thank you for your feedback! |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Affected crate(s)
Links to upstream issue(s) or PR(s)
Severity
Soundness issue in safe code leading to undefined behavior (invalid &str constructed via split_off() + as_str()), with potential for memory corruption.
Checklist
RUSTSEC-0000-0000as the IDdatefield is set to the public disclosure date