Fix buffer overread in format_escaped_str, again

Commit 528220f restored the buffer overread that I removed in commit 29884e6 (ijl#455). A buffer overread that doesn’t cross a page boundary is still undefined behavior, even if it doesn’t happen to cause an immediate segfault, and all undefined behavior must be avoided. Signed-off-by: Anders Kaseorg <andersk@mit.edu>
andersk · Feb 14, 2024 · 6d84e93 · 6d84e93
1 parent ba8c701
commit 6d84e93
Show file tree

Hide file tree

Showing 4 changed files with 2 additions and 55 deletions.
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -56,7 +56,6 @@ encoding_rs = { version = "0.8", default_features = false }
 itoa = { version = "1", default_features = false }
 itoap = { version = "1", features = ["std", "simd"] }
 once_cell = { version = "1", default_features = false, features = ["race"] }
-page_size = { version = "0.6" }
 pyo3-ffi = { version = "^0.20.2", default_features = false, features = ["extension-module"]}
 ryu = { version = "1", default_features = false }
 serde = { version = "1", default_features = false }

diff --git a/src/serialize/writer/simd.rs b/src/serialize/writer/simd.rs
@@ -2,7 +2,6 @@
 // Copyright 2023-2024 liuq19, ijl
 // adapted from sonic-rs' src/util/string.rs
 
-use crate::typeref::PAGE_SIZE;
 use core::simd::cmp::{SimdPartialEq, SimdPartialOrd};
 
 macro_rules! impl_escape_unchecked {
@@ -64,13 +63,8 @@ macro_rules! impl_format_simd {
                 }
             }
 
-            let mut v = if unlikely!(is_cross_page!(sptr)) {
-                let mut v = StrVector::default();
-                v.as_mut_array()[..nb].copy_from_slice(core::slice::from_raw_parts(sptr, nb));
-                v
-            } else {
-                StrVector::from_slice(core::slice::from_raw_parts(sptr, STRIDE))
-            };
+            let mut v = StrVector::default();
+            v.as_mut_array()[..nb].copy_from_slice(core::slice::from_raw_parts(sptr, nb));
             while nb > 0 {
                 v.copy_to_slice(core::slice::from_raw_parts_mut(dptr, STRIDE));
                 let mut mask = (v.simd_eq(blash) | v.simd_eq(quote) | v.simd_lt(x20)).to_bitmask()
@@ -100,12 +94,6 @@ macro_rules! impl_format_simd {
     };
 }
 
-macro_rules! is_cross_page {
-    ($src:expr) => {
-        unsafe { (($src as usize & (PAGE_SIZE - 1)) + STRIDE) > PAGE_SIZE }
-    };
-}
-
 #[cold]
 #[inline(never)]
 fn write_unusual_escape(sptr: *const u8, dptr: *mut u8) -> *mut u8 {

diff --git a/src/typeref.rs b/src/typeref.rs
@@ -75,9 +75,6 @@ pub static mut DESCR_STR: *mut PyObject = null_mut();
 pub static mut VALUE_STR: *mut PyObject = null_mut();
 pub static mut INT_ATTR_STR: *mut PyObject = null_mut();
 
-#[cfg(feature = "unstable-simd")]
-pub static mut PAGE_SIZE: usize = 0;
-
 #[cfg(feature = "yyjson")]
 pub const YYJSON_BUFFER_SIZE: usize = 1024 * 1024 * 8;
 
@@ -139,10 +136,6 @@ fn _init_typerefs_impl() -> bool {
     unsafe {
         debug_assert!(crate::opt::MAX_OPT < u16::MAX as i32);
 
-        #[cfg(feature = "unstable-simd")]
-        {
-            PAGE_SIZE = page_size::get();
-        }
         assert!(crate::deserialize::KEY_MAP
             .set(crate::deserialize::KeyMap::default())
             .is_ok());