🔒 Fix uninitialized memory exposure via set_len

404Setup · 404Setup · commit c8324e700167 · 2026-04-12T02:24:46.000Z
This commit addresses a security vulnerability where `Vec::set_len` was used to "initialize" buffers before data was actually written to them. This pattern can expose uninitialized memory if a panic occurs during the subsequent write operations, as safe code (like `Drop` implementations) could observe the uninitialized data.

The fix involves:
- Using `Vec::spare_capacity_mut()` to obtain a slice of `MaybeUninit&lt;u8&gt;` for compression/decompression operations.
- Deferring the `Vec::set_len()` call until after the operation has successfully completed.
- Ensuring buffers are `clear()`ed before use to maintain consistent state.
- Replacing unsafe `set_len` with safe `resize(..., 0)` for internal buffers that require initialization.

Affected areas:
- `src/stream.rs`: `DeflateEncoder::flush_buffer`
- `src/compress/mod.rs`: Parallel compression for large inputs and `dp_path` buffer.
- `src/batch.rs`: `BatchDecompressor::decompress_batch`
diff --git a/src/batch.rs b/src/batch.rs
@@ -63,15 +63,18 @@ impl BatchDecompressor {
             .map_init(
                 || (Decompressor::new(), Vec::new()),
                 |(decompressor, buffer), (&input, &max_size)| {
+                    buffer.clear();
                     if buffer.capacity() < max_size {
-                        buffer.reserve(max_size.saturating_sub(buffer.len()));
-                    }
-                    unsafe {
-                        buffer.set_len(max_size);
+                        buffer.reserve(max_size);
                     }
+                    let buf_uninit = &mut buffer.spare_capacity_mut()[..max_size];
 
-                    let (res, _, size) = decompressor.decompress(input, buffer);
+                    let (res, _, size) = unsafe { decompressor.decompress_uninit(input, buf_uninit) };
+                    buffer.clear();
                     if res == DecompressResult::Success {
+                        unsafe {
+                            buffer.set_len(size);
+                        }
                         Some(buffer[..size].to_vec())
                     } else {
                         None
diff --git a/src/compress/mod.rs b/src/compress/mod.rs
@@ -683,28 +683,28 @@ impl Compressor {
                         let mode = if is_last { flush_mode } else { FlushMode::Sync };
 
                         let bound = Self::deflate_compress_bound(chunk.len());
+                        buf.clear();
                         if buf.capacity() < bound {
-                            buf.reserve(bound - buf.len());
-                        }
-                        unsafe {
-                            buf.set_len(bound);
+                            buf.reserve(bound);
                         }
 
-                        let buf_uninit = slice_as_uninit_mut(buf);
+                        let buf_uninit = &mut buf.spare_capacity_mut()[..bound];
 
                         let (res, size, _) = compressor.compress(chunk, buf_uninit, mode);
                         if res == CompressResult::Success {
                             unsafe {
                                 buf.set_len(size);
                             }
-                            if size < buf.capacity() / 2 {
+                            let result = if size < buf.capacity() / 2 {
                                 Ok(buf.to_vec())
                             } else {
                                 Ok(std::mem::replace(
                                     buf,
                                     Vec::with_capacity(chunk_size + chunk_size / 2),
                                 ))
-                            }
+                            };
+                            buf.clear();
+                            result
                         } else {
                             Err(io::Error::other("Compression failed"))
                         }
@@ -920,12 +920,7 @@ impl Compressor {
         self.dp_costs[0] = 0;
 
         self.dp_path.clear();
-        if self.dp_path.capacity() < processed + 1 {
-            self.dp_path.reserve(processed + 1 - self.dp_path.len());
-        }
-        unsafe {
-            self.dp_path.set_len(processed + 1);
-        }
+        self.dp_path.resize(processed + 1, 0);
 
         mf.reset();
         let mut pos = 0;
@@ -1717,12 +1712,7 @@ impl Compressor {
         self.dp_costs[0] = 0;
 
         self.dp_path.clear();
-        if self.dp_path.capacity() < processed + 1 {
-            self.dp_path.reserve(processed + 1 - self.dp_path.len());
-        }
-        unsafe {
-            self.dp_path.set_len(processed + 1);
-        }
+        self.dp_path.resize(processed + 1, 0);
 
         mf.reset();
         let mut pos = 0;
diff --git a/src/stream.rs b/src/stream.rs
@@ -65,23 +65,24 @@ impl<W: Write + Send> DeflateEncoder<W> {
                 if !final_block {
                     bound += 5;
                 }
-                if output.len() < bound {
-                    output
-                        .try_reserve(bound - output.len())
-                        .map_err(io::Error::other)?;
-                    unsafe {
-                        output.set_len(bound);
-                    }
-                }
+
+                output.clear();
+                output
+                    .try_reserve(bound)
+                    .map_err(io::Error::other)?;
 
                 let mode = if final_block {
                     crate::compress::FlushMode::Finish
                 } else {
                     crate::compress::FlushMode::Sync
                 };
-                let out_uninit = crate::common::slice_as_uninit_mut(output);
+                let out_uninit = &mut output.spare_capacity_mut()[..bound];
                 let (res, size, _) = compressor.compress(chunk, out_uninit, mode);
+                output.clear();
                 if res == CompressResult::Success {
+                    unsafe {
+                        output.set_len(size);
+                    }
                     if let Some(writer) = &mut self.writer {
                         writer.write_all(&output[..size])?;
                     }
@@ -99,23 +100,24 @@ impl<W: Write + Send> DeflateEncoder<W> {
                         if !(final_block && i == num_chunks - 1) {
                             bound += 5;
                         }
-                        if output.len() < bound {
-                            output
-                                .try_reserve(bound - output.len())
-                                .map_err(io::Error::other)?;
-                            unsafe {
-                                output.set_len(bound);
-                            }
-                        }
+
+                        output.clear();
+                        output
+                            .try_reserve(bound)
+                            .map_err(io::Error::other)?;
 
                         let mode = if final_block && i == num_chunks - 1 {
                             crate::compress::FlushMode::Finish
                         } else {
                             crate::compress::FlushMode::Sync
                         };
-                        let out_uninit = crate::common::slice_as_uninit_mut(output);
+                        let out_uninit = &mut output.spare_capacity_mut()[..bound];
                         let (res, size, _) = compressor.compress(chunk, out_uninit, mode);
+                        output.clear();
                         if res == CompressResult::Success {
+                            unsafe {
+                                output.set_len(size);
+                            }
                             Ok(size)
                         } else {
                             Err(io::Error::other("Compression failed"))
@@ -144,23 +146,24 @@ impl<W: Write + Send> DeflateEncoder<W> {
             if !final_block {
                 bound += 5;
             }
-            if output.len() < bound {
-                output
-                    .try_reserve(bound - output.len())
-                    .map_err(io::Error::other)?;
-                unsafe {
-                    output.set_len(bound);
-                }
-            }
+
+            output.clear();
+            output
+                .try_reserve(bound)
+                .map_err(io::Error::other)?;
 
             let mode = if final_block {
                 crate::compress::FlushMode::Finish
             } else {
                 crate::compress::FlushMode::Sync
             };
-            let out_uninit = crate::common::slice_as_uninit_mut(output);
+            let out_uninit = &mut output.spare_capacity_mut()[..bound];
             let (res, size, _) = compressor.compress(&self.buffer, out_uninit, mode);
+            output.clear();
             if res == CompressResult::Success {
+                unsafe {
+                    output.set_len(size);
+                }
                 if let Some(writer) = &mut self.writer {
                     writer.write_all(&output[..size])?;
                 }
