Skip to content

🔒 [security fix] Fix buffer length manipulation without initialization#426

Merged
404Setup merged 1 commit intomainfrom
security-fix-buffer-init-12893776821588517495
Apr 29, 2026
Merged

🔒 [security fix] Fix buffer length manipulation without initialization#426
404Setup merged 1 commit intomainfrom
security-fix-buffer-init-12893776821588517495

Conversation

@404Setup
Copy link
Copy Markdown
Owner

@404Setup 404Setup commented Apr 29, 2026

🎯 What: Fixed a security vulnerability involving the unsafe use of set_len on uninitialized Vec buffers in src/batch.rs, src/stream.rs, and src/compress/mod.rs.

⚠️ Risk: Using set_len to extend a vector before the data is actually written leaves uninitialized memory exposed. This can lead to Undefined Behavior (UB) or sensitive information leakage if the subsequent operation fails or writes fewer bytes than expected.

🛡️ Solution:

  • Replaced the "reserve + set_len + write" pattern with "clear + reserve + write into spare_capacity_mut + set_len".
  • Utilized spare_capacity_mut() to safely handle uninitialized memory slices as MaybeUninit<u8>.
  • Added assert!(size <= bound) before calling set_len to ensure that the actual bytes written do not exceed the allocated capacity.
  • Replaced dangerous manual set_len calls in dynamic programming logic with safe resize(..., 0) to guarantee zero-initialization.
  • Migrated BatchDecompressor to use decompress_uninit for direct writing into uninitialized buffers.

PR created automatically by Jules for task 12893776821588517495 started by @404Setup

@404Setup
🔒 Fix security vulnerability: buffer length manipulation without init…
a715f2a 
…ialization

Replaced unsafe `set_len` calls on uninitialized memory with idiomatic
safe patterns using `spare_capacity_mut` and deferred `set_len` after
successful initialization. Added safety assertions to prevent potential
buffer overflows.
@google-labs-jules
Copy link
Copy Markdown
Contributor

google-labs-jules Bot commented Apr 29, 2026

👋 Jules, reporting for duty! I'm here to lend a hand with this pull request.

When you start a review, I'll add a 👀 emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down.

I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job!

For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with @jules. You can find this option in the Pull Request section of your global Jules UI settings. You can always switch back!

New to Jules? Learn more at jules.google/docs.

For security, I will only act on instructions from the user who triggered this task.

@404Setup 404Setup merged commit 04905e8 into main Apr 29, 2026
5 checks passed
@404Setup 404Setup deleted the security-fix-buffer-init-12893776821588517495 branch April 29, 2026 06:56
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@404Setup