Rollup merge of rust-lang#123806 - joboet:advanced_overflow, r=Amanieu

matthiaskrgr · web-flow · commit e4cc7157b87d · 2024-04-11T22:38:56.000+02:00
Panic on overflow in `BorrowedCursor::advance`

Passing `usize::MAX` to `advance` clearly isn't correct, but the current assertion fails to detect this when overflow checks are disabled. This isn't unsound, but should probably be fixed regardless.
diff --git a/core/src/io/borrowed_buf.rs b/core/src/io/borrowed_buf.rs
@@ -249,9 +249,10 @@ impl<'a> BorrowedCursor<'a> {
     /// Panics if there are less than `n` bytes initialized.
     #[inline]
     pub fn advance(&mut self, n: usize) -> &mut Self {
-        assert!(self.buf.init >= self.buf.filled + n);
+        let filled = self.buf.filled.strict_add(n);
+        assert!(filled <= self.buf.init);
 
-        self.buf.filled += n;
+        self.buf.filled = filled;
         self
     }
 
diff --git a/std/src/io/tests.rs b/std/src/io/tests.rs
@@ -209,6 +209,15 @@ fn read_buf_exact() {
     assert_eq!(c.read_buf_exact(buf.unfilled()).unwrap_err().kind(), io::ErrorKind::UnexpectedEof);
 }
 
+#[test]
+#[should_panic]
+fn borrowed_cursor_advance_overflow() {
+    let mut buf = [0; 512];
+    let mut buf = BorrowedBuf::from(&mut buf[..]);
+    buf.unfilled().advance(1);
+    buf.unfilled().advance(usize::MAX);
+}
+
 #[test]
 fn take_eof() {
     struct R;
