Fix: do bounds checking in index and index_mut

phil-opp · phil-opp · commit 9f7b015a7dd9 · 2021-06-14T12:12:41.000+02:00
diff --git a/src/lib.rs b/src/lib.rs
@@ -365,6 +365,10 @@ where
 /// Methods for volatile slices
 #[cfg(feature = "unstable")]
 impl<'a, T, R, W> VolatilePtr<'a, [T], Access<R, W>> {
+    pub fn len(&self) -> usize {
+        self.pointer.len()
+    }
+
     /// Applies the index operation on the wrapped slice.
     ///
     /// Returns a shared `Volatile` reference to the resulting subslice.
@@ -401,17 +405,27 @@ impl<'a, T, R, W> VolatilePtr<'a, [T], Access<R, W>> {
     /// let subslice = volatile.index(1..);
     /// assert_eq!(subslice.index(0).read(), 2);
     /// ```
-    pub fn index<I>(&self, index: I) -> VolatilePtr<I::Output, Access<R, access::NoAccess>>
+    pub fn index<I>(
+        &self,
+        index: I,
+    ) -> VolatilePtr<<I as SliceIndex<[T]>>::Output, Access<R, access::NoAccess>>
     where
-        I: SliceIndex<[T]>,
+        I: SliceIndex<[T]> + SliceIndex<[()]> + Clone,
     {
+        bounds_check(self.pointer.len(), index.clone());
+
         unsafe { self.map(|slice| slice.get_unchecked_mut(index)) }
     }
 
-    pub fn index_mut<I>(&mut self, index: I) -> VolatilePtr<I::Output, Access<R, W>>
+    pub fn index_mut<I>(
+        &mut self,
+        index: I,
+    ) -> VolatilePtr<<I as SliceIndex<[T]>>::Output, Access<R, W>>
     where
-        I: SliceIndex<[T]>,
+        I: SliceIndex<[T]> + SliceIndex<[()]> + Clone,
     {
+        bounds_check(self.pointer.len(), index.clone());
+
         unsafe { self.map_mut(|slice| slice.get_unchecked_mut(index)) }
     }
 
@@ -913,3 +927,11 @@ where
             .finish()
     }
 }
+
+#[cfg(feature = "unstable")]
+fn bounds_check(len: usize, index: impl SliceIndex<[()]>) {
+    const MAX_ARRAY: [(); usize::MAX] = [(); usize::MAX];
+
+    let bound_check_slice = &MAX_ARRAY[..len];
+    &bound_check_slice[index];
+}
diff --git a/src/tests.rs b/src/tests.rs
@@ -194,6 +194,50 @@ fn test_slice() {
     assert_eq!(dst, [2, 2, 3]);
 }
 
+#[cfg(feature = "unstable")]
+#[test]
+#[should_panic]
+fn test_bounds_check_1() {
+    let val: &mut [u32] = &mut [1, 2, 3];
+    let mut volatile = unsafe { VolatilePtr::new_read_write(NonNull::from(val)) };
+    volatile.index_mut(3);
+}
+
+#[cfg(feature = "unstable")]
+#[test]
+#[should_panic]
+fn test_bounds_check_2() {
+    let val: &mut [u32] = &mut [1, 2, 3];
+    let mut volatile = unsafe { VolatilePtr::new_read_write(NonNull::from(val)) };
+    volatile.index_mut(2..1);
+}
+
+#[cfg(feature = "unstable")]
+#[test]
+#[should_panic]
+fn test_bounds_check_3() {
+    let val: &mut [u32] = &mut [1, 2, 3];
+    let mut volatile = unsafe { VolatilePtr::new_read_write(NonNull::from(val)) };
+    volatile.index_mut(4..); // `3..` is is still ok (see next test)
+}
+
+#[cfg(feature = "unstable")]
+#[test]
+fn test_bounds_check_4() {
+    let val: &mut [u32] = &mut [1, 2, 3];
+    let mut volatile = unsafe { VolatilePtr::new_read_write(NonNull::from(val)) };
+    assert_eq!(volatile.index_mut(3..).len(), 0);
+}
+
+#[cfg(feature = "unstable")]
+#[test]
+#[should_panic]
+fn test_bounds_check_5() {
+    let val: &mut [u32] = &mut [1, 2, 3];
+    let mut volatile = unsafe { VolatilePtr::new_read_write(NonNull::from(val)) };
+    volatile.index_mut(..4);
+}
+
 #[cfg(feature = "unstable")]
 #[test]
 fn test_chunks() {
