[PR #2031] [MERGED] Fix use-after-free bugs in Rust userdata handling #2835

Open
opened 2026-01-29 17:24:08 +00:00 by claunia · 0 comments

📋 Pull Request Information

Original PR: https://github.com/CCExtractor/ccextractor/pull/2031
Author: @THE-Amrit-mahto-05
Created: 1/18/2026
Status: Merged
Merged: 1/18/2026
Merged by: @cfsmp3

Base: master ← Head: fix/rust-userdata-uaf


📝 Commits (2)

  • e0ac126 Fix use-after-free bugs in Rust userdata handling
  • 20b194a Consolidate Rust userdata fixes: UAF, bounds checks, and VBI safety

📊 Changes

1 file changed (+22 additions, -12 deletions)


📝 src/rust/src/es/userdata.rs (+22 -12)

📄 Description

In raising this pull request, I confirm the following (please check boxes):

  • [x] I have read and understood the contributors guide.
  • [x] I have checked that another pull request for this purpose does not exist.
  • [x] I have considered, and confirmed that this submission will be valuable to others.
  • [x] I accept that this submission may not be used, and the pull request closed at the will of the maintainer.
  • [x] I give this submission freely, and claim no ownership to its content.
  • [x] I have mentioned this change in the changelog.

My familiarity with the project is as follows (check one):

  • [ ] I have never used CCExtractor.
  • [ ] I have used CCExtractor just a couple of times.
  • [ ] I absolutely love CCExtractor, but have not contributed previously.
  • [x] I am an active contributor to CCExtractor.

Description

While reviewing userdata.rs, I found another instance of the same use-after-free pattern in the Unrecognized user data handling.

The current code creates a temporary Vec using .to_vec() and immediately extracts a raw pointer from it using .as_mut_ptr().
Because the temporary Vec is dropped right after .as_mut_ptr(), the pointer passed to dump() becomes dangling, resulting in use-after-free undefined behavior.

This is the same issue that was fixed earlier in this file.

Fix

Store the Vec in a local variable so its lifetime extends until after the dump() call:

```rust
let mut data_copy =
    ustream.data[ustream.pos..ustream.pos + dump_len].to_vec();
dump(data_copy.as_mut_ptr(), dump_len as _, 0, 0);
```

This guarantees the backing memory remains valid for the duration of the call.


🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.

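The pattern the PR describes, as an added example that is not CCExtractor's code: a stand-in for the C-side dump() (its real signature is assumed here, as is the shape of the stream struct), the fixed copy-then-call form together with the bounds and overflow checks the second commit's title mentions, and a borrow-tied wrapper that makes the dangling form impossible to write. `UserDataStream`, `dump_unrecognized`, `dump_slice` and `fnv1a` are names chosen for this example, not identifiers from userdata.rs.

```rust
// Added example, not CCExtractor code. `dump` stands in for the C-side
// dump() the PR passes its pointer to; the real signature is assumed.
use std::os::raw::c_int;

/// 64-bit FNV-1a, used only so dump() can return something checkable.
fn fnv1a(bytes: &[u8]) -> u64 {
    bytes.iter().fold(0xcbf2_9ce4_8422_2325u64, |h, &b| {
        (h ^ u64::from(b)).wrapping_mul(0x0000_0100_0000_01b3)
    })
}

/// Hypothetical stand-in for the C `dump()`: reads `len` bytes through `data`.
///
/// # Safety
/// `data` must point to at least `len` readable bytes for the whole call.
unsafe fn dump(data: *mut u8, len: c_int, _indent: c_int, _flags: c_int) -> u64 {
    debug_assert!(len >= 0);
    // This read is exactly what turns a dangling pointer into a use-after-free.
    fnv1a(std::slice::from_raw_parts(data, len as usize))
}

/// Minimal model of the user-data stream the PR's snippet slices (assumed shape).
struct UserDataStream {
    data: Vec<u8>,
    pos: usize,
}

/// The fixed shape from the PR plus bounds/overflow checks: the copy lives in a
/// named local, so the pointer handed to dump() is valid across the call.
/// Returns None instead of panicking (or slicing past the buffer) on bad input.
fn dump_unrecognized(ustream: &UserDataStream, dump_len: usize) -> Option<u64> {
    let end = ustream.pos.checked_add(dump_len)?; // no wraparound
    let window = ustream.data.get(ustream.pos..end)?; // no out-of-range slice
    let len = c_int::try_from(dump_len).ok()?; // no truncation at the FFI edge

    // BUG (the form the PR removed): binding the pointer first drops the
    // temporary Vec at the semicolon, so `p` dangles before dump() runs.
    //     let p = window.to_vec().as_mut_ptr();
    //     unsafe { dump(p, len, 0, 0) };

    let mut data_copy = window.to_vec();
    // SAFETY: data_copy is alive until this function returns and holds exactly
    // dump_len bytes, so the pointer is valid for the entire call.
    Some(unsafe { dump(data_copy.as_mut_ptr(), len, 0, 0) })
}

/// Safer still: derive the pointer inside a wrapper that borrows the buffer, so
/// the borrow checker, not convention, keeps the memory alive for the call.
fn dump_slice(buf: &mut [u8]) -> Option<u64> {
    let len = c_int::try_from(buf.len()).ok()?;
    // SAFETY: `buf` is borrowed for the whole call; the pointer cannot outlive it.
    Some(unsafe { dump(buf.as_mut_ptr(), len, 0, 0) })
}

fn main() {
    // Constructed sample input: 64 bytes, cursor at offset 8.
    let ustream = UserDataStream { data: (0u8..64).collect(), pos: 8 };
    println!("{:?}", dump_unrecognized(&ustream, 16));
    println!("{:?}", dump_unrecognized(&ustream, 57)); // 8 + 57 > 64 -> None
}
```

One caveat worth keeping in mind when hunting for this pattern: Rust keeps a temporary alive until the end of the enclosing full statement, so `dump(v.to_vec().as_mut_ptr(), ...)` written as a single expression does not dangle; the dangerous form is the one that binds the pointer to a variable first (`let p = ....to_vec().as_mut_ptr();`) and calls later. Running the unsafe-heavy tests under Miri (`cargo miri test`) makes the dangling form fail loudly, and recent toolchains also carry a `dangling_pointers_from_temporaries` lint aimed at exactly this shape.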
claunia added the pull-request label 2026-01-29 17:24:08 +00:00
Reference: starred/ccextractor#2835