[PR #2031] Fix use-after-free bugs in Rust userdata handling #2837

New Issue

claunia · 2026-01-29T17:24:08Z

claunia commented

2026-01-29 17:24:08 +00:00

Original Pull Request: https://github.com/CCExtractor/ccextractor/pull/2031

State: closed
Merged: Yes

In raising this pull request, I confirm the following (please check boxes):

I have read and understood the contributors guide.
I have checked that another pull request for this purpose does not exist.
I have considered, and confirmed that this submission will be valuable to others.
I accept that this submission may not be used, and the pull request closed at the will of the maintainer.
I give this submission freely, and claim no ownership to its content.
I have mentioned this change in the changelog.

My familiarity with the project is as follows (check one):

I have never used CCExtractor.
I have used CCExtractor just a couple of times.
I absolutely love CCExtractor, but have not contributed previously.
I am an active contributor to CCExtractor.

Description

While reviewing userdata.rs, I found another instance of the same use-after-free pattern in the Unrecognized user data handling.

The current code creates a temporary Vec using .to_vec() and immediately extracts a raw pointer from it using .as_mut_ptr().
Because the temporary Vec is dropped right after .as_mut_ptr(), the pointer passed to dump() becomes dangling, resulting in use-after-free undefined behavior.

This is the same issue that was fixed earlier in this file.

Fix

Store the Vec in a local variable so its lifetime extends until after the dump() call:

let mut data_copy =
    ustream.data[ustream.pos..ustream.pos + dump_len].to_vec();
dump(data_copy.as_mut_ptr(), dump_len as _, 0, 0);

This guarantees the backing memory remains valid for the duration of the call.

**Original Pull Request:** https://github.com/CCExtractor/ccextractor/pull/2031 **State:** closed **Merged:** Yes ---  **In raising this pull request, I confirm the following (please check boxes):** - [x] I have read and understood the [contributors guide](https://github.com/CCExtractor/ccextractor/blob/master/.github/CONTRIBUTING.md). - [x] I have checked that another pull request for this purpose does not exist. - [x] I have considered, and confirmed that this submission will be valuable to others. - [x] I accept that this submission may not be used, and the pull request closed at the will of the maintainer. - [x] I give this submission freely, and claim no ownership to its content. - [x] **I have mentioned this change in the [changelog](https://github.com/CCExtractor/ccextractor/blob/master/docs/CHANGES.TXT).** **My familiarity with the project is as follows (check one):** - [ ] I have never used CCExtractor. - [ ] I have used CCExtractor just a couple of times. - [ ] I absolutely love CCExtractor, but have not contributed previously. - [x] I am an active contributor to CCExtractor. --- ### Description While reviewing userdata.rs, I found another instance of the same use-after-free pattern in the Unrecognized user data handling. The current code creates a temporary Vec using .to_vec() and immediately extracts a raw pointer from it using .as_mut_ptr(). Because the temporary Vec is dropped right after .as_mut_ptr(), the pointer passed to dump() becomes dangling, resulting in use-after-free undefined behavior. This is the same issue that was fixed earlier in this file. ### Fix Store the Vec in a local variable so its lifetime extends until after the dump() call: ```rust let mut data_copy = ustream.data[ustream.pos..ustream.pos + dump_len].to_vec(); dump(data_copy.as_mut_ptr(), dump_len as _, 0, 0); ``` This guarantees the backing memory remains valid for the duration of the call.

claunia added the pull-request label 2026-01-29 17:24:08 +00:00

claunia closed this issue

2026-01-29 17:24:08 +00:00

Sign in to join this conversation.

1 Participants

Notifications

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: starred/ccextractor#2837