Manishearth opened a new issue, #10253:
URL: https://github.com/apache/arrow-rs/issues/10253

This is a minor technical unsoundness that is likely to never come up in real usage of this crate.

[`FFI_ArrowArrayStream`](https://docs.rs/arrow-array/latest/arrow_array/ffi_stream/struct.FFI_ArrowArrayStream.html) has public fields, including raw pointer fields. They can be set to whatever you want in safe Rust code.

[`ArrowArrayStreamReader::try_new()`](https://docs.rs/arrow-array/latest/arrow_array/ffi_stream/struct.ArrowArrayStreamReader.html#method.try_new) takes one of these, and [internally dereferences some of the pointers](https://docs.rs/arrow-array/latest/src/arrow_array/ffi_stream.rs.html#292-305).

This means you can technically have UB if you fill an `FFI_ArrowArrayStream` with garbage and then pass it to `ArrowArrayStreamReader::try_new()`.

In practice, nobody's going to do that; folks will be populating the FFI type over FFI (at which point it's no longer Rust's problem).

But perhaps `ArrowArrayStreamReader::try_new()` should be `unsafe`, or `FFI_ArrowArrayStream` should have private fields.

I don't think this is the only such type in the crate, but it's the first one that my agentic audit noticed.
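The shape the issue describes, as an added example that is not arrow-rs's own code: a hypothetical `FfiStream` with public callback and pointer fields, a safe `next_unsound` that calls through them (the pattern the issue objects to), and `next_checked`, the `unsafe fn` alternative the issue suggests, plus a constructed conforming producer so the hardened path can be exercised.

```rust
use std::ffi::c_void;
/// Constructed stand-in for a C-ABI stream struct that foreign code fills in
/// (hypothetical; not arrow-rs's own FFI_ArrowArrayStream).
#[repr(C)]
pub struct FfiStream {
    pub get_next: Option<unsafe extern "C" fn(*mut FfiStream, *mut i64) -> i32>,
    pub release: Option<unsafe extern "C" fn(*mut FfiStream)>,
    pub private_data: *mut c_void,
}

/// Unsound shape: a *safe* fn that calls through public pointer fields. Safe
/// code may have stored anything in them, so UB is reachable without the
/// caller ever writing `unsafe`.
pub fn next_unsound(stream: &mut FfiStream) -> Result<i64, String> {
    let f = stream.get_next.ok_or("stream has no get_next")?;
    let mut out = 0i64;
    let rc = unsafe { f(stream, &mut out) }; // no invariant justifies this
    if rc == 0 { Ok(out) } else { Err(format!("get_next returned {rc}")) }
}

/// Hardened shape: the entry point is `unsafe fn` with a `# Safety` contract,
/// so the trust decision is made (and greppable) at the call site.
/// # Safety
/// `stream` must have been populated by a conforming producer: each `Some`
/// callback must be valid to call with this stream, and `private_data` must
/// be whatever those callbacks expect.
pub unsafe fn next_checked(stream: &mut FfiStream) -> Result<i64, String> {
    let f = stream.get_next.ok_or("stream has no get_next")?;
    let mut out = 0i64;
    let rc = unsafe { f(stream, &mut out) }; // SAFETY: caller's contract above
    if rc == 0 { Ok(out) } else { Err(format!("get_next returned {rc}")) }
}

// A conforming producer, constructed for this example: private_data holds a
// boxed i64 counter; get_next increments it, release frees it.
unsafe extern "C" fn counter_next(s: *mut FfiStream, out: *mut i64) -> i32 {
    let n = unsafe { (*s).private_data as *mut i64 };
    if n.is_null() { return 1; } // report an error code instead of crashing
    unsafe { *n += 1; *out = *n; }
    0
}
unsafe extern "C" fn counter_release(s: *mut FfiStream) {
    unsafe { drop(Box::from_raw((*s).private_data as *mut i64)); }
    unsafe { (*s).private_data = std::ptr::null_mut(); }
}

pub fn make_counter_stream() -> FfiStream {
    FfiStream { get_next: Some(counter_next), release: Some(counter_release),
                private_data: Box::into_raw(Box::new(0i64)) as *mut c_void }
}
```

Both readers behave identically on a conforming stream; the difference is that with `next_checked` a reviewer can grep for `unsafe` at the call site and find the place where a safe-Rust-constructed struct would be trusted.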

