From f693e038d9ad3042c0a68bb3ef609117b1d7a86a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Stefan=20B=C3=BChler?= <buehler@cert.uni-stuttgart.de>
Date: Fri, 2 Sep 2016 17:28:47 +0200
Subject: [PATCH] Fix buffer overflow in Sink for Vec<u8>

Fixes #46
---
 src/buf/mod.rs   |  5 +++--
 test/test_buf.rs | 13 +++++++++++++
 2 files changed, 16 insertions(+), 2 deletions(-)

diff --git a/src/buf/mod.rs b/src/buf/mod.rs
index 587de2c..b5cd568 100644
--- a/src/buf/mod.rs
+++ b/src/buf/mod.rs
@@ -407,12 +407,13 @@ impl<'a> Sink for &'a mut Vec<u8> {
         self.clear();
 
         let rem = buf.remaining();
-        let cap = self.capacity();
 
         // Ensure that the vec is big enough
         if rem > self.capacity() {
-            self.reserve(rem - cap);
+            // current length is 0, so reserve completely
+            self.reserve(rem);
         }
+        debug_assert!(rem <= self.capacity());
 
         unsafe {
             {
diff --git a/test/test_buf.rs b/test/test_buf.rs
index bb5c0f5..f28d70f 100644
--- a/test/test_buf.rs
+++ b/test/test_buf.rs
@@ -1,6 +1,7 @@
 use bytes::{Buf};
 use byteorder;
 use std::io::{Cursor};
+use std::vec::{Vec};
 
 #[test]
 pub fn test_fresh_cursor_vec() {
@@ -44,3 +45,15 @@ fn test_read_u16_buffer_underflow() {
     let mut buf = Cursor::new(b"\x21");
     buf.read_u16::<byteorder::BigEndian>();
 }
+
+#[test]
+fn test_vec_sink_capacity() {
+    use bytes::Sink;
+
+    let mut sink: Vec<u8> = Vec::new();
+    sink.reserve(16);
+    assert!(sink.capacity() >= 16, "Capacity {} must be at least 16", sink.capacity());
+    let mut source = Cursor::new(b"0123456789abcdef0123456789abcdef");
+    sink.copy_from(&mut source);
+    assert!(sink.len() <= sink.capacity(), "Length {} must be less than or equal to capacity {}", sink.len(), sink.capacity());
+}
-- 
GitLab