Soundness issue in ImageSurfaceDataExt
ImageSurfaceDataExt is a public trait of rsvg_internals and internally uses unsafe code. It is also implemented for &mut [u8] in a way that seems pretty unsound to me.
```rust
/// Extension methods for `cairo::ImageSurfaceData`.
pub trait ImageSurfaceDataExt: DerefMut<Target = [u8]> {
    /// Sets the pixel at the given coordinates. Assumes the `ARgb32` format.
    #[inline]
    fn set_pixel(&mut self, stride: usize, pixel: Pixel, x: u32, y: u32) {
        let value = pixel.to_u32();
        unsafe {
            *(&mut self[y as usize * stride + x as usize * 4] as *mut u8 as *mut u32) = value;
        }
    }
}

impl<'a> ImageSurfaceDataExt for &'a mut [u8] {}
```
As far as I can tell, this is unsound when called as [0, 1, 2, 3].set_pixel(1, some_pixel, 0, 3).
In general, I feel like there is quite a bit too much unsafe code in the crate, but I assume this will get fixed given enough time and that it is just a residue of the rewrite from C to Rust. Great work aside that.
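The defect in the snippet above is that the slice indexing only bounds-checks the first byte of the pixel, while the raw-pointer write stores four bytes (and additionally assumes the address is 4-byte aligned, which a u8 slice does not guarantee). The following is an added example, not code from librsvg or the issue author: it computes the byte range a set_pixel call would touch, rejects the call from the issue, and shows a fully safe replacement that writes through slice APIs. Pixel, to_u32 and set_pixel_checked are stand-ins invented for this example; the ARGB packing order is an assumption.

```rust
use std::ops::Range;

/// Hypothetical stand-in for the crate's pixel type (not rsvg_internals' own).
#[derive(Clone, Copy, Debug, PartialEq)]
pub struct Pixel {
    pub r: u8,
    pub g: u8,
    pub b: u8,
    pub a: u8,
}

impl Pixel {
    /// Pack as ARGB32; the byte order is an assumption made for this example.
    pub fn to_u32(self) -> u32 {
        (self.a as u32) << 24 | (self.r as u32) << 16 | (self.g as u32) << 8 | (self.b as u32)
    }
}

/// Returns the byte range a `set_pixel(stride, _, x, y)` call would write into a
/// buffer of `len` bytes, or `None` if the 4-byte pixel would not fit or the index
/// arithmetic overflows. This is exactly the check the unsafe version lacks: it
/// validates only `start`, not `start + 4`.
pub fn pixel_range(len: usize, stride: usize, x: u32, y: u32) -> Option<Range<usize>> {
    let row = (y as usize).checked_mul(stride)?;
    let col = (x as usize).checked_mul(4)?;
    let start = row.checked_add(col)?;
    let end = start.checked_add(4)?;
    if end <= len {
        Some(start..end)
    } else {
        None
    }
}

/// Safe replacement for `set_pixel`: every byte goes through slice indexing, so an
/// out-of-range write is an `Err` instead of memory corruption, and no alignment
/// is assumed because the value is stored byte by byte.
pub fn set_pixel_checked(
    buf: &mut [u8],
    stride: usize,
    pixel: Pixel,
    x: u32,
    y: u32,
) -> Result<(), String> {
    let range = pixel_range(buf.len(), stride, x, y).ok_or_else(|| {
        format!(
            "pixel ({}, {}) with stride {} does not fit in a {}-byte buffer",
            x, y, stride, buf.len()
        )
    })?;
    buf[range].copy_from_slice(&pixel.to_u32().to_ne_bytes());
    Ok(())
}

fn main() {
    let mut buf = [0u8; 4];
    let px = Pixel { r: 1, g: 2, b: 3, a: 4 };
    // The call from the issue: byte 3 is in bounds, bytes 4..7 are not.
    println!("{:?}", set_pixel_checked(&mut buf, 1, px, 0, 3));
    // A valid write into a buffer that holds exactly one pixel.
    println!("{:?} {:?}", set_pixel_checked(&mut buf, 4, px, 0, 0), buf);
}
```

The first call reproduces the issue's example and is rejected; the second shows that a well-formed call still works. Using `copy_from_slice` with `to_ne_bytes` keeps the same in-memory layout the original `*mut u32` store would produce on the same platform, without any unsafe code.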