[GH-ISSUE #442] RUSTSEC-2024-0429: Unsoundness in `Iterator` and `DoubleEndedIterator` impls for `glib::VariantStrIter` #45

New issue

Closed

opened 2026-03-03 13:45:14 +03:00 by kerem · 0 comments

kerem commented

2026-03-03 13:45:14 +03:00

Owner

Originally created by @github-actions[bot] on GitHub (Jun 26, 2025).
Original GitHub issue: https://github.com/gopher64/gopher64/issues/442

Unsoundness in Iterator and DoubleEndedIterator impls for glib::VariantStrIter

Details
Status	unsound
Package	`glib`
Version	`0.18.5`
URL	https://github.com/gtk-rs/gtk-rs-core/pull/1343
Date	2024-03-30

The VariantStrIter::impl_get function (called internally by implementations of the Iterator and DoubleEndedIterator traits for this type) was unsound, resulting in undefined behaviour.

An immutable reference &p to a *mut libc::c_char pointer initialized to NULL was passed as an argument to a C function that that mutates the pointer behind &p in-place (i.e. as an out-argument), which was unsound. After changes in recent versions of the Rust compiler, these unsound writes through &p now seem to be completely disregarded when building the glib crate with optimizations.

This subsequently caused all calls of VariantStrIter::impl_get to violate the safety requirements of the std::ffi::CStr::from_ptr function - which requires its argument to be a valid pointer to a C-style string - resulting in crashes due to NULL pointer dereferences.

This was fixed by passing the out-argument pointer explitly as &mut p instead of &p.

This issue has been present since this code was initially added in glib v0.15.0. The mismatch in mutability was likely missed (and not raised as an error by the compiler) because the C function wrapped by VariantStrIter::impl_get is variadic (glib_sys::g_variant_get_child), and the pointer in question is one of the variadic arguments.

See advisory page for additional details.

Originally created by @github-actions[bot] on GitHub (Jun 26, 2025). Original GitHub issue: https://github.com/gopher64/gopher64/issues/442 > Unsoundness in `Iterator` and `DoubleEndedIterator` impls for `glib::VariantStrIter` | Details | | | ------------------- | ---------------------------------------------- | | Status | unsound | | Package | `glib` | | Version | `0.18.5` | | URL | [https://github.com/gtk-rs/gtk-rs-core/pull/1343](https://github.com/gtk-rs/gtk-rs-core/pull/1343) | | Date | 2024-03-30 | The `VariantStrIter::impl_get` function (called internally by implementations of the `Iterator` and `DoubleEndedIterator` traits for this type) was unsound, resulting in undefined behaviour. An immutable reference `&p` to a `*mut libc::c_char` pointer initialized to `NULL` was passed as an argument to a C function that that mutates the pointer behind `&p` in-place (i.e. as an out-argument), which was unsound. After changes in recent versions of the Rust compiler, these unsound writes through `&p` now seem to be completely disregarded when building the `glib` crate with optimizations. This subsequently caused all calls of `VariantStrIter::impl_get` to violate the safety requirements of the `std::ffi::CStr::from_ptr` function - which requires its argument to be a valid pointer to a C-style string - resulting in crashes due to `NULL` pointer dereferences. This was fixed by passing the out-argument pointer explitly as `&mut p` instead of `&p`. This issue has been present since this code was initially added in `glib` v0.15.0. The mismatch in mutability was likely missed (and not raised as an error by the compiler) because the C function wrapped by `VariantStrIter::impl_get` is variadic (`glib_sys::g_variant_get_child`), and the pointer in question is one of the variadic arguments. See [advisory page](https://rustsec.org/advisories/RUSTSEC-2024-0429.html) for additional details.