gzip: make header functions unsafe and document preconditions

trifectatechfoundation · Oct 24, 2024 · e0b0001 · e0b0001
1 parent fb287a7
commit e0b0001
Show file tree

Hide file tree

Showing 3 changed files with 25 additions and 6 deletions.
diff --git a/libz-rs-sys/src/lib.rs b/libz-rs-sys/src/lib.rs
@@ -920,7 +920,10 @@ pub unsafe extern "C-unwind" fn deflate(strm: *mut z_stream, flush: i32) -> c_in
 ///     - `strm` satisfies the requirements of `&mut *strm` and was initialized with [`deflateInit_`] or similar
 /// * Either
 ///     - `head` is `NULL`
-///     - `head` satisfies the requirements of `&mut *head`
+///     - `head` satisfies the requirements of `&mut *head` and satisfies the following:
+///         - `head.extra` is `NULL` or is readable for at least `head.extra_len` bytes
+///         - `head.name` is `NULL` or satisfies the requirements of [`core::ffi::CStr::from_ptr`]
+///         - `head.comment` is `NULL` or satisfies the requirements of [`core::ffi::CStr::from_ptr`]
 #[export_name = prefix!(deflateSetHeader)]
 pub unsafe extern "C-unwind" fn deflateSetHeader(strm: *mut z_stream, head: gz_headerp) -> c_int {
     let Some(stream) = (unsafe { DeflateStream::from_stream_mut(strm) }) else {

diff --git a/zlib-rs/src/deflate.rs b/zlib-rs/src/deflate.rs
@@ -2979,7 +2979,15 @@ impl Heap {
     }
 }
 
-pub fn set_header<'a>(
+/// # Safety
+///
+/// The caller must guarantee:
+///
+/// * If `head` is `Some`
+///     - `head.extra` is `NULL` or is readable for at least `head.extra_len` bytes
+///     - `head.name` is `NULL` or satisfies the requirements of [`core::ffi::CStr::from_ptr`]
+///     - `head.comment` is `NULL` or satisfies the requirements of [`core::ffi::CStr::from_ptr`]
+pub unsafe fn set_header<'a>(
     stream: &mut DeflateStream<'a>,
     head: Option<&'a mut gz_header>,
 ) -> ReturnCode {
@@ -3686,7 +3694,7 @@ mod test {
             unreachable!()
         };
 
-        set_header(stream, Some(&mut header));
+        unsafe { set_header(stream, Some(&mut header)) };
 
         let input = b"Hello World\n";
         stream.next_in = input.as_ptr() as *mut _;
@@ -3754,7 +3762,7 @@ mod test {
             unreachable!()
         };
 
-        set_header(stream, Some(&mut header));
+        unsafe { set_header(stream, Some(&mut header)) };
 
         let input = b"Hello World\n";
         stream.next_in = input.as_ptr() as *mut _;
@@ -3815,7 +3823,7 @@ mod test {
             };
 
             assert_eq!(
-                crate::inflate::get_header(stream, Some(&mut header)),
+                unsafe { crate::inflate::get_header(stream, Some(&mut header)) },
                 ReturnCode::Ok
             );
 

diff --git a/zlib-rs/src/inflate.rs b/zlib-rs/src/inflate.rs
@@ -2296,7 +2296,15 @@ pub fn end<'a>(stream: &'a mut InflateStream<'a>) -> &'a mut z_stream {
     stream
 }
 
-pub fn get_header<'a>(
+/// # Safety
+///
+/// The caller must guarantee:
+///
+/// * If `head` is `Some`:
+//      - If `head.extra` is not NULL, it must be writable for at least `head.extra_max` bytes
+///     - if `head.name` is not NULL, it must be writable for at least `head.name_max` bytes
+///     - if `head.comment` is not NULL, it must be writable for at least `head.comm_max` bytes
+pub unsafe fn get_header<'a>(
     stream: &mut InflateStream<'a>,
     head: Option<&'a mut gz_header>,
 ) -> ReturnCode {