Rust write_vtable leave uninitialized values #8894
Description
File: flatbuffers Rust crate src/builder.rs
Function: write_vtable() line ~605
// fill the WIP vtable with zeros: <-- COMMENT LIES!
let vtable_byte_len = get_vtable_byte_len(&self.field_locs);
self.make_space(vtable_byte_len); // Only reserves, doesn't zero!
If you pre-fill the buffer the buffer with 0xAA, you will see that default values end up getting left as garbage and the Rust flatbuffers itself can read it as it will have offsets out of bounds.
diff --git a/rust/flatbuffers/src/builder.rs b/rust/flatbuffers/src/builder.rs
index 1234567..abcdefg 100644
--- a/rust/flatbuffers/src/builder.rs
+++ b/rust/flatbuffers/src/builder.rs
@@ -602,9 +602,13 @@ impl<'a, A: Allocator + 'a> FlatBufferBuilder<'a, A> {
let object_revloc_to_vtable: WIPOffset<VTableWIPOffset> =
WIPOffset::new(self.push::<UOffsetT>(0xF0F0_F0F0).value());
- // fill the WIP vtable with zeros:
+ // Reserve space for the vtable:
let vtable_byte_len = get_vtable_byte_len(&self.field_locs);
self.make_space(vtable_byte_len);
+
+ // Zero the vtable buffer (matches C++ buf_.fill_big() behavior):
+ let vt_start_pos = self.head;
+ let vt_end_pos = self.head + vtable_byte_len;
+ self.allocator[vt_start_pos.range_to(vt_end_pos)].fill(0);
// compute the length of the table (not vtable!) in bytes:
let table_object_size = object_revloc_to_vtable.value() - table_tail_revloc.value();
--
The attached archive includes the test case to reproduce.