fix: Use Vec::resize() instead of set_len()

Otherwise it's possible for uninitialized memory to be used as if it was initialized,
which can lead to strange behaviour.

As the buffer is re-used, it's not actually zeroing that much memory either.

Author: Byron

gix-filter/src/worktree/encode_to_git.rs

@@ -26,7 +26,6 @@ pub(crate) mod function {
     use encoding_rs::DecoderResult;
 
     use super::{Error, RoundTripCheck};
-    use crate::clear_and_set_capacity;
 
     /// Decode `src` according to `src_encoding` to `UTF-8` for storage in git and place it in `buf`.
     /// Note that the encoding is always applied, there is no conditional even if `src_encoding` already is `UTF-8`.
@@ -40,13 +39,8 @@ pub(crate) mod function {
         let buf_len = decoder
             .max_utf8_buffer_length_without_replacement(src.len())
             .ok_or(Error::Overflow { input_len: src.len() })?;
-        clear_and_set_capacity(buf, buf_len);
-        // SAFETY: `clear_and_set_capacity` assure that we have the given `buf_len` allocated, so setting its length is only making available
-        //          what is allocated. Later we will truncate to the amount of actually written bytes.
-        #[allow(unsafe_code)]
-        unsafe {
-            buf.set_len(buf_len);
-        }
+        buf.clear();
+        buf.resize(buf_len, 0);
         let (res, read, written) = decoder.decode_to_utf8_without_replacement(src, buf, true);
         match res {
             DecoderResult::InputEmpty => {
@@ -55,11 +49,7 @@ pub(crate) mod function {
                     "encoding_rs estimates the maximum amount of bytes written correctly"
                 );
                 assert_eq!(read, src.len(), "input buffer should be fully consumed");
-                // SAFETY: we trust that `encoding_rs` reports this number correctly, and truncate everything else.
-                #[allow(unsafe_code)]
-                unsafe {
-                    buf.set_len(written);
-                }
+                buf.truncate(written);
             }
             DecoderResult::OutputFull => {
                 unreachable!("we assure that the output buffer is big enough as per the encoder's estimate")

gix-filter/src/worktree/encode_to_worktree.rs

@@ -17,7 +17,6 @@ pub(crate) mod function {
     use encoding_rs::EncoderResult;
 
     use super::Error;
-    use crate::clear_and_set_capacity;
 
     /// Encode `src_utf8`, which is assumed to be UTF-8 encoded, according to `worktree_encoding` for placement in the working directory,
     /// and write it to `buf`, possibly resizing it.
@@ -33,13 +32,8 @@ pub(crate) mod function {
             .ok_or(Error::Overflow {
                 input_len: src_utf8.len(),
             })?;
-        clear_and_set_capacity(buf, buf_len);
-        // SAFETY: `clear_and_set_capacity` assure that we have the given `buf_len` allocated, so setting its length is only making available
-        //          what is allocated. Later we will truncate to the amount of actually written bytes.
-        #[allow(unsafe_code)]
-        unsafe {
-            buf.set_len(buf_len);
-        }
+        buf.clear();
+        buf.resize(buf_len, 0);
         let src = std::str::from_utf8(src_utf8)?;
         let (res, read, written) = encoder.encode_from_utf8_without_replacement(src, buf, true);
         match res {
@@ -49,11 +43,7 @@ pub(crate) mod function {
                     "encoding_rs estimates the maximum amount of bytes written correctly"
                 );
                 assert_eq!(read, src_utf8.len(), "input buffer should be fully consumed");
-                // SAFETY: we trust that `encoding_rs` reports this number correctly, and truncate everything else.
-                #[allow(unsafe_code)]
-                unsafe {
-                    buf.set_len(written);
-                }
+                buf.truncate(written);
             }
             EncoderResult::OutputFull => {
                 unreachable!("we assure that the output buffer is big enough as per the encoder's estimate")

gix-pack/src/cache/delta/traverse/resolve.rs

@@ -122,7 +122,7 @@ where
             let (result_size, consumed) = data::delta::decode_header_size(&delta_bytes[consumed..]);
             header_ofs += consumed;
 
-            set_len(fully_resolved_delta_bytes, result_size as usize);
+            fully_resolved_delta_bytes.resize(result_size as usize, 0);
             data::delta::apply(&base_bytes, fully_resolved_delta_bytes, &delta_bytes[header_ofs..]);
 
             // FIXME: this actually invalidates the "pack_offset()" computation, which is not obvious to consumers
@@ -394,28 +394,13 @@ where
     })
 }
 
-fn set_len(v: &mut Vec<u8>, new_len: usize) {
-    if new_len > v.len() {
-        v.reserve_exact(new_len.saturating_sub(v.capacity()) + (v.capacity() - v.len()));
-        // SAFETY:
-        // 1. we have reserved enough capacity to fit `new_len`
-        // 2. the caller is trusted to write into `v` to completely fill `new_len`.
-        #[allow(unsafe_code, clippy::uninit_vec)]
-        unsafe {
-            v.set_len(new_len);
-        }
-    } else {
-        v.truncate(new_len)
-    }
-}
-
 fn decompress_all_at_once_with(
     inflate: &mut zlib::Inflate,
     b: &[u8],
     decompressed_len: usize,
     out: &mut Vec<u8>,
 ) -> Result<(), Error> {
-    set_len(out, decompressed_len);
+    out.resize(decompressed_len, 0);
     inflate.reset();
     inflate.once(b, out).map_err(|err| Error::ZlibInflate {
         source: err,

gix-worktree-stream/src/protocol.rs

@@ -126,13 +126,5 @@ fn mode_to_byte(m: gix_object::tree::EntryMode) -> u8 {
 
 fn clear_and_set_len(buf: &mut Vec<u8>, len: usize) {
     buf.clear();
-    if buf.capacity() < len {
-        buf.reserve(len);
-        assert!(buf.capacity() >= len, "{} >= {}", buf.capacity(), len);
-    }
-    // SAFETY: we just assured that `buf` has the right capacity to hold `cap`
-    #[allow(unsafe_code)]
-    unsafe {
-        buf.set_len(len);
-    }
+    buf.resize(len, 0);
 }