(140288075) Use-after-free in Swift implementation of NSData (#1108)

phausler · web-flow · commit 2162fc936bc3 · 2025-01-02T09:56:06.000-08:00
diff --git a/Sources/FoundationEssentials/Data/Data.swift b/Sources/FoundationEssentials/Data/Data.swift
@@ -209,9 +209,41 @@ internal final class __DataStorage : @unchecked Sendable {
         return _bytes?.advanced(by: -_offset)
     }
 
+    @inlinable
+    static var copyWillRetainMask: Int {
+#if _pointerBitWidth(_64)
+        return Int(bitPattern: 0x8000000000000000)
+#elseif _pointerBitWidth(_32)
+        return Int(bitPattern: 0x80000000)
+#endif
+    }
+    
+    @inlinable
+    static var capacityMask: Int {
+#if _pointerBitWidth(_64)
+        return Int(bitPattern: 0x7FFFFFFFFFFFFFFF)
+#elseif _pointerBitWidth(_32)
+        return Int(bitPattern: 0x7FFFFFFF)
+#endif
+    }
+    
     @inlinable // This is @inlinable as trivially computable.
     var capacity: Int {
-        return _capacity
+        return _capacity & __DataStorage.capacityMask
+    }
+    
+    @inlinable
+    var _copyWillRetain: Bool {
+        get {
+            return _capacity & __DataStorage.copyWillRetainMask == 0
+        }
+        set {
+            if !newValue {
+                _capacity |= __DataStorage.copyWillRetainMask
+            } else {
+                _capacity &= __DataStorage.capacityMask
+            }
+        }
     }
 
     @inlinable // This is @inlinable as trivially computable.
@@ -355,7 +387,7 @@ internal final class __DataStorage : @unchecked Sendable {
     func setLength(_ length: Int) {
         let origLength = _length
         let newLength = length
-        if _capacity < newLength || _bytes == nil {
+        if capacity < newLength || _bytes == nil {
             ensureUniqueBufferReference(growingTo: newLength, clear: true)
         } else if origLength < newLength && _needToZero {
             _ = memset(_bytes! + origLength, 0, newLength - origLength)
@@ -370,7 +402,7 @@ internal final class __DataStorage : @unchecked Sendable {
         precondition(length >= 0, "Length of appending bytes must not be negative")
         let origLength = _length
         let newLength = origLength + length
-        if _capacity < newLength || _bytes == nil {
+        if capacity < newLength || _bytes == nil {
             ensureUniqueBufferReference(growingTo: newLength, clear: false)
         }
         _length = newLength
@@ -437,7 +469,7 @@ internal final class __DataStorage : @unchecked Sendable {
         let range = range_.lowerBound - _offset ..< range_.upperBound - _offset
         if range.upperBound - range.lowerBound == 0 { return }
         if _length < range.upperBound {
-            if _capacity <= range.upperBound {
+            if capacity <= range.upperBound {
                 ensureUniqueBufferReference(growingTo: range.upperBound, clear: false)
             }
             _length = range.upperBound
@@ -1962,7 +1994,17 @@ public struct Data : Equatable, Hashable, RandomAccessCollection, MutableCollect
             deallocator._deallocator(bytes, count)
             _representation = .empty
         } else {
-            _representation = _Representation(__DataStorage(bytes: bytes, length: count, copy: false, deallocator: whichDeallocator, offset: 0), count: count)
+            let storage = __DataStorage(bytes: bytes, length: count, copy: false, deallocator: whichDeallocator, offset: 0)
+            switch deallocator {
+            // technically .custom can potential cause this too but there is a potential chance this is expected behavior
+            // commented out for now... revisit later
+            // case .custom: fallthrough
+            case .none:
+                storage._copyWillRetain = false
+            default:
+                break
+            }
+            _representation = _Representation(storage, count: count)
         }
     }
 
diff --git a/Tests/FoundationEssentialsTests/DataTests.swift b/Tests/FoundationEssentialsTests/DataTests.swift
@@ -1887,3 +1887,29 @@ extension DataTests {
     }
 }
 #endif // FOUNDATION_FRAMEWORK
+
+#if FOUNDATION_FRAMEWORK // Bridging is not available in the FoundationPreview package
+extension DataTests {
+    func test_noCustomDealloc_bridge() {
+        let bytes = UnsafeMutableRawBufferPointer.allocate(byteCount: 1024, alignment: MemoryLayout<AnyObject>.alignment)
+        
+        let data: Data = Data(bytesNoCopy: bytes.baseAddress!, count: bytes.count, deallocator: .free)
+        let copy = data._bridgeToObjectiveC().copy() as! NSData
+        data.withUnsafeBytes { buffer in
+            XCTAssertEqual(buffer.baseAddress, copy.bytes)
+        }
+    }
+    
+    func test_noCopy_uaf_bridge() {
+        // this can only really be tested (modulo ASAN) via comparison of the pointer address of the storage.
+        let bytes = UnsafeMutableRawBufferPointer.allocate(byteCount: 1024, alignment: MemoryLayout<AnyObject>.alignment)
+        
+        let data: Data = Data(bytesNoCopy: bytes.baseAddress!, count: bytes.count, deallocator: .none)
+        let copy = data._bridgeToObjectiveC().copy() as! NSData
+        data.withUnsafeBytes { buffer in
+            XCTAssertNotEqual(buffer.baseAddress, copy.bytes)
+        }
+        bytes.deallocate()
+    }
+}
+#endif
