
`bgzip::Block::load` allows user-provided `Read` on uninitialized buffer

Hello 🦀, we (Rust group @sslab-gatech) found a memory-safety/soundness issue in this crate while scanning Rust code on crates.io for potential vulnerabilities.

Code relevant to the issue

https://gitlab.com/tprodanov/bam/-/blob/master/src/bgzip/mod.rs#L326-331

Issue#1

The `Block::load()` method increases the length of `self.compressed` (`self.compressed.set_len(block_size - HEADER_SIZE - MIN_EXTRA_SIZE)`) without reserving extra memory for `self.compressed`. The unclaimed memory is then written to by `stream.read_exact(&mut self.compressed)?`.

This can be a serious security issue if the unclaimed heap memory is already in use by another allocation.

Issue#2

The `Block::load()` method creates an uninitialized buffer (`self.compressed.set_len(block_size - HEADER_SIZE - MIN_EXTRA_SIZE)`) and passes it to a user-provided `Read` implementation (`stream.read_exact(&mut self.compressed)?`). This is unsound, because it allows safe Rust code to exhibit undefined behavior (reading from uninitialized memory).

This part from the Read trait documentation explains the issue:

It is your responsibility to make sure that `buf` is initialized before calling `read`. Calling `read` with an uninitialized `buf` (of the kind one obtains via `MaybeUninit<T>`) is not safe, and can lead to undefined behavior.

Thank you for checking out this issue 👍
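As an added illustration (not code from the `bam` crate or from the reporters), the following stand-in `Block::load` replaces the `set_len` pattern described in both issues with `resize`, which reserves capacity and zero-initializes the bytes before any caller-provided `Read` sees them. The `HEADER_SIZE`/`MIN_EXTRA_SIZE` values, the `Block` struct and the `InspectingReader` are assumptions made for this example.

```rust
use std::io::{self, Read};

// Assumed sizes for this example; the real constants live in the crate.
const HEADER_SIZE: usize = 12;
const MIN_EXTRA_SIZE: usize = 6;

/// Minimal stand-in for the crate's Block: only the compressed-data buffer.
struct Block {
    compressed: Vec<u8>,
}

impl Block {
    /// Sound replacement for the reported pattern: `resize` both reserves
    /// capacity (Issue#1) and zero-fills every byte (Issue#2) before the
    /// caller-provided `Read` is handed the slice; `read_exact` then fills it.
    fn load<R: Read>(&mut self, stream: &mut R, block_size: usize) -> io::Result<()> {
        let payload_len = block_size
            .checked_sub(HEADER_SIZE + MIN_EXTRA_SIZE)
            .ok_or_else(|| io::Error::new(io::ErrorKind::InvalidData, "block too small"))?;
        self.compressed.clear();
        self.compressed.resize(payload_len, 0);
        stream.read_exact(&mut self.compressed)
    }
}

/// A `Read` impl that inspects the buffer before filling it. Against an
/// uninitialized buffer that inspection would be UB; with the sound `load`
/// it only ever observes zeros.
struct InspectingReader {
    data: Vec<u8>,
    saw_nonzero: bool,
}

impl Read for InspectingReader {
    fn read(&mut self, buf: &mut [u8]) -> io::Result<usize> {
        self.saw_nonzero |= buf.iter().any(|&b| b != 0);
        let n = buf.len().min(self.data.len());
        buf[..n].copy_from_slice(&self.data[..n]);
        self.data.drain(..n);
        Ok(n)
    }
}

/// Loads one constructed 4-byte payload; returns (payload, reader saw garbage).
fn demo() -> io::Result<(Vec<u8>, bool)> {
    let block_size = HEADER_SIZE + MIN_EXTRA_SIZE + 4;
    let mut reader = InspectingReader { data: vec![0xAA, 0xBB, 0xCC, 0xDD], saw_nonzero: false };
    let mut block = Block { compressed: Vec::new() };
    block.load(&mut reader, block_size)?;
    Ok((block.compressed, reader.saw_nonzero))
}
```

A `block_size` smaller than the fixed header and extra fields is rejected before any allocation, which the original subtraction would have turned into an underflow.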

Edited by Youngsuk Kim