
FFI_ArrowArrayStream + ArrowArrayStreamReader::try_new is technically unsound #10253

Description

@Manishearth

This is a minor technical unsoundness that is likely to never come up in real usage of this crate.

FFI_ArrowArrayStream has public fields, including raw pointer fields. They can be set to whatever you want in safe Rust code.

ArrowArrayStreamReader::try_new() takes one of these, and internally dereferences some of the pointers.

This means you can technically have UB if you fill an FFI_ArrowArrayStream with garbage and then pass it to ArrowArrayStreamReader::try_new().

In practice, nobody's going to do that; folks will be populating the FFI type over FFI (at which point it's no longer Rust's problem).

But perhaps ArrowArrayStreamReader::try_new() should be unsafe, or FFI_ArrowArrayStream should have private fields.

I don't think this is the only such type in the crate, but it's the first one that my agentic audit noticed.
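An added example, not code from arrow-rs or from the issue author, that models the pattern described above: a repr(C) stream struct with public callback and raw-pointer fields that safe Rust can fill with anything, a reader whose constructor is an `unsafe fn` with a stated contract (the hardening the issue proposes), and a constructed counter producer driven through it. `StreamModel`, `Reader`, `Counter` and `sum_stream` are assumed names, not arrow-rs identifiers.

```rust
use std::ffi::c_void;
// Constructed model of the pattern in the issue (not arrow-rs's FFI_ArrowArrayStream):
// a repr(C) struct whose callback and raw-pointer fields are public, so safe Rust can
// store any value in them.
#[repr(C)]
pub struct StreamModel {
    pub get_next: Option<unsafe extern "C" fn(*mut StreamModel, *mut i64) -> i32>,
    pub private_data: *mut c_void,
}
pub struct Reader { stream: StreamModel }
impl Reader {
    /// Hardened constructor: `unsafe fn` with a written contract. As a safe fn (the shape the
    /// issue describes) it would hand arbitrary pointers to the `unsafe` call in `next`. The
    /// null check rejects a zeroed struct but cannot detect a bogus non-null pointer, so the
    /// contract, not the check, carries the soundness argument.
    /// # Safety
    /// `get_next`, if `Some`, must be a valid function of the declared ABI, and
    /// `private_data` must be whatever that function expects.
    pub unsafe fn try_new(stream: StreamModel) -> Result<Reader, &'static str> {
        if stream.get_next.is_none() { return Err("stream has no get_next callback"); }
        Ok(Reader { stream })
    }
    pub fn next(&mut self) -> Option<i64> {
        let (mut out, get_next) = (0i64, self.stream.get_next.unwrap());
        // SAFETY: guaranteed by whoever called `try_new`.
        let rc = unsafe { get_next(&mut self.stream, &mut out) };
        if rc == 0 { Some(out) } else { None }
    }
}
// Constructed producer: a counter exposed through the same C-style callback.
struct Counter { next: i64, limit: i64 }
unsafe extern "C" fn counter_get_next(s: *mut StreamModel, out: *mut i64) -> i32 {
    // SAFETY: `private_data` was set by `sum_stream` to point at a live `Counter`.
    let c = unsafe { &mut *((*s).private_data as *mut Counter) };
    if c.next >= c.limit { return 1; }
    unsafe { *out = c.next };
    c.next += 1;
    0
}
/// Sums 0..limit through the reader; the `unsafe` block marks where the caller vouches for the stream.
pub fn sum_stream(limit: i64) -> i64 {
    let mut counter = Counter { next: 0, limit };
    let stream = StreamModel {
        get_next: Some(counter_get_next),
        private_data: &mut counter as *mut Counter as *mut c_void,
    };
    let mut r = unsafe { Reader::try_new(stream) }.expect("valid stream");
    std::iter::from_fn(|| r.next()).sum()
}
```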
