read on uninitialized buffer may cause UB (bite::read::BiteReadExpandedExt::read_framed_max)

[JOE1994]

Hello 🦀 ,
we (Rust group @sslab-gatech) found a memory-safety/soundness issue in this crate while scanning Rust code on crates.io for potential vulnerabilities.

Issue Description

fn read_framed_max<T: Endianness>(&mut self, maximum: usize) -> Result<Vec<u8>, std::io::Error> {
    let length = match self.read_u32::<T>()? as usize {
        x if x <= maximum => x,
        _                 => return Err(std::io::ErrorKind::InvalidData.into()),
    };

    unsafe {
        let mut data = Vec::with_capacity(length);
        let slice    = std::slice::from_raw_parts_mut(data.as_mut_ptr(), length);

        self.read_exact(slice)?;
        data.set_len(length);

        Ok(data)
    }
}

bite::read::BiteReadExpandedExt::read_framed_max() method creates an uninitialized buffer and passes it to user-provided Read implementation. This is unsound, because it allows safe Rust code to exhibit an undefined behavior (read from uninitialized memory).

This part from the Read trait documentation explains the issue:

It is your responsibility to make sure that buf is initialized before calling read. Calling read with an uninitialized buf (of the kind one obtains via MaybeUninit<T>) is not safe, and can lead to undefined behavior.

Thank you for checking out this issue 👍