Fix enum_map! safety with incorrect Enum implementations

KamilaBorowska · KamilaBorowska · commit b824e232f2fb · 2022-02-17T22:19:40.000+01:00
diff --git a/enum-map/src/internal.rs b/enum-map/src/internal.rs
@@ -29,15 +29,20 @@ pub trait EnumArray<V>: Enum {
 /// Array for enum-map storage.
 ///
 /// This trait is inteded for primitive array types (with fixed length).
-pub trait Array<V> {
+pub unsafe trait Array<V> {
+    // This is necessary duplication because the length in Enum trait can be
+    // provided by user and may not be trustworthy for unsafe code.
+    const LENGTH: usize;
+
     /// Coerces a reference to the array into a reference to a slice.
     fn slice(&self) -> &[V];
 
     /// Coerces a mutable reference to the array into a mutable reference to a slice.
     fn slice_mut(&mut self) -> &mut [V];
 }
 
-impl<V, const N: usize> Array<V> for [V; N] {
+unsafe impl<V, const N: usize> Array<V> for [V; N] {
+    const LENGTH: usize = N;
     fn slice(&self) -> &[V] {
         self
     }
diff --git a/enum-map/src/lib.rs b/enum-map/src/lib.rs
@@ -80,7 +80,9 @@ where
     #[doc(hidden)]
     #[must_use]
     pub fn storage_length(_: &Self) -> usize {
-        K::LENGTH
+        // SAFETY: We need to use LENGTH from K::Array, as K::LENGTH is
+        // untrustworthy.
+        K::Array::LENGTH
     }
 
     #[doc(hidden)]
diff --git a/enum-map/tests/test.rs b/enum-map/tests/test.rs
@@ -523,3 +523,49 @@ fn map_panic() {
         v + " modified"
     });
 }
+
+macro_rules! make_enum_map_macro_safety_test {
+    ($a:tt $b:tt) => {
+        // This is misuse of an API, however we need to test that to ensure safety
+        // as we use unsafe code.
+        enum E {
+            A,
+            B,
+            C,
+        }
+
+        impl Enum for E {
+            const LENGTH: usize = $a;
+
+            fn from_usize(value: usize) -> E {
+                match value {
+                    0 => E::A,
+                    1 => E::B,
+                    2 => E::C,
+                    _ => unimplemented!(),
+                }
+            }
+
+            fn into_usize(self) -> usize {
+                self as usize
+            }
+        }
+
+        impl<V> EnumArray<V> for E {
+            type Array = [V; $b];
+        }
+
+        let map: EnumMap<E, String> = enum_map! { _ => "Hello, world!".into() };
+        map.into_iter();
+    };
+}
+
+#[test]
+fn enum_map_macro_safety_under() {
+    make_enum_map_macro_safety_test!(2 3);
+}
+
+#[test]
+fn enum_map_macro_safety_over() {
+    make_enum_map_macro_safety_test!(3 2);
+}
