lexical is a popular crate with a lot of UB #1757

Closed
Shnatsel opened this issue Aug 24, 2023 · 5 comments · Fixed by #1763
Comments

@Shnatsel
Member

https://github.com/Alexhuszagh/rust-lexical/issues lists a large amount of soundness issues, and the crate has not been updated in over a year. It has 15,000 daily downloads. We should file an advisory for it.

@Nugine
Contributor

Nugine commented Aug 24, 2023

Is there any alternative?

@Shnatsel
Member Author

Shnatsel commented Aug 24, 2023

For floats: https://crates.io/crates/fast-float. External crates are no longer needed; a good algorithm was merged into libcore.

For integers:
https://crates.io/crates/atoi
https://crates.io/crates/btoi
They are not as fast, but at least they let you skip the UTF-8 check.

Note that I have not reviewed these crates for soundness.

There's also atoi_simd but I've tried fuzzing it and the fuzzer has discovered straight-up buffer overreads in under a minute, so it's even more broken than lexical. I'll file issues upstream about it shortly. Saethlin beat me to it: RoDmitry/atoi_simd#1
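As an added example (not code from this thread or from any of the crates it mentions), a minimal safe byte-slice integer parser of the kind atoi/btoi offer: it skips the UTF-8 check without any unsafe, so malformed or overflowing input returns None rather than reading out of bounds. Function names are my own.

```rust
// Safe decimal integer parsing straight from bytes. No unsafe, no UTF-8
// validation; every bad input path ends in None, never in UB.

/// Parse an optionally signed decimal i64 from raw bytes.
/// Returns None on empty input, non-digit bytes, or overflow.
pub fn parse_i64(bytes: &[u8]) -> Option<i64> {
    let (negative, digits) = match bytes {
        [b'-', rest @ ..] => (true, rest),
        [b'+', rest @ ..] => (false, rest),
        _ => (false, bytes),
    };
    if digits.is_empty() {
        return None;
    }
    // Accumulate as a negative number so that i64::MIN is representable.
    let mut acc: i64 = 0;
    for &b in digits {
        let d = match b {
            b'0'..=b'9' => (b - b'0') as i64,
            _ => return None,
        };
        acc = acc.checked_mul(10)?.checked_sub(d)?;
    }
    if negative { Some(acc) } else { acc.checked_neg() }
}

/// Parse an unsigned decimal u64; no sign is accepted.
pub fn parse_u64(bytes: &[u8]) -> Option<u64> {
    if bytes.is_empty() {
        return None;
    }
    let mut acc: u64 = 0;
    for &b in bytes {
        let d = match b {
            b'0'..=b'9' => (b - b'0') as u64,
            _ => return None,
        };
        acc = acc.checked_mul(10)?.checked_add(d)?;
    }
    Some(acc)
}

/// Differential check against core's parser: usable as a fuzz-target body,
/// which is the kind of test that surfaced the atoi_simd overreads above.
pub fn agrees_with_core(bytes: &[u8]) -> bool {
    let ours = parse_i64(bytes);
    let core = core::str::from_utf8(bytes).ok().and_then(|s| s.parse::<i64>().ok());
    ours == core
}

fn main() {
    println!("{:?} {:?}", parse_i64(b"-9223372036854775808"), parse_i64(b"12a"));
}
```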

@Shnatsel
Member Author

And there's also https://crates.io/crates/minimal-lexical, but that also needs to be carefully checked for soundness.

@saethlin
Contributor

fast-float is also not in the best shape; it has a soundness issue. A fix was merged 2 years ago and never released: aldanor/fast-float-rust#28

But I'm pretty sure I've seen the author around, so they can probably be encouraged to cut a new release.

@dtolnay
Contributor

dtolnay commented Aug 25, 2023

Not necessarily broadly applicable as an alternative, but serde_json contains a vendored fork of minimal-lexical from which I stripped the unsafe code. Someone should feel free to extract this to a new crate if it's an easier starting point than current minimal-lexical. https://github.com/serde-rs/json/tree/v1.0.105/src/lexical

markschl pushed a commit to markschl/seqtool that referenced this issue Jun 1, 2024
For float parsing, we still stay with rust-lexical despite
problems (rustsec/advisory-db#1757).
Still not sure about which alternative to use for float
parsing from byte slices and for pretty-printing floats