Variant bounds check.

finnbear · finnbear · commit 2047753287db · 2025-08-25T09:21:45.000-07:00
diff --git a/src/derive/variant.rs b/src/derive/variant.rs
@@ -1,4 +1,5 @@
 use crate::coder::{Buffer, Decoder, Encoder, Result, View};
+use crate::error::err;
 use crate::fast::{CowSlice, NextUnchecked, PushUnchecked, VecImpl};
 use crate::pack::{pack_bytes_less_than, unpack_bytes_less_than};
 use crate::pack_ints::{pack_ints, unpack_ints, Int};
@@ -54,13 +55,19 @@ impl<'a, T: Int, const N: usize> VariantDecoder<'a, T, N, false> {
     }
 }
 
-impl<'a, T: Int, const N: usize, const C_STYLE: bool> View<'a>
+impl<'a, T: Int + Into<usize>, const N: usize, const C_STYLE: bool> View<'a>
     for VariantDecoder<'a, T, N, C_STYLE>
 {
     fn populate(&mut self, input: &mut &'a [u8], length: usize) -> Result<()> {
         assert!(N >= 2);
         if TypeId::of::<T>() != TypeId::of::<u8>() {
             unpack_ints::<T>(input, length, &mut self.variants)?;
+            // TOOD: this uses extra memory bandwith to rescan.
+            for int in unsafe { self.variants.as_slice(length) } {
+                if T::from_unaligned(*int).into() >= N {
+                    return err("invalid enum variant index");
+                }
+            }
         } else {
             // SAFETY: Checked the type above and [u8; 1] has the
             // same memory layout as `u8`.
@@ -79,7 +86,7 @@ impl<'a, T: Int, const N: usize, const C_STYLE: bool> View<'a>
     }
 }
 
-impl<'a, T: Int, const N: usize, const C_STYLE: bool> Decoder<'a, T>
+impl<'a, T: Int + Into<usize>, const N: usize, const C_STYLE: bool> Decoder<'a, T>
     for VariantDecoder<'a, T, N, C_STYLE>
 {
     // Guaranteed to output numbers less than N.

Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,5 @@`
`1`	`1`	`use crate::coder::{Buffer, Decoder, Encoder, Result, View};`
	`2`	`+use crate::error::err;`
`2`	`3`	`use crate::fast::{CowSlice, NextUnchecked, PushUnchecked, VecImpl};`
`3`	`4`	`use crate::pack::{pack_bytes_less_than, unpack_bytes_less_than};`
`4`	`5`	`use crate::pack_ints::{pack_ints, unpack_ints, Int};`
`@@ -54,13 +55,19 @@ impl<'a, T: Int, const N: usize> VariantDecoder<'a, T, N, false> {`
`54`	`55`	`}`
`55`	`56`	`}`
`56`	`57`
`57`		`-impl<'a, T: Int, const N: usize, const C_STYLE: bool> View<'a>`
	`58`	`+impl<'a, T: Int + Into<usize>, const N: usize, const C_STYLE: bool> View<'a>`
`58`	`59`	`for VariantDecoder<'a, T, N, C_STYLE>`
`59`	`60`	`{`
`60`	`61`	`fn populate(&mut self, input: &mut &'a [u8], length: usize) -> Result<()> {`
`61`	`62`	`assert!(N >= 2);`
`62`	`63`	`if TypeId::of::<T>() != TypeId::of::<u8>() {`
`63`	`64`	`unpack_ints::<T>(input, length, &mut self.variants)?;`
	`65`	`+ // TOOD: this uses extra memory bandwith to rescan.`
	`66`	`+ for int in unsafe { self.variants.as_slice(length) } {`
	`67`	`+ if T::from_unaligned(*int).into() >= N {`
	`68`	`+ return err("invalid enum variant index");`
	`69`	`+ }`
	`70`	`+ }`
`64`	`71`	`} else {`
`65`	`72`	`// SAFETY: Checked the type above and [u8; 1] has the`
`66`	`73`	// same memory layout as `u8`.
`@@ -79,7 +86,7 @@ impl<'a, T: Int, const N: usize, const C_STYLE: bool> View<'a>`
`79`	`86`	`}`
`80`	`87`	`}`
`81`	`88`
`82`		`-impl<'a, T: Int, const N: usize, const C_STYLE: bool> Decoder<'a, T>`
	`89`	`+impl<'a, T: Int + Into<usize>, const N: usize, const C_STYLE: bool> Decoder<'a, T>`
`83`	`90`	`for VariantDecoder<'a, T, N, C_STYLE>`
`84`	`91`	`{`
`85`	`92`	`// Guaranteed to output numbers less than N.`