Unsafe string unpacking causes segmentation fault

[ikirill]

MsgPack v1.2.0

julia> using MsgPack

julia> unpack(UInt8[0xdb, 0x05, 'a', 'b', 'c', 'd', 'e'])

[754821] signal (11.2): Segmentation fault
in expression starting at REPL[2]:1
__memcpy_sse2_unaligned_erms at /lib64/libc.so.6 (unknown line)
ijl_pchar_to_string at /cache/build/default-amdci5-2/julialang/julia-release-1-dot-9/src/array.c:523
unsafe_string at ./strings/string.jl:81 [inlined]
from_msgpack at /home/kirill/.julia/packages/MsgPack/AnkMB/src/types.jl:437 [inlined]
_unpack_string at /home/kirill/.julia/packages/MsgPack/AnkMB/src/unpack.jl:353
unpack_format at /home/kirill/.julia/packages/MsgPack/AnkMB/src/unpack.jl:341 [inlined]
#_unpack_any#10 at /home/kirill/.julia/packages/MsgPack/AnkMB/src/unpack.jl:83
_unpack_any at /home/kirill/.julia/packages/MsgPack/AnkMB/src/unpack.jl:49
unknown function (ip: 0x7f8ce8165f8a)
_jl_invoke at /cache/build/default-amdci5-2/julialang/julia-release-1-dot-9/src/gf.c:2758 [inlined]
ijl_apply_generic at /cache/build/default-amdci5-2/julialang/julia-release-1-dot-9/src/gf.c:2940
#unpack_type#9 at /home/kirill/.julia/packages/MsgPack/AnkMB/src/unpack.jl:47
unknown function (ip: 0x7f8ce8163060)
unpack_type at /home/kirill/.julia/packages/MsgPack/AnkMB/src/unpack.jl:47 [inlined]
#unpack#7 at /home/kirill/.julia/packages/MsgPack/AnkMB/src/unpack.jl:32 [inlined]
unpack at /home/kirill/.julia/packages/MsgPack/AnkMB/src/unpack.jl:32 [inlined]
#unpack#6 at /home/kirill/.julia/packages/MsgPack/AnkMB/src/unpack.jl:8 [inlined]
unpack at /home/kirill/.julia/packages/MsgPack/AnkMB/src/unpack.jl:8 [inlined]
#unpack#5 at /home/kirill/.julia/packages/MsgPack/AnkMB/src/unpack.jl:1 [inlined]
unpack at /home/kirill/.julia/packages/MsgPack/AnkMB/src/unpack.jl:1
unknown function (ip: 0x7f8ce8162fc2)
_jl_invoke at /cache/build/default-amdci5-2/julialang/julia-release-1-dot-9/src/gf.c:2758 [inlined]
ijl_apply_generic at /cache/build/default-amdci5-2/julialang/julia-release-1-dot-9/src/gf.c:2940
jl_apply at /cache/build/default-amdci5-2/julialang/julia-release-1-dot-9/src/julia.h:1879 [inlined]
do_call at /cache/build/default-amdci5-2/julialang/julia-release-1-dot-9/src/interpreter.c:126
eval_value at /cache/build/default-amdci5-2/julialang/julia-release-1-dot-9/src/interpreter.c:226
eval_stmt_value at /cache/build/default-amdci5-2/julialang/julia-release-1-dot-9/src/interpreter.c:177 [inlined]
eval_body at /cache/build/default-amdci5-2/julialang/julia-release-1-dot-9/src/interpreter.c:624

julia> versioninfo()
Julia Version 1.9.2
Commit e4ee485e909 (2023-07-05 09:39 UTC)
Platform Info:
  OS: Linux (x86_64-linux-gnu)
  CPU: 16 × AMD Ryzen 7 3700X 8-Core Processor
  WORD_SIZE: 64
  LIBM: libopenlibm
  LLVM: libLLVM-14.0.6 (ORCJIT, znver2)
  Threads: 16 on 16 virtual cores
Environment:
  JULIA_NUM_THREADS = auto

[ararslan]

I have two different things that both seem to fix it, but in both cases the answers they produce are different in each Julia session, so I have no idea which (if either) is right.

First

diff --git a/src/unpack.jl b/src/unpack.jl
index 5875842..8e7dfb5 100644
--- a/src/unpack.jl
+++ b/src/unpack.jl
@@ -357,7 +357,7 @@ _unpack_string(io, n, ::Type{T}) where {T<:Skip} = (skip(io, n); T())
 # this package, this trick can be traced back to Jacob Quinn's magnificent
 # JSON3.jl!
 function _unpack_string(io::Base.GenericIOBuffer, n, ::Type{T}) where {T}
-    result = from_msgpack(T, PointerString(pointer(io.data, io.ptr), n))
+    result = from_msgpack(T, GC.@preserve io PointerString(pointer(io.data, io.ptr), n))
     skip(io, n)
     return result
 end

Second

diff --git a/src/types.jl b/src/types.jl
index bcd0ca2..69143a9 100644
--- a/src/types.jl
+++ b/src/types.jl
@@ -423,7 +423,7 @@ from_msgpack(::Type{T}, x) where {T<:Skip} = T()
 ##### `PointerString`
 #####

-struct PointerString
+mutable struct PointerString
     ptr::Ptr{UInt8}
     len::UInt64
 end