Workaround for mem safety in third party dlls

Author: ChrisDenton

library/std/src/sys/fs/windows/remove_dir_all.rs

@@ -74,7 +74,7 @@ unsafe fn nt_open_file(
 /// `options` will be OR'd with `FILE_OPEN_REPARSE_POINT`.
 fn open_link_no_reparse(
     parent: &File,
-    path: &[u16],
+    path: &UnicodeStringNZ,
     access: u32,
     options: u32,
 ) -> Result<Option<File>, WinError> {
@@ -90,7 +90,7 @@ fn open_link_no_reparse(
     static ATTRIBUTES: Atomic<u32> = AtomicU32::new(c::OBJ_DONT_REPARSE);
 
     let result = unsafe {
-        let mut path_str = c::UNICODE_STRING::from_ref(path);
+        let mut path_str = path.as_unicode_string();
         let mut object = c::OBJECT_ATTRIBUTES {
             ObjectName: &mut path_str,
             RootDirectory: parent.as_raw_handle(),
@@ -129,7 +129,7 @@ fn open_link_no_reparse(
     }
 }
 
-fn open_dir(parent: &File, name: &[u16]) -> Result<Option<File>, WinError> {
+fn open_dir(parent: &File, name: &UnicodeStringNZ) -> Result<Option<File>, WinError> {
     // Open the directory for synchronous directory listing.
     open_link_no_reparse(
         parent,
@@ -140,7 +140,7 @@ fn open_dir(parent: &File, name: &[u16]) -> Result<Option<File>, WinError> {
     )
 }
 
-fn delete(parent: &File, name: &[u16]) -> Result<(), WinError> {
+fn delete(parent: &File, name: &UnicodeStringNZ) -> Result<(), WinError> {
     // Note that the `delete` function consumes the opened file to ensure it's
     // dropped immediately. See module comments for why this is important.
     match open_link_no_reparse(parent, name, c::DELETE, 0) {
@@ -171,14 +171,49 @@ fn retry<T: PartialEq>(
     }
 }
 
+/// A UNICODE_STRING that's guarenteed to have null after the end of the string.
+///
+/// Mitigation for #143078.
+/// It does not prevent interior nulls but ensures any software intercepting Windows API calls
+/// and assuming null-termination will at least not have a memory safety issue.
+struct UnicodeStringNZ {
+    s: Vec<u16>,
+}
+impl UnicodeStringNZ {
+    pub fn new() -> Self {
+        // This should be large enough to prevent reallocation because filenames
+        // are by convention limited to 255 u16s.
+        let mut s = Vec::with_capacity(256);
+        s.push(0);
+        Self { s }
+    }
+
+    pub fn as_unicode_string(&self) -> c::UNICODE_STRING {
+        let mut u = c::UNICODE_STRING::from_ref(&self.s);
+        // truncate the length to before the null
+        // note: the length is in bytes and is not a count of u16s.
+        u.Length -= 2;
+        u
+    }
+
+    pub fn set(&mut self, s: &[u16]) -> &Self {
+        self.s.truncate(0);
+        self.s.extend_from_slice(s);
+        self.s.push(0);
+        self
+    }
+}
+
 pub fn remove_dir_all_iterative(dir: File) -> Result<(), WinError> {
     let mut buffer = DirBuff::new();
     let mut dirlist = vec![dir];
+    let mut string_buffer = UnicodeStringNZ::new();
 
     let mut restart = true;
     'outer: while let Some(dir) = dirlist.pop() {
         let more_data = dir.fill_dir_buff(&mut buffer, restart)?;
         for (name, is_directory) in buffer.iter() {
+            let name = string_buffer.set(&name);
             if is_directory {
                 let Some(subdir) = open_dir(&dir, &name)? else { continue };
                 dirlist.push(dir);
@@ -197,7 +232,8 @@ pub fn remove_dir_all_iterative(dir: File) -> Result<(), WinError> {
         } else {
             // Attempt to delete, retrying on not empty errors because we may
             // need to wait some time for files to be removed from the filesystem.
-            retry(|| delete(&dir, &[]), WinError::DIR_NOT_EMPTY)?;
+            let name = string_buffer.set(&[]);
+            retry(|| delete(&dir, name), WinError::DIR_NOT_EMPTY)?;
             restart = true;
         }
     }