Soundness Bug in this crate

[lewismosciski]

Hi there!

We scanned the most popular libraries on crates.io and found some memory safety bugs in this library.

eat_byte can drive an unsafe slice operation on &str without enforcing UTF-8 boundary requirements.

PoC

use swc_common::input::{Input, StringInput};
use swc_common::BytePos;

fn main() {
    let s = "é";

    let start = BytePos(0);
    let end = BytePos(s.len() as u32);

    let mut input = StringInput::new(s, start, end);

    let first_byte = s.as_bytes()[0];
    assert!(input.eat_byte(first_byte));
    let _ = input.cur_as_char();
}

Miri Output

error: Undefined Behavior: entering unreachable code
  --> /home/ccuu/.rustup/toolchains/nightly-2025-10-09-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/core/src/str/validations.rs:48:23
   |
48 |     let y = unsafe { *bytes.next().unwrap_unchecked() };
   |                       ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Undefined Behavior occurred here
   |
   = help: this indicates a bug in the program: it performed an invalid operation, and caused Undefined Behavior
   = help: see https://doc.rust-lang.org/nightly/reference/behavior-considered-undefined.html for further information
   = note: BACKTRACE:
   = note: inside `core::str::validations::next_code_point::<'_, std::slice::Iter<'_, u8>>` at /home/ccuu/.rustup/toolchains/nightly-2025-10-09-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/core/src/str/validations.rs:48:23: 48:54
   = note: inside `<std::str::Chars<'_> as std::iter::Iterator>::next` at /home/ccuu/.rustup/toolchains/nightly-2025-10-09-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/core/src/str/iter.rs:42:18: 42:49
   = note: inside `<swc_common::input::StringInput<'_> as swc_common::input::Input<'_>>::cur_as_char` at /home/ccuu/Desktop/llm-detector/experiments/cache/crates_src/swc_common/19.0.0/swc_common-19.0.0/src/input.rs:126:9: 126:38
note: inside `main`
  --> src/main.rs:23:13
   |
23 |     let _ = input.cur_as_char(); // UB: `chars()` assumes valid UTF-8.
   |             ^^^^^^^^^^^^^^^^^^^

note: some details are omitted, run with `MIRIFLAGS=-Zmiri-backtrace=full` for a verbose backtrace

error: aborting due to 1 previous error

[kdy1]

@claude Fix it by making eat_byte unsafe

[claude]

Claude finished @kdy1's task in 16m 8s —— View job • claude/issue-11719-20260320-1545 • Create PR ➔

---

Making eat_byte unsafe to fix soundness bug

• Read current eat_byte implementation and Input trait
• Make eat_byte unsafe in the trait and StringInput impl
• Update all callers to use unsafe blocks (4 crates: swc_common, swc_ecma_lexer, swc_ecma_parser, swc_es_parser)
• Run cargo fmt and cargo clippy — passes for all modified crates
• Run tests for affected crates — all pass
• Commit and push

Made Input::eat_byte an unsafe fn with a safety doc requiring c <= 0x7F (ASCII). All existing call sites already pass ASCII byte literals, so they just needed unsafe blocks with safety comments.

|