PT-2026-47162 · Crates.Io · Oneringbuf

Published: 2026-05-27 · Updated: 2026-05-27

No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.

Affected versions of oneringbuf exposed the obsolete IntoRef::into_ref method through the public IntoRef trait. For heap-backed ring buffers, this method returned a DroppableRef handle.
DroppableRef stored an owning raw pointer created from Box::into_raw. Its Clone implementation copied this raw pointer without incrementing the internal alive_iters counter. Internally, this clone pattern appears to rely on a fixed number of handles being created to match the initial alive_iters value. However, exposing DroppableRef through the public IntoRef::TargetRef associated type allows safe external code to create additional clones beyond that fixed count, breaking the lifetime protocol. Drop later dereferenced the pointer and could free the backing allocation with Box::from_raw.
Safe code could call IntoRef::into_ref to obtain a DroppableRef and then clone it. Each clone pointed to the same allocation, but the internal alive_iters counter was not increased. As a result, one clone could free the allocation while another clone still existed. Dropping the remaining clone then accessed freed memory, causing a heap-use-after-free.
The issue was fixed in version 0.8.0 by removing the obsolete into_ref method.

Trigger

use oneringbuf::{IntoRef, LocalHeapRB};

fn main() {
  let rb = LocalHeapRB::<usize>::from(vec![1, 2, 3]);

  let r = <LocalHeapRB<usize> as IntoRef>::into_ref(rb);
  let r2 = r.clone();
  let r3 = r.clone();

  drop(r);
  drop(r2);
  drop(r3); // AddressSanitizer: heap-use-after-free
}
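
An added example, not code from oneringbuf or from this advisory: a single-threaded model of the same raw-pointer handle pattern in which Clone increments the live-handle counter, so only the last drop releases the allocation. CountedRef, Shared, FREES and frees_after_each_drop are hypothetical names; the actual 0.8.0 fix removed into_ref rather than changing Clone.

```rust
use std::cell::Cell;
use std::sync::atomic::{AtomicUsize, Ordering};
// Constructed for this example: counts releases of the backing allocation.
pub static FREES: AtomicUsize = AtomicUsize::new(0);
struct Shared { data: Vec<usize>, alive: Cell<usize> } // alive: live handles
impl Drop for Shared { fn drop(&mut self) { FREES.fetch_add(1, Ordering::SeqCst); } }

// Hypothetical handle owning a raw pointer made with Box::into_raw.
pub struct CountedRef { ptr: *mut Shared }
impl CountedRef {
    pub fn new(data: Vec<usize>) -> Self {
        let shared = Box::new(Shared { data, alive: Cell::new(1) });
        CountedRef { ptr: Box::into_raw(shared) }
    }
    // Sound while `self` exists: a live handle keeps `alive` above zero.
    fn shared(&self) -> &Shared { unsafe { &*self.ptr } }
    pub fn len(&self) -> usize { self.shared().data.len() }
}

impl Clone for CountedRef {
    fn clone(&self) -> Self {
        let alive = &self.shared().alive;
        alive.set(alive.get() + 1); // count the new handle before sharing ptr
        CountedRef { ptr: self.ptr }
    }
}

impl Drop for CountedRef {
    fn drop(&mut self) {
        let alive = &self.shared().alive;
        alive.set(alive.get() - 1);
        if alive.get() == 0 { // last handle: reclaim the Box exactly once
            drop(unsafe { Box::from_raw(self.ptr) });
        }
    }
}

// Drops three handles in turn; returns the free count seen after each drop.
pub fn frees_after_each_drop() -> Vec<usize> {
    let base = FREES.load(Ordering::SeqCst);
    let r = CountedRef::new(vec![1, 2, 3]);
    vec![r.clone(), r.clone(), r].into_iter().map(|h| {
        assert_eq!(h.len(), 3); // still readable: no earlier drop freed it
        drop(h);
        FREES.load(Ordering::SeqCst) - base
    }).collect()
}

fn main() { println!("{:?}", frees_after_each_drop()); }
```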

Related Identifiers

RUSTSEC-2026-0152

Affected Products

Oneringbuf