From 15567c98f1ed95da454674269d6d29853c4208df Mon Sep 17 00:00:00 2001
From: Linus Probert <linus.probert@gmail.com>
Date: Tue, 30 Mar 2021 20:20:18 +0200
Subject: [PATCH] Update DrainFilter.idx after calling DrainFilter.pred

Removes security issue where a panic! from DrainFilter.pred
would leave DrainFilter.idx incremented and risking a double drop.

Fixes: #90
---
 src/lib.rs | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/src/lib.rs b/src/lib.rs
index 7d4c598..ebc1eb9 100644
--- a/src/lib.rs
+++ b/src/lib.rs
@@ -3017,12 +3017,15 @@ where
         unsafe {
             while self.idx != self.old_len {
                 let i = self.idx;
-                self.idx += 1;
                 let v = slice::from_raw_parts_mut(
                     self.deq.as_mut_ptr(),
                     self.old_len,
                 );
-                if (self.pred)(&mut v[i]) {
+                let result = (self.pred)(&mut v[i]);
+                // Update self.idx after calling self.pred
+                // to prevent inconsistent state
+                self.idx += 1;
+                if result {
                     self.del += 1;
                     return Some(ptr::read(&v[i]));
                 } else if self.del > 0 {