GHSA-5gmm-6m36-r7jh
Suggest an improvement- Source
- https://github.com/advisories/GHSA-5gmm-6m36-r7jh
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/04/GHSA-5gmm-6m36-r7jh/GHSA-5gmm-6m36-r7jh.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-5gmm-6m36-r7jh
- Aliases
- Published
- 2024-04-05T15:41:34Z
- Modified
- 2024-04-11T16:41:43.507511Z
- Severity
-
- 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- transpose: Buffer overflow due to integer overflow
- Details
-
Given the function
transpose::transpose:fn transpose<T: Copy>(input: &[T], output: &mut [T], input_width: usize, input_height: usize)The safety check
input_width * input_height == output.len()can fail due toinput_width * input_heightoverflowing in such a way that it equalsoutput.len(). As a result of failing the safety check, memory past the end ofoutputis written to. This only occurs in release mode since*panics on overflow in debug mode.Exploiting this issue requires the caller to pass
input_widthandinput_heightarguments such that multiplying them overflows, and the overflown result equals the lengths of input and output slices. - Database specific
{ "github_reviewed_at": "2024-04-05T15:41:34Z", "severity": "CRITICAL", "cwe_ids": [ "CWE-120", "CWE-190" ], "github_reviewed": true, "nvd_published_at": null }- References
Affected packages
crates.io / transpose
Package
- Name
- transpose
- View open source insights on deps.dev
- Purl
- pkg:cargo/transpose