GHSA-5gmm-6m36-r7jh

Source

https://github.com/advisories/GHSA-5gmm-6m36-r7jh

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/04/GHSA-5gmm-6m36-r7jh/GHSA-5gmm-6m36-r7jh.json

Aliases

• RUSTSEC-2023-0080

Published

2024-04-05T15:41:34Z

Modified

2024-04-11T16:41:43.507511Z

Details

Given the function transpose::transpose:

fn transpose<T: Copy>(input: &[T], output: &mut [T], input_width: usize, input_height: usize)

The safety check input_width * input_height == output.len() can fail due to input_width * input_height overflowing in such a way that it equals output.len(). As a result of failing the safety check, memory past the end of output is written to. This only occurs in release mode since * panics on overflow in debug mode.

Exploiting this issue requires the caller to pass input_width and input_height arguments such that multiplying them overflows, and the overflown result equals the lengths of input and output slices.

References

• https://github.com/ejmahler/transpose/issues/11
• https://github.com/ejmahler/transpose/commit/c4bcd39fabca9a31a401d0cc42d4090869b5a37a
• https://github.com/ejmahler/transpose
• https://rustsec.org/advisories/RUSTSEC-2023-0080.html