StackVec::extend used the lower and upper bounds from an Iterator's size_hint to determine how many items to push into the stack-based vector. If the size_hint implementation returned a lower bound that was larger than the upper bound, StackVec would write out of bounds and overwrite memory on the stack. As mentioned by the size_hint documentation, size_hint is mainly for optimization, and incorrect implementations should not lead to memory safety issues.
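The defensive pattern this implies, as an added example that is not code from the stackvector crate or from this advisory: a fixed-capacity vector whose extend checks capacity on every write and never uses size_hint to decide how much to store. FixedVec, LyingIter and extend_checked are hypothetical names, and the iterator is constructed to report a lower bound above its upper bound.

```rust
// Constructed iterator that breaks the size_hint contract (lower > upper).
struct LyingIter { remaining: usize }

impl Iterator for LyingIter {
    type Item = u8;
    fn next(&mut self) -> Option<u8> {
        if self.remaining == 0 { return None; }
        self.remaining -= 1;
        Some(0xAA)
    }
    fn size_hint(&self) -> (usize, Option<usize>) {
        (self.remaining, Some(0)) // incorrect on purpose
    }
}

// Hypothetical fixed-capacity vector, not the stackvector crate's type.
pub struct FixedVec<const N: usize> { buf: [u8; N], len: usize }

impl<const N: usize> FixedVec<N> {
    pub fn new() -> Self { Self { buf: [0; N], len: 0 } }
    pub fn as_slice(&self) -> &[u8] { &self.buf[..self.len] }

    // The only write path: capacity is checked for every element.
    pub fn try_push(&mut self, v: u8) -> Result<(), u8> {
        if self.len == N { return Err(v); }
        self.buf[self.len] = v;
        self.len += 1;
        Ok(())
    }

    // Extends up to the remaining capacity and returns how many items were
    // stored. size_hint is never consulted to decide how much to write.
    pub fn extend_checked<I: IntoIterator<Item = u8>>(&mut self, iter: I) -> usize {
        let room = N - self.len;
        let mut stored = 0;
        for v in iter.into_iter().take(room) {
            if self.try_push(v).is_err() { break; }
            stored += 1;
        }
        stored
    }
}

fn main() {
    let mut v = FixedVec::<4>::new();
    let stored = v.extend_checked(LyingIter { remaining: 10 });
    println!("hint lied, stored {} of 10, len {}", stored, v.as_slice().len());
}
```

Because every write goes through try_push, a wrong size_hint can at worst cost performance in code that uses it for preallocation; it cannot move a write past the end of the buffer.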
{ "nvd_published_at": "2021-04-01T05:15:00Z", "cwe_ids": [ "CWE-787" ], "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2021-08-19T17:15:11Z" }