Deserializer::read_vec()
created an uninitialized buffer and passes it to a user-provided Read
implementation (Deserializer.reader.read_exact()
).
Passing an uninitialized buffer to an arbitrary Read
implementation is currently defined as undefined behavior in Rust. Official documentation for the Read
trait explains the following: "It is your responsibility to make sure that buf is initialized before calling read. Calling read with an uninitialized buf (of the kind one obtains via MaybeUninit<T>) is not safe, and can lead to undefined behavior."
The flaw was corrected in commit ce310f7 by zero-initializing the newly allocated buffer before handing it to Deserializer.reader.read_exact()
.
{ "license": "CC0-1.0" }