Affected versions of this crate transmuted a &str
to a &'static str
before
pushing it into a StackVec
, this value was then popped later in the same
function.
This was assumed to be safe because the reference would be valid while the
method's stack was active. In between the push and the pop, however, a function
f
was called that could invoke a user provided function.
If the user provided panicked, then the assumption used by the function was no
longer true and the transmute to &'static
would create an illegal static
reference to the string. This could result in a freed string being used during
(such as in a Drop
implementation) or after (e.g through catch_unwind
) the
panic unwinding.
This flaw was corrected in commit e325e2f
by using a guard object to ensure that the &'static str
was dropped inside
the function.
{ "license": "CC0-1.0" }