RUSTSEC-2023-0080

See a problem?
Please try reporting it to the source first.

Source

https://rustsec.org/advisories/RUSTSEC-2023-0080

Import Source

https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2023-0080.json

JSON Data

https://api.osv.dev/v1/vulns/RUSTSEC-2023-0080

Aliases

GHSA-5gmm-6m36-r7jh

Published

2023-12-18T12:00:00Z

Modified

2024-04-11T16:41:43.507511Z

Summary

Buffer overflow due to integer overflow in `transpose`

Details

Given the function transpose::transpose:

fn transpose&lt;T: Copy>(input: &[T], output: &mut [T], input_width: usize, input_height: usize)

The safety check input_width * input_height == output.len() can fail due to input_width * input_height overflowing in such a way that it equals output.len(). As a result of failing the safety check, memory past the end of output is written to. This only occurs in release mode since * panics on overflow in debug mode.

Exploiting this issue requires the caller to pass input_width and input_height arguments such that multiplying them overflows, and the overflown result equals the lengths of input and output slices.

Database specific

{
    "license": "CC0-1.0"
}

References

Affected packages

crates.io / transpose

Package

Name: transpose; View open source insights on deps.dev
Purl: pkg:cargo/transpose

Affected ranges

Type: SEMVER
Events: Introduced

0.0.0-0

Fixed

0.2.3

Ecosystem specific

{
    "affected_functions": null,
    "affects": {
        "os": [],
        "functions": [
            "transpose::transpose"
        ],
        "arch": []
    }
}

Database specific

{
    "cvss": null,
    "informational": null,
    "categories": [
        "memory-corruption"
    ]
}