RUSTSEC-2021-0029: truetype: Tape::take_bytes exposes uninitialized memory to a user-provided Read

Description

Affected versions of this crate passed an unininitialized buffer to a user-provided Read instance in Tape::take_bytes.

This can result in safe Read implementations reading from the uninitialized buffer leading to undefined behavior.

The flaw was corrected in commit 1f2dc7f37dd by removing the unsafe block and zero-initializing the buffer.

More Info

https://github.com/bodoni/truetype/issues/11

Patched Versions