Reported

May 19, 2021

Issued

May 22, 2021 (last modified: June 13, 2023)

Package

iced-x86 (crates.io)

Type

Vulnerability

Keywords

#soundness

Aliases

• CVE-2021-38188
• GHSA-jjx5-3f36-6927

References

• https://github.com/icedland/iced/issues/168

Patched

• >1.10.3

Affected Functions

Version

iced_x86::Decoder::new

• <=1.10.3

Description

Versions of iced-x86 <= 1.10.3 invoke undefined behavior which may cause soundness issues in crates using the iced_x86::Decoder struct. The Decoder::new() function made a call to slice.get_unchecked(slice.length()) to get the end position of the input buffer. The flaw was fixed with safe logic that does not invoke undefined behavior.

More details can be found at https://github.com/icedland/iced/issues/168.

Advisory available under CC0-1.0 license.