RUSTSEC-2021-0117

DecimalArray does not perform bound checks on accessing values and offsets

Reported

September 14, 2021

Issued

September 29, 2021 (last modified: June 13, 2023)

Package

arrow (crates.io)

Type

Vulnerability

Categories

memory-exposure

Keywords

#buffer-overflow

Aliases

GHSA-h588-76vg-prgj

References

https://github.com/apache/arrow-rs/issues/775

Patched

>=6.4.0

Description

DecimalArray performs insufficient bounds checks, which allows out-of-bounds reads in safe code if the length of the backing buffer is not a multiple of 16.

Advisory available under CC0-1.0 license.