RUSTSEC-2021-0117

DecimalArray does not perform bound checks on accessing values and offsets

Reported

September 14, 2021

Issued

September 29, 2021 (last modified: February 9, 2023)

Package

arrow (crates.io)

Type

Vulnerability

Categories

memory-exposure

Keywords

#buffer-overflow

Details

https://github.com/apache/arrow-rs/issues/775

Patched

>=6.4.0

Description

DecimalArray performs insufficient bounds checks, which allows out-of-bounds reads in safe code if the length of the backing buffer is not a multiple of 16.