RUSTSEC-2022-0067

Invalid use of mem::uninitialized causes use-of-uninitialized-value

Reported

October 22, 2022

Issued

November 7, 2022 (last modified: June 13, 2023)

Package

lzf (crates.io)

Type

INFO Unsound

Keywords

#uninitialized-memory

Aliases

GHSA-5m39-wx2q-mxg3

References

https://github.com/badboy/lzf-rs/issues/9

Patched

>=0.3.2

Affected Functions

Version

lzf::compress

<0.3.2

lzf::decompress

<0.3.2

Description

The compression and decompression function used mem:uninitialized to create an array of uninitialized values, to later write values into it. This later leads to reads from uninitialized memory.

The flaw was corrected in commit b633bf265e41c60dfce3be7eac4e4dd5e18d06cf by using a heap-allocated Vec and removing out use of mem::uninitialized. The fix was released in v0.3.2 and v1.0.0

Subsequently the crate was deprecated and its use is discouraged.

Advisory available under CC0-1.0 license.