RUSTSEC-2023-0021

NULL pointer dereference in stb_image

Reported

March 19, 2023

Issued

March 19, 2023 (last modified: July 15, 2023)

Package

stb_image (crates.io)

Type

Vulnerability

Categories

memory-corruption

Keywords

#NULL-pointer-dereference

Aliases

GHSA-ppjr-267j-5p9x

References

https://github.com/servo/rust-stb-image/pull/102

Patched

>=0.2.5

Description

A bug in error handling in the stb_image C library could cause a NULL pointer dereference when attempting to load an invalid or unsupported image file. This is fixed in version 0.2.5 and later of the stb_image Rust crate, by patching the C code to correctly handle NULL pointers.

Thank you to GitHub user 0xdd96 for finding and fixing this vulnerability.

Advisory available under CC0-1.0 license.