- Reported
-
- Issued
-
- Package
-
transpose
(crates.io)
- Type
-
Vulnerability
- Categories
-
- Aliases
-
- References
-
- Patched
-
- Affected Functions
- Version
transpose::transpose
-
Description
Given the function transpose::transpose
:
fn transpose<T: Copy>(input: &[T], output: &mut [T], input_width: usize, input_height: usize)
The safety check input_width * input_height == output.len()
can fail due to input_width * input_height
overflowing in such a way that it equals output.len()
.
As a result of failing the safety check, memory past the end of output
is written to. This only occurs in release mode since *
panics on overflow in debug mode.
Exploiting this issue requires the caller to pass input_width
and input_height
arguments such that multiplying them overflows, and the overflown result equals the lengths of input and output slices.
Advisory available under CC0-1.0
license.