RUSTSEC-2023-0080

Buffer overflow due to integer overflow in transpose

Reported

December 18, 2023

Issued

February 17, 2024 (last modified: April 11, 2024)

Package

transpose (crates.io)

Type

Vulnerability

Categories

memory-corruption

Aliases

GHSA-5gmm-6m36-r7jh

References

https://github.com/ejmahler/transpose/issues/11

Patched

>=0.2.3

Affected Functions

Version

transpose::transpose

>=0.1.0

Description

Given the function transpose::transpose:

fn transpose<T: Copy>(input: &[T], output: &mut [T], input_width: usize, input_height: usize)

The safety check input_width * input_height == output.len() can fail due to input_width * input_height overflowing in such a way that it equals output.len(). As a result of failing the safety check, memory past the end of output is written to. This only occurs in release mode since * panics on overflow in debug mode.

Exploiting this issue requires the caller to pass input_width and input_height arguments such that multiplying them overflows, and the overflown result equals the lengths of input and output slices.

Advisory available under CC0-1.0 license.