HistoryEditJSON (OSV)

RUSTSEC-2023-0080

Buffer overflow due to integer overflow in transpose

Reported
Issued
Package
transpose (crates.io)
Type
Vulnerability
Categories
Aliases
References
Patched
  • >=0.2.3
Affected Functions
Version
transpose::transpose
  • >=0.1.0

Description

Given the function transpose::transpose:

fn transpose<T: Copy>(input: &[T], output: &mut [T], input_width: usize, input_height: usize)

The safety check input_width * input_height == output.len() can fail due to input_width * input_height overflowing in such a way that it equals output.len(). As a result of failing the safety check, memory past the end of output is written to. This only occurs in release mode since * panics on overflow in debug mode.

Exploiting this issue requires the caller to pass input_width and input_height arguments such that multiplying them overflows, and the overflown result equals the lengths of input and output slices.

Advisory available under CC0-1.0 license.