- Reported:
- Issued:
- Package: zerovec-derive (crates.io)
- Type: Vulnerability
- Categories:
- Aliases:
- Patched: >=0.10.3; >=0.9.7, <0.10.0
Description
The affected versions make unsafe memory accesses under the assumption that #[repr(packed)] has a guaranteed field order.
The Rust specification does not guarantee this, and https://github.com/rust-lang/rust/pull/125360 (1.80.0-beta) starts
reordering fields of #[repr(packed)] structs, leading to illegal memory accesses.
The patched versions 0.9.7 and 0.10.3 use #[repr(C, packed)], which guarantees field order.
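The layout guarantee the fix relies on, shown as an added example that is not part of the advisory or of zerovec-derive's code; the types WireC and WireRust and all function names are constructed for illustration. It measures field offsets under both attributes and reinterprets bytes only when the #[repr(C, packed)] offsets are the expected 0, 1 and 5.

```rust
use core::ptr::{addr_of, read_unaligned};

// Constructed sample types for illustration; not zerovec-derive's generated code.
// repr(C, packed): declaration order is guaranteed, no padding.
#[repr(C, packed)]
#[derive(Clone, Copy)]
struct WireC { tag: u8, len: u32, id: u16 }

// repr(packed) alone: alignment 1, but the compiler may choose the field order.
#[allow(dead_code)]
#[repr(packed)]
#[derive(Clone, Copy)]
struct WireRust { tag: u8, len: u32, id: u16 }

// Measure byte offsets of (tag, len, id) with raw pointers, so no reference
// to an unaligned field is ever created.
macro_rules! offsets {
    ($t:ident) => {{
        let v = $t { tag: 0, len: 0, id: 0 };
        let base = addr_of!(v) as usize;
        [addr_of!(v.tag) as usize - base,
         addr_of!(v.len) as usize - base,
         addr_of!(v.id) as usize - base]
    }};
}

fn offsets_c() -> [usize; 3] { offsets!(WireC) }
fn offsets_rust() -> [usize; 3] { offsets!(WireRust) }

// Decode a little-endian (tag, len, id) record by reinterpreting bytes as WireC.
// This is only sound because repr(C, packed) pins the offsets to 0, 1 and 5.
fn decode(bytes: &[u8]) -> Option<(u8, u32, u16)> {
    if bytes.len() != core::mem::size_of::<WireC>() || offsets_c() != [0, 1, 5] {
        return None;
    }
    // SAFETY: length checked above; WireC has alignment 1 and every bit pattern is valid.
    let w: WireC = unsafe { read_unaligned(bytes.as_ptr() as *const WireC) };
    Some((w.tag, u32::from_le(w.len), u16::from_le(w.id)))
}

fn main() {
    println!("repr(C, packed): {:?}", offsets_c());
    // Unspecified: may or may not match declaration order, depending on the compiler.
    println!("repr(packed):    {:?}", offsets_rust());
    println!("{:?}", decode(&[0x01, 0x02, 0, 0, 0, 0x03, 0]));
}
```

The offsets printed for WireRust are whatever the compiler in use chose, so code that hard-codes them is correct only by accident.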
Advisory available under CC0-1.0 license.