RUSTSEC-2024-0379
Multiple soundness issues
- Reported
- Issued
- Package
- fast-float (crates.io)
- Type
- INFO Unsound
- References
- Patched
- no patched versions
Description
fast-float contains multiple soundness issues:
- Undefined behavior when checking input length, which has been fixed in a merged change but no package published.
- Many functions marked as safe with non-local safety guarantees
The library is also unmaintained.
Alternatives
For quickly parsing floating-point numbers, third-party crates are generally no longer needed. A fast float parsing algorithm by the author of lexical has been merged into libcore. When direct parsing from bytes and/or partial parsers are required, the fast-float2 fork of fast-float contains these security patches and reduces the overall usage of unsafe.
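As an added example, not taken from the advisory, from fast-float or from fast-float2, the following shows how the two use cases named above (parsing directly from bytes, and partial parsing that reports how many bytes were consumed) can be covered with libcore's own float parser and no unsafe code at all. The prefix scanner and the `Partial` type are assumptions of this example; every bounds check is a plain slice index, so an out-of-range length check can only panic, never read out of bounds.

```rust
// Added example (not part of the advisory or the fast-float crate): a partial
// float parser over raw bytes built only on libcore/std, so that no `unsafe`
// and no third-party crate is involved. It scans the longest prefix that has
// the shape of a decimal float literal, then hands that prefix to
// `str::parse::<f64>()`, the libcore implementation the advisory refers to.

/// Result of a partial parse: the value and how many input bytes were consumed.
#[derive(Debug, PartialEq)]
pub struct Partial {
    pub value: f64,
    pub consumed: usize,
}

/// Length of the longest prefix of `input` matching
/// `[+-]? digits* ['.' digits*] [('e'|'E') [+-]? digits+]`
/// with at least one mantissa digit; 0 when there is no such prefix.
fn float_prefix_len(input: &[u8]) -> usize {
    let n = input.len();
    let mut i = 0;
    // optional sign
    if i < n && (input[i] == b'+' || input[i] == b'-') {
        i += 1;
    }
    let int_start = i;
    while i < n && input[i].is_ascii_digit() {
        i += 1;
    }
    let mut mantissa_digits = i - int_start;
    // optional fraction
    if i < n && input[i] == b'.' {
        let mut j = i + 1;
        while j < n && input[j].is_ascii_digit() {
            j += 1;
        }
        mantissa_digits += j - (i + 1);
        i = j;
    }
    if mantissa_digits == 0 {
        return 0;
    }
    // optional exponent; only accepted when it carries at least one digit,
    // so "1e" parses as "1" with one trailing unconsumed byte
    if i < n && (input[i] == b'e' || input[i] == b'E') {
        let mut j = i + 1;
        if j < n && (input[j] == b'+' || input[j] == b'-') {
            j += 1;
        }
        let exp_start = j;
        while j < n && input[j].is_ascii_digit() {
            j += 1;
        }
        if j > exp_start {
            i = j;
        }
    }
    i
}

/// Parse a float from the start of `input`, ignoring any trailing bytes.
pub fn parse_partial(input: &[u8]) -> Option<Partial> {
    let len = float_prefix_len(input);
    if len == 0 {
        return None;
    }
    // The prefix is pure ASCII by construction, so from_utf8 cannot fail,
    // but the checked API is used rather than from_utf8_unchecked.
    let text = std::str::from_utf8(&input[..len]).ok()?;
    let value: f64 = text.parse().ok()?;
    Some(Partial { value, consumed: len })
}

/// Parse a float that must occupy the entire input.
pub fn parse_full(input: &[u8]) -> Option<f64> {
    match parse_partial(input) {
        Some(p) if p.consumed == input.len() => Some(p.value),
        _ => None,
    }
}

fn main() {
    // constructed sample inputs
    println!("{:?}", parse_partial(b"3.25e2kg")); // value 325.0, consumed 6
    println!("{:?}", parse_full(b"12abc")); // None: trailing bytes
    println!("{:?}", parse_full(b"1e400")); // Some(inf): libcore saturates on overflow
}
```

The design choice worth noting is that the only code that touches raw bytes is a tiny scanner whose safety argument is local to the function (indices are always compared against `input.len()` before use), which is exactly the property the advisory's second finding says fast-float's safe functions lacked. Conversion and rounding are delegated to libcore.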
Advisory available under CC0-1.0 license.