- Reported
-
- Issued
-
- Package
-
ruzstd
(crates.io)
- Type
-
Vulnerability
- Categories
-
- References
-
- Patched
-
- Unaffected
-
Description
Affected versions of ruzstd
miscalculate the length of the allocated
and init section of its internal RingBuffer
, leading to uninitialized
or out-of-bounds reads in copy_bytes_overshooting
of up to 15 bytes.
This may result in up to 15 bytes of memory contents being written
into the decoded data when decompressing a crafted archive.
This may occur multiple times per archive.
Advisory available under CC0-1.0
license.