RUSTSEC-2025-0005

Out of bounds write triggered by crafted coverage data

Reported
Issued
Package: grcov (crates.io)
Type: Vulnerability
Categories
References
Patched
  • >0.8.20
Affected Functions (Version)
  • grcov::covdir::get_coverage: <=0.8.20

Description

Function grcov::covdir::get_coverage uses the unsafe function get_unchecked_mut without validating that the index is in bounds.

This results in memory corruption, and could potentially allow arbitrary code execution provided that an attacker can feed the tool crafted coverage data.
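The unchecked-index pattern described above, next to a bounds-checked form, as an added example; this is not grcov's code. The function names, the LineHits type and the per-line array layout are hypothetical, and the sample inputs are constructed.

```rust
// Added illustration: names and data layout are hypothetical, not grcov's source.
use std::collections::BTreeMap;

/// Constructed stand-in for parsed coverage data: 1-based line number -> hit count.
type LineHits = BTreeMap<u32, u64>;

#[derive(Debug, PartialEq)]
enum CoverageError {
    LineOutOfRange { line: u32, len: usize },
}

/// The pattern the advisory describes: an index taken from input, no bounds check.
/// # Safety
/// Caller must guarantee `1 <= line <= out.len()`; otherwise this writes out of bounds.
#[allow(dead_code)]
unsafe fn record_unchecked(out: &mut [i64], line: u32, hits: u64) {
    unsafe { *out.get_unchecked_mut(line as usize - 1) = hits as i64 };
}

/// Hardened form: `get_mut` yields None for an out-of-range index, so crafted
/// line numbers become an error instead of a write past the buffer.
fn record_checked(out: &mut [i64], line: u32, hits: u64) -> Result<(), CoverageError> {
    let len = out.len();
    // checked_sub rejects line 0, get_mut rejects anything past the end.
    match (line as usize).checked_sub(1).and_then(|i| out.get_mut(i)) {
        Some(slot) => {
            *slot = hits.min(i64::MAX as u64) as i64; // clamp instead of wrapping
            Ok(())
        }
        None => Err(CoverageError::LineOutOfRange { line, len }),
    }
}

/// Builds a per-line array (-1 = line not instrumented) from untrusted hit data.
fn build_coverage(total_lines: usize, hits: &LineHits) -> Result<Vec<i64>, CoverageError> {
    let mut out = vec![-1i64; total_lines];
    for (&line, &count) in hits {
        record_checked(&mut out, line, count)?;
    }
    Ok(out)
}

fn main() {
    let well_formed = LineHits::from([(1, 3), (3, 0)]); // constructed input
    println!("{:?}", build_coverage(3, &well_formed));
    let crafted = LineHits::from([(1, 1), (4000, 7)]); // line number beyond the file
    println!("{:?}", build_coverage(3, &crafted));
}
```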

Advisory available under CC0-1.0 license.