- Reported
-
- Issued
-
- Package
-
id-map
(crates.io)
- Type
-
Vulnerability
- Categories
-
- Keywords
-
#memory-safety
#uninitialized-memory
- References
-
- Patched
-
- Unaffected
-
- Affected Functions
- Version
id_map::IdMap::from_iter-
Description
Due to a flaw in the constructor id_map::IdMap::from_iter, ill-formed objects may be created in which the amount of actually initialized memory is less than what is expected by the fields of IdMap. Specifically, the field ids is initialized based on the capacity of the vector values, which is constructed from the provided iterator. However, the length of this vector may be smaller than its capacity.
In such cases, when the resulting IdMap is dropped, its destructor incorrectly assumes that values contains ids.len() == values.capacity() initialized elements and attempts to iterate over and drop them. This leads to dereferencing and attempting to free uninitialized memory, resulting in undefined behavior and potential segmentation faults.
The bug was fixed in commit fab6922, and all unsafe code was removed from the crate.
Note that the maintainer recommends using the following alternatives:
Advisory available under CC0-1.0
license.