- Reported
-
- Issued
-
- Package
-
array-queue
(crates.io)
- Type
-
Vulnerability
- Categories
-
- Keywords
-
#memory-safety
#panic-safety
#uninitialized-memory
- References
-
- Patched
-
- Unaffected
-
- Affected Functions
- Version
array_queue::ArrayQueue::push_front
-
Description
The safe API array_queue::ArrayQueue::push_front
can lead to deallocating uninitialized memory if a panic occurs while invoking the clone
method on the passed argument.
Specifically, push_front
receives an argument that is intended to be cloned and pushed, whose type implements the Clone
trait. Furthermore, the method updates the queue's start
index before initializing the slot for the newly pushed element. User-defined implementations of Clone
may include a clone
method that can panic. If such a panic occurs during initialization, the structure is left with an advanced start
index pointing to an uninitialized slot. When ArrayQueue
is later dropped, its destructor treats that slot as initialized and attempts to drop it, resulting in an attempt to free uninitialized memory.
The bug was fixed in commit 728fe1b
.
Advisory available under CC0-1.0
license.