RUSTSEC-2025-0164

DTriangle accessors may read out of bounds in affected versions

Reported
Issued
Package: i_triangle (crates.io)
Type: INFO Unsound
References
Patched
  • >=0.29.0
Affected Functions (Version)
  • i_triangle::delaunay::triangle::DTriangle::neighbor_by_order: >=0.24.0, <0.29.0
  • i_triangle::delaunay::triangle::DTriangle::vertex_by_order: >=0.24.0, <0.29.0

Description

In affected versions, DTriangle::neighbor_by_order and DTriangle::vertex_by_order were public safe functions that accepted an arbitrary order value. These functions used order to access fixed-size internal arrays with get_unchecked, without checking whether order was within bounds. Calling these methods with an out-of-bounds order could cause an out-of-bounds read from safe Rust code. This made the old APIs unsound, since safe callers could trigger undefined behavior without using unsafe.

The issue was fixed in version 0.29.0 as part of a broader rewrite that replaced the old triangle implementation with IntTriangle and removed the affected accessor methods.
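
The unsound accessor shape described above, next to two sound alternatives. This is an added example, not i_triangle's code: Tri, Order, the method names and the sample data are hypothetical. Version 0.29.0 itself removed the accessors rather than adopting either alternative.

```rust
// Added illustration: `Tri`, `Order` and these method names are hypothetical,
// not i_triangle's source.
pub struct Tri {
    vertices: [u32; 3],
    neighbors: [usize; 3],
}

// Index type that can only name a valid slot.
#[derive(Clone, Copy)]
pub enum Order { First = 0, Second = 1, Third = 2 }

impl Tri {
    pub fn new(vertices: [u32; 3], neighbors: [usize; 3]) -> Self {
        Tri { vertices, neighbors }
    }

    // Unsound shape described in the advisory: the signature is safe, but
    // any `order >= 3` makes get_unchecked read outside the array (UB).
    pub fn vertex_by_order_unsound(&self, order: usize) -> u32 {
        unsafe { *self.vertices.get_unchecked(order) }
    }

    // Sound: bounds-checked lookup, an invalid order yields None.
    pub fn vertex_by_order(&self, order: usize) -> Option<u32> {
        self.vertices.get(order).copied()
    }

    pub fn neighbor_by_order(&self, order: usize) -> Option<usize> {
        self.neighbors.get(order).copied()
    }

    // Sound: the parameter type rules out invalid orders at compile time.
    pub fn vertex(&self, order: Order) -> u32 {
        self.vertices[order as usize]
    }
}

fn main() {
    let t = Tri::new([10, 20, 30], [4, 5, 6]); // constructed sample data
    // In-range call: the only kind of input for which this accessor is defined.
    println!("{}", t.vertex_by_order_unsound(1));
    println!("{:?}", t.vertex_by_order(2));
    println!("{:?}", t.neighbor_by_order(3)); // rejected instead of UB
    println!("{}", t.vertex(Order::Third));
}
```

When auditing a crate for this class of bug, look for get_unchecked (or raw pointer offsets) inside functions that are not marked unsafe and whose index comes straight from a caller-supplied parameter.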

Advisory available under CC0-1.0 license.