- Reported
- Issued
- Package: stackvector (crates.io)
- Type: INFO, Unsound
- References
- Patched
Description
Affected versions of stackvector contained multiple soundness issues that could allow safe Rust code to trigger undefined behavior.
One issue was that StackVec::length was exposed as a public field. Safe Rust code could set length to a value larger than the backing array capacity. Other safe methods, including remove, pop, and truncate, relied on length before performing unsafe pointer operations (ptr::read, ptr::copy, offset/add). If length was corrupted by safe code, these methods could perform out-of-bounds pointer arithmetic, reads, writes, or copies.
The upstream maintainer also identified additional soundness issues, including the use of mem::uninitialized in StackVec::from_vec_unchecked, which was reachable through from_vec, and Miri violations related to MaybeUninit usage.
Version 2.0.0 was released to fix the known soundness issues.
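The public-length issue described above comes down to an invariant that any caller could overwrite. As an added illustration (not stackvector's source and not the 2.0.0 fix), the sketch below keeps the length private so that the unsafe read in pop can rely on it; FixedVec, the fixed module and the method bodies are hypothetical names and code written for this example.

```rust
mod fixed {
    use std::mem::MaybeUninit;
    // Constructed model, not stackvector's source. The unsound shape in the
    // advisory is `pub length: usize`: safe code could set it past capacity.
    pub struct FixedVec<T, const N: usize> {
        data: [MaybeUninit<T>; N],
        // Private to this module, so only the methods below maintain the
        // invariant: len <= N and data[..len] is initialized.
        len: usize,
    }

    impl<T, const N: usize> FixedVec<T, N> {
        pub fn new() -> Self {
            Self { data: std::array::from_fn(|_| MaybeUninit::uninit()), len: 0 }
        }
        pub fn len(&self) -> usize { self.len }

        // Hands the value back instead of writing past the capacity.
        pub fn push(&mut self, value: T) -> Result<(), T> {
            if self.len == N { return Err(value); }
            self.data[self.len].write(value);
            self.len += 1;
            Ok(())
        }
        pub fn pop(&mut self) -> Option<T> {
            if self.len == 0 { return None; }
            self.len -= 1;
            // SAFETY: slots below the old `len` were written by `push`, and
            // no code outside this module can have raised `len`.
            Some(unsafe { self.data[self.len].assume_init_read() })
        }
        // A `new_len` above the current length is a no-op.
        pub fn truncate(&mut self, new_len: usize) {
            while self.len > new_len { drop(self.pop()); }
        }
    }
    impl<T, const N: usize> Drop for FixedVec<T, N> {
        fn drop(&mut self) { self.truncate(0); }
    }
}
use fixed::FixedVec;

fn main() {
    let mut v: FixedVec<String, 2> = FixedVec::new();
    v.push("a".into()).unwrap();
    // v.len = 100; // rejected by the compiler: field `len` is private
    let (a, b) = (v.pop(), v.pop());
    println!("{:?} then {:?}, len {}", a, b, v.len());
}
```

Running the model under Miri (cargo miri run) is a practical way to check that its unsafe block holds up, since the advisory notes that the maintainer found further violations that way.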
Advisory available under CC0-1.0 license.