Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS01Z21tLTZtMzYtcjdqaM4AA6qS
transpose: Buffer overflow due to integer overflow
Given the function transpose::transpose:
fn transpose<T: Copy>(input: &[T], output: &mut [T], input_width: usize, input_height: usize)
The safety check input_width * input_height == output.len() can fail due to input_width * input_height overflowing in such a way that it equals output.len().
As a result of failing the safety check, memory past the end of output is written to. This only occurs in release mode since * panics on overflow in debug mode.
Exploiting this issue requires the caller to pass input_width and input_height arguments such that multiplying them overflows, and the overflown result equals the lengths of input and output slices.
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS01Z21tLTZtMzYtcjdqaM4AA6qS
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: 29 days ago
Updated: 29 days ago
CVSS Score: 9.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Identifiers: GHSA-5gmm-6m36-r7jh
References:
- https://github.com/ejmahler/transpose/issues/11
- https://github.com/ejmahler/transpose/commit/c4bcd39fabca9a31a401d0cc42d4090869b5a37a
- https://rustsec.org/advisories/RUSTSEC-2023-0080.html
- https://github.com/advisories/GHSA-5gmm-6m36-r7jh
Blast Radius: 28.5
Affected Packages
cargo:transpose
Dependent packages: 19Dependent repositories: 816
Downloads: 2,045,630 total
Affected Version Ranges: >= 0.1.0, < 0.2.3
Fixed in: 0.2.3
All affected versions: 0.1.0, 0.2.0, 0.2.1, 0.2.2
All unaffected versions: 0.2.3