GHSA-jqcp-xc3v-f446: fast-float2 has a segmentation fault due to lack of bound check

Skip to content

Navigation Menu

• • GitHub Copilot

    Write better code with AI

  • Security

    Find and fix vulnerabilities

  • Actions

    Automate any workflow

  • Codespaces

    Instant dev environments

  • Issues

    Plan and track work

  • Code Review

    Manage code changes

  • Discussions

    Collaborate outside of code

  • Code Search

    Find more, search less

• Explore

  • Learning Pathways
  • White papers, Ebooks, Webinars
  • Customer Stories
  • Partners
  • Executive Insights

• • GitHub Sponsors

    Fund open source developers

*   The ReadME Project
    
    GitHub community articles

• • Enterprise platform

    AI-powered developer platform

• Pricing

Provide feedback

Saved searches****Use saved searches to filter your results more quickly

Sign up

1. GitHub Advisory Database
2. GitHub Reviewed
3. GHSA-jqcp-xc3v-f446

fast-float2 has a segmentation fault due to lack of bound check

Moderate severity GitHub Reviewed Published Jan 29, 2025 to the GitHub Advisory Database • Updated Jan 29, 2025

Package

cargo fast-float2 (Rust)

Affected versions

< 0.2.2

Description

In this case, the “fast_float2::common::AsciiStr::first” method within the “AsciiStr” struct
uses the unsafe keyword to reading from memory without performing bounds checking.
Specifically, it directly dereferences a pointer offset by "self.ptr".
Because of the above reason, the method accesses invalid memory address when it takes an empty string as its input.
This approach violates Rust’s memory safety guarantees, as it can lead to invalid memory access if empty buffer is provided.

References

• aldanor/fast-float-rust#38
• https://rustsec.org/advisories/RUSTSEC-2025-0002.html
• Alexhuszagh/fast-float-rust#7

Published to the GitHub Advisory Database

Jan 29, 2025

Last updated

Jan 29, 2025

EPSS score