GHSA-5gmm-6m36-r7jh: transpose: Buffer overflow due to integer overflow

Given the function transpose::transpose:

fn transpose<T: Copy>(input: &[T], output: &mut [T], input_width: usize, input_height: usize)

The safety check input_width * input_height == output.len() can fail to protect the write: when input_width * input_height overflows, the wrapped product can equal output.len(), so the check passes even though the real dimensions are far larger than the buffer. As a result, memory past the end of output is written to. This only occurs in release mode, since * panics on overflow in debug mode.

Exploiting this issue requires the caller to pass input_width and input_height arguments whose product overflows, with the overflowed result equal to the lengths of the input and output slices.
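The check described above, next to an overflow-aware form, as an added example that is not the transpose crate's own code. The function names and the sample dimensions are constructed for illustration, and checked_mul is one way to harden the check, not necessarily the fix the crate shipped.

```rust
// Added example; function names are hypothetical, not the transpose crate's internals.

/// Release-mode behaviour of `input_width * input_height == len`:
/// `*` wraps silently when overflow checks are off. wrapping_mul models that
/// here so the demo behaves the same in debug and release builds.
fn wrapping_check(width: usize, height: usize, in_len: usize, out_len: usize) -> bool {
    let n = width.wrapping_mul(height);
    n == in_len && n == out_len
}

/// Hardened check: checked_mul returns None on overflow, so dimensions whose
/// true product does not fit in usize are rejected instead of compared.
fn checked_check(width: usize, height: usize, in_len: usize, out_len: usize) -> bool {
    match width.checked_mul(height) {
        Some(n) => n == in_len && n == out_len,
        None => false,
    }
}

/// Constructed dimensions whose true product exceeds usize::MAX and wraps to 4.
/// Written with usize::BITS so it holds on 32-bit and 64-bit targets.
fn wrapping_dims() -> (usize, usize) {
    ((1usize << (usize::BITS - 1)) + 2, 2)
}

fn main() {
    let (w, h) = wrapping_dims();
    let input = [0u8; 4];
    let output = [0u8; 4];
    println!("wrapped product        = {}", w.wrapping_mul(h));
    println!("wrapping check accepts = {}", wrapping_check(w, h, input.len(), output.len()));
    println!("checked check accepts  = {}", checked_check(w, h, input.len(), output.len()));
    // Honest dimensions still pass the hardened check.
    println!("2x2 over 4 elements    = {}", checked_check(2, 2, 4, 4));
}
```

The wrapping check accepts a four-element buffer for dimensions that describe roughly 2^64 elements, which is the condition the advisory describes; the checked form rejects them while still accepting a genuine 2x2 input.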

References

  • ejmahler/transpose#11
  • ejmahler/transpose@c4bcd39
  • https://rustsec.org/advisories/RUSTSEC-2023-0080.html
