Lucene search

K
osvGoogleOSV:RUSTSEC-2023-0080
HistoryDec 18, 2023 - 12:00 p.m.

Buffer overflow due to integer overflow in `transpose`

2023-12-1812:00:00
Google
osv.dev
6
buffer overflow
integer overflow
rust programming

7.5 High

AI Score

Confidence

High

Given the function transpose::transpose:

fn transpose<T: Copy>(input: &[T], output: &mut [T], input_width: usize, input_height: usize)

The safety check input_width * input_height == output.len() can fail due to input_width * input_height overflowing in such a way that it equals output.len().
As a result of failing the safety check, memory past the end of output is written to. This only occurs in release mode since * panics on overflow in debug mode.

Exploiting this issue requires the caller to pass input_width and input_height arguments such that multiplying them overflows, and the overflown result equals the lengths of input and output slices.

CPENameOperatorVersion
transposelt0.2.3

7.5 High

AI Score

Confidence

High