unbounded-spsc: Sender::send pointer-as-value transmute causes OOB read and fake-Arc drop under TX/RX race

Summary Sender::send in src/lib.rs contains an unsafe block in the DISCONNECTED arm that transmutes a raw pointer mut Producer into the bytes of a value-level Consumer. The author's intent, visible in the surrounding comment at lines 386-390, was a value transmute. The shipped code is one level o...

move_elements can double-free objects on panic

Affected versions of scratchpad used ptr::read to read elements while calling a user provided function f on them. Since the pointer read duplicates ownership, a panic inside the user provided f function could cause a double free when unwinding. The flaw was fixed in commit 891561bea by removing t...

GHSA-3QM2-RFQW-FMRW move_elements can double-free objects on panic

Affected versions of scratchpad used ptr::read to read elements while calling a user provided function f on them. Since the pointer read duplicates ownership, a panic inside the user provided f function could cause a double free when unwinding. The flaw was fixed in commit 891561bea by removing t...

RUSTSEC-2021-0032 Deserializing an array can drop uninitialized memory on panic

The readbytesdefaultle function for T; n arrays, used to deserialize arrays of T from bytes created a T; n array with std::mem::uninitialized and then called T's deserialization method. If T's deserialization method panicked, the uninitialized memory could drop invalid objects. This flaw was...

Deserializing an array can drop uninitialized memory on panic

The readbytesdefaultle function for T; n arrays, used to deserialize arrays of T from bytes created a T; n array with std::mem::uninitialized and then called T's deserialization method. If T's deserialization method panicked, the uninitialized memory could drop invalid objects. This flaw was...

move_elements can double-free objects on panic

Affected versions of scratchpad used ptr::read to read elements while calling a user provided function f on them. Since the pointer read duplicates ownership, a panic inside the user provided f function could cause a double free when unwinding. The flaw was fixed in commit 891561bea by removing t...

RUSTSEC-2021-0029 Tape::take_bytes exposes uninitialized memory to a user-provided Read

Affected versions of this crate passed an unininitialized buffer to a user-provided Read instance in Tape::takebytes. This can result in safe Read implementations reading from the uninitialized buffer leading to undefined behavior. The flaw was corrected in commit 1f2dc7f37dd by removing the unsa...