Описание
transpose: Buffer overflow due to integer overflow
Given the function transpose::transpose:
The safety check input_width * input_height == output.len() can fail due to input_width * input_height overflowing in such a way that it equals output.len().
As a result of failing the safety check, memory past the end of output is written to. This only occurs in release mode since * panics on overflow in debug mode.
Exploiting this issue requires the caller to pass input_width and input_height arguments such that multiplying them overflows, and the overflown result equals the lengths of input and output slices.
Пакеты
transpose
>= 0.1.0, < 0.2.3
0.2.3
Связанные уязвимости
The transpose crate before 0.2.3 for Rust allows an integer overflow via input_width and input_height arguments.
The transpose crate before 0.2.3 for Rust allows an integer overflow via input_width and input_height arguments.
The transpose crate before 0.2.3 for Rust allows an integer overflow v ...