Buffer overflow in insert_many()
#252
Comments
Thanks for the report! I have submitted a fix in #254. I can submit a RustSec advisory after the fixed version is released, or if you would like to write the advisory, that would be fine too.
I believe the bug is older than that. Passing 0 as
I agree that that commit introduced the bug. Thank you for the quick fix!
Fix potential buffer overflow in `insert_many`

Fixes #252.
Fixed in smallvec 0.6.14 and 1.6.1. RustSec advisory submitted in rustsec/advisory-db#552.
Fixes a buffer overflow: servo/rust-smallvec#252. `spinoso-array` is not impacted because it does not use the vulnerable `SmallVec::insert_many` API.
2506: chore(deps): bump smallvec from 0.6.13 / 1.3.0 to 0.6.14 / 1.6.1 to fix RUSTSEC-2021-0003 r=driftluo,zhangsoledad a=yangby-cryptape

Ref:
- [RUSTSEC-2021-0003: smallvec: Buffer overflow in SmallVec::insert_many](https://rustsec.org/advisories/RUSTSEC-2021-0003.html)
- [Rust-SmallVec Issue-252: Buffer overflow in `insert_many()`](servo/rust-smallvec#252)

Co-authored-by: Boyu Yang <yangby@cryptape.com>
There was a vulnerability found in smallvec as described in:
* servo/rust-smallvec#252
* rustsec/advisory-db#552

This patch updates the package version to 1.6 which is deemed safe to use.

Signed-off-by: Fintan Halpenny <fintan.halpenny@gmail.com>
There was a vulnerability found in smallvec as described in:
* servo/rust-smallvec#252
* rustsec/advisory-db#552

This patch updates the package version to 1.6.1 which is deemed safe to use.

Signed-off-by: Fintan Halpenny <fintan.halpenny@gmail.com>
Hello fellow Rustacean,
we (Rust group @sslab-gatech) found a memory-safety/soundness issue in this crate while scanning Rust code on crates.io for potential vulnerabilities.
Issue Description
rust-smallvec/src/lib.rs, lines 1009 to 1070 in 9cf1176

`insert_many()` overflows the buffer when an iterator yields more items than the lower bound of `size_hint()`.

The problem is in line 1044. `reserve(n)` reserves capacity for `n` more elements to be inserted. This is done by comparing the length and the capacity. Since the length of the buffer is set to 0 in line 1032, line 1044 will always be a no-op and the following code will overflow the buffer.

Reproduction
Below is an example program that exhibits undefined behavior using safe APIs of `smallvec`.

Output:
Tested Environment
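The bookkeeping described in the issue, as an added safe-Rust model (not smallvec's code and not the reporter's reproduction program): it counts writes that would fall outside the capacity when `reserve` compares against a length that has been set to 0. `Model`, `UnderReport`, `insert_many_model` and the sample sizes are assumptions, and the `hide_len = false` branch is one possible correction in the model, not the change made in #254.

```rust
// Added model, not smallvec code: `Model`, `UnderReport` and
// `insert_many_model` are hypothetical names; no memory is touched.
struct Model { len: usize, cap: usize }

impl Model {
    // Grows only when cap - len < additional, so it trusts `len`.
    fn reserve(&mut self, additional: usize) {
        if self.cap - self.len < additional {
            self.cap = (self.len + additional).next_power_of_two();
        }
    }
}

// Constructed input: yields `self.0` items but reports a lower bound of 0,
// which the Iterator contract permits (size_hint is advisory).
struct UnderReport(usize);
impl Iterator for UnderReport {
    type Item = u32;
    fn next(&mut self) -> Option<u32> {
        if self.0 == 0 { return None; }
        self.0 -= 1;
        Some(0)
    }
    fn size_hint(&self) -> (usize, Option<usize>) { (0, None) }
}

// Returns how many writes would land at or beyond `cap`.
// hide_len = true models the length being set to 0 before the loop.
fn insert_many_model<I: Iterator>(cap: usize, old_len: usize, iter: I, hide_len: bool) -> usize {
    let mut m = Model { len: old_len, cap };
    let (lower, _) = iter.size_hint();
    m.reserve(lower);                 // up-front reservation from the hint
    let mut occupied = old_len;       // slots really in use
    if hide_len { m.len = 0; }
    let mut past_cap = 0;
    for (i, _) in iter.enumerate() {
        if i >= lower {               // item beyond the hinted lower bound
            if !hide_len { m.len = occupied; }
            m.reserve(1);             // no-op when m.len == 0 and cap >= 1
        }
        if occupied >= m.cap { past_cap += 1; }
        occupied += 1;
    }
    past_cap
}

fn main() {
    println!("hidden len, under-reporting iterator: {}", insert_many_model(4, 2, UnderReport(5), true));
    println!("real len, under-reporting iterator:   {}", insert_many_model(4, 2, UnderReport(5), false));
}
```

An iterator with an exact hint, such as `0..5u32`, produces no out-of-capacity writes in either mode, which matches the issue's statement that the overflow needs more items than the lower bound of `size_hint()`.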