Headline
GHSA-5gmm-6m36-r7jh: transpose: Buffer overflow due to integer overflow
Given the function transpose::transpose:
fn transpose<T: Copy>(input: &[T], output: &mut [T], input_width: usize, input_height: usize)
The safety check input_width * input_height == output.len() can fail due to input_width * input_height overflowing in such a way that it equals output.len().
As a result of failing the safety check, memory past the end of output is written to. This only occurs in release mode since * panics on overflow in debug mode.
Exploiting this issue requires the caller to pass input_width and input_height arguments such that multiplying them overflows, and the overflown result equals the lengths of input and output slices.
Given the function transpose::transpose:
fn transpose<T: Copy>(input: &[T], output: &mut [T], input_width: usize, input_height: usize)
The safety check input_width * input_height == output.len() can fail due to input_width * input_height overflowing in such a way that it equals output.len().
As a result of failing the safety check, memory past the end of output is written to. This only occurs in release mode since * panics on overflow in debug mode.
Exploiting this issue requires the caller to pass input_width and input_height arguments such that multiplying them overflows, and the overflown result equals the lengths of input and output slices.
References
- ejmahler/transpose#11
- ejmahler/transpose@c4bcd39
- https://rustsec.org/advisories/RUSTSEC-2023-0080.html