Add non-informational crayon advisory (#1900)

* Add second crayon advisory The crate already has an informational advisory, and this is clearly a separate issue despite affecting the same code. * Adjust language to not imply intent w/ clippy The warning silence was in a big pile of other changes and not necessarily done with intent to hide the issue.
2026-01-05 11:10:38 +01:00 · 2024-02-29 19:25:45 -08:00
parent 38776a740d
commit 2c791341a0
1 changed files with 40 additions and 0 deletions
--- a/crates/crayon/RUSTSEC-0000-0000.md
+++ b/crates/crayon/RUSTSEC-0000-0000.md
@@ -0,0 +1,40 @@
+```toml
+[advisory]
+id = "RUSTSEC-0000-0000"
+package = "crayon"
+date = "2024-02-27"
+url = "https://github.com/shawnscode/crayon/issues/109"
+categories = ["memory-corruption"]
+keywords = ["std::mem::uninitialized", "address-sanitizer"]
+
+[versions]
+patched = []
+unaffected = ["< 0.6.0"]
+[affected]
+functions = { "crayon::utils::object_pool::ObjectPool<H,T>::free" = [">=0.6.0"] }
+```
+
+# ObjectPool creates uninitialized memory when freeing objects
+
+As of version 0.6.0, the ObjectPool explicitly creates an uninitialized instance of its
+type parameter when it attempts to free an object, and swaps it into the storage. This
+causes instant undefined behavior due to reading the uninitialized memory in order to
+write it to the pool storage.
+
+Extremely basic usage of the crate can trigger this issue, e.g. this code from a doctest:
+
+```rust
+use crayon::prelude::*;
+application::oneshot().unwrap();
+
+let mut params = MeshParams::default();
+
+let mesh = video::create_mesh(params, None).unwrap();
+
+// Deletes the mesh object.
+video::delete_mesh(mesh); // <-- UB
+```
+
+The Clippy warning for this code was silenced in commit c2fde19caf6149d91faa504263f0bc5cafc35de5.
+
+Discovered via https://asan.saethlin.dev/ub?crate=crayon&version=0.7.1