report unsoundness of lmdb-rs (#1724)

* report unsoundness of lmdb-rs * report unsoundness of lmdb-rs
2026-01-07 04:01:35 +01:00 · 2023-07-18 12:36:20 -04:00
parent 1d12a1c2e3
commit 782315865b
1 changed files with 15 additions and 0 deletions
--- a/crates/lmdb-rs/RUSTSEC-0000-0000.md
+++ b/crates/lmdb-rs/RUSTSEC-0000-0000.md
@@ -0,0 +1,15 @@
+```toml
+[advisory]
+id = "RUSTSEC-0000-0000"
+package = "lmdb-rs"
+date = "2023-06-26"
+informational = "unsound"
+url = "https://github.com/vhbit/lmdb-rs/issues/67"
+keywords = ["unsound"]
+
+[versions]
+patched = []
+```
+
+# impl `FromMdbValue` for bool is unsound
+The implementation of `FromMdbValue` have several unsoundness issues. First of all, it allows to reinterpret arbitrary bytes as a bool and could make undefined behavior happen with safe function. Secondly, it allows transmuting pointer without taking memory layout into consideration. The details of reproducing the bug were included in url above.