Merge pull request #259 from eduardosm/flatbuffers

Add advisory for flatbuffers
2026-01-02 09:36:40 +01:00 · 2020-04-14 07:39:49 -07:00
parent eaa3243b39 4399b9e310
commit 893cf52c6c
1 changed files with 32 additions and 0 deletions
--- a/crates/flatbuffers/RUSTSEC-0000-0000.toml
+++ b/crates/flatbuffers/RUSTSEC-0000-0000.toml
@@ -0,0 +1,32 @@
+[advisory]
+id = "RUSTSEC-0000-0000"
+package = "flatbuffers"
+date = "2020-04-11"
+title = "`read_scalar` and `read_scalar_at` allow transmuting values without `unsafe` blocks"
+url = "https://github.com/google/flatbuffers/issues/5825"
+description = """
+The `read_scalar` and `read_scalar_at` functions are unsound
+because they allow transmuting values without `unsafe` blocks.
+
+The following example shows how to create a dangling reference:
+
+```
+fn main() {
+    #[derive(Copy, Clone, PartialEq, Debug)]
+    struct S(&'static str);
+    impl flatbuffers::EndianScalar for S {
+        fn to_little_endian(self) -> Self { self }
+        fn from_little_endian(self) -> Self { self }
+    }
+    println!("{:?}", flatbuffers::read_scalar::<S>(&[1; std::mem::size_of::<S>()]));
+}
+```
+"""
+
+[affected.functions]
+"flatbuffers::read_scalar" = [">= 0.4.0"]
+"flatbuffers::read_scalar_at" = [">= 0.4.0"]
+
+[versions]
+patched = []
+unaffected = ["< 0.4.0"]