OMGeeky/advisory-db
1
0
Fork 0
mirror of https://github.com/OMGeeky/advisory-db.git synced 2026-01-22 19:35:23 +01:00
Code Issues Packages Projects Releases Wiki Activity
Files
01ac699fd5f58db3a0b0cabcf0e5ec596d8420d0
advisory-db/crates/smallvec/RUSTSEC-2021-0003.md
Yechan Bae b724f12a5b Update CVE numbers (#777) 
* Update CVE numbers

* Fix RUSTSEC-2020-0093

* Add another alias for async-h1 crate
2021-02-25 20:00:25 -05:00

28 lines
1.2 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

```toml
[advisory]
id = "RUSTSEC-2021-0003"
package = "smallvec"
aliases = ["CVE-2021-25900"]
date = "2021-01-08"
url = "https://github.com/servo/rust-smallvec/issues/252"
categories = ["memory-corruption"]
keywords = ["buffer-overflow", "heap-overflow", "unsound"]
[versions]
patched = [">= 0.6.14, < 1.0.0", ">= 1.6.1"]
unaffected = ["< 0.6.3"]
[affected]
functions = { "smallvec::SmallVec::insert_many" = [">= 0.6.3, < 0.6.14", ">= 1.0.0, < 1.6.1"] }
```
# Buffer overflow in SmallVec::insert_many
A bug in the `SmallVec::insert_many` method caused it to allocate a buffer that was smaller than needed. It then wrote past the end of the buffer, causing a buffer overflow and memory corruption on the heap.
This bug was only triggered if the iterator passed to `insert_many` yielded more items than the lower bound returned from its `size_hint` method.
The flaw was corrected in smallvec 0.6.14 and 1.6.1, by ensuring that additional space is always reserved for each item inserted. The fix also simplified the implementation of `insert_many` to use less unsafe code, so it is easier to verify its correctness.
Thank you to Yechan Bae (@Qwaz) and the Rust group at Georgia Techs SSLab for finding and reporting this bug.
Reference in New Issue View Git Blame Copy Permalink