mirror of
https://github.com/OMGeeky/advisory-db.git
synced 2026-01-06 03:29:45 +01:00
28 lines
813 B
Markdown
28 lines
813 B
Markdown
```toml
|
|
[advisory]
|
|
id = "RUSTSEC-2021-0033"
|
|
package = "stack_dst"
|
|
aliases = ["CVE-2021-28034", "CVE-2021-28035"]
|
|
date = "2021-02-22"
|
|
url = "https://github.com/thepowersgang/stack_dst-rs/issues/5"
|
|
categories = ["memory-corruption"]
|
|
keywords = ["memory-safety", "double-free"]
|
|
|
|
[versions]
|
|
patched = [">= 0.6.1"]
|
|
|
|
[affected]
|
|
functions = { "stack_dst::StackA::push_cloned" = ["< 0.6.1"] }
|
|
```
|
|
|
|
# push_cloned can drop uninitialized memory or double free on panic
|
|
|
|
Affected versions of `stack_dst` used a `push_inner` function that increased
|
|
the internal length of the array and then called `val.clone()`.
|
|
|
|
If the `val.clone()` call panics, the stack could drop an already dropped
|
|
element or drop uninitialized memory.
|
|
|
|
This issue was fixed in `2a4d538` by increasing the length of the array after
|
|
elements are cloned.
|