
Invalid use of `mem::uninitialized` causes `use-of-uninitialized-value`

Moderate severity GitHub Reviewed Published Nov 8, 2022 to the GitHub Advisory Database • Updated Aug 25, 2023

Package

cargo lzf (Rust)

Affected versions

< 0.3.2

Patched versions

0.3.2

Description

The compression and decompression functions used `mem::uninitialized` to create a fixed-size array of uninitialized values and only later wrote output into it. Bytes of that array that were never written were subsequently read back, which is a read from uninitialized memory (the `use-of-uninitialized-value` MemorySanitizer finding in the title). Creating such a value with `mem::uninitialized` is itself unsound, which is why the function has been deprecated in favour of `MaybeUninit`.

The flaw was corrected in commit b633bf265e41c60dfce3be7eac4e4dd5e18d06cf by switching to a heap-allocated Vec and removing the crate's use of `mem::uninitialized`. The fix was released in v0.3.2 and v1.0.0.

Subsequently, the crate was deprecated and its use is discouraged.
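The following is an added illustration of the bug class and of the fix strategy described above; it is constructed for this page and is not code from the lzf crate. A toy run-length encoder stands in for the compressor, `SCRATCH`, `rle_encode_uninit`, `rle_encode_vec`, `rle_encode_stack` and `rle_decode` are hypothetical names, and the sample inputs are constructed.

```rust
use std::mem::{self, MaybeUninit};

/// Capacity of the fixed scratch buffer (assumed size, not lzf's).
const SCRATCH: usize = 64;

/// The pattern the advisory describes, kept only for comparison. It is never
/// called: `mem::uninitialized` hands back uninitialized memory, the encoder
/// fills only a prefix, and the caller receives the whole array, so every
/// byte from `written` to SCRATCH is read without ever having been written.
#[allow(deprecated, dead_code)]
unsafe fn rle_encode_uninit(input: &[u8]) -> [u8; SCRATCH] {
    let mut buf: [u8; SCRATCH] = mem::uninitialized();
    let mut written = 0;
    let mut i = 0;
    while i < input.len() && written + 2 <= SCRATCH {
        let b = input[i];
        let mut run = 1usize;
        while i + run < input.len() && input[i + run] == b && run < 255 {
            run += 1;
        }
        buf[written] = run as u8;
        buf[written + 1] = b;
        written += 2;
        i += run;
    }
    buf // tail bytes are uninitialized
}

/// Fix in the spirit of the patch: a heap-allocated Vec whose length grows
/// only as bytes are pushed, so no unwritten byte is ever observable.
fn rle_encode_vec(input: &[u8]) -> Option<Vec<u8>> {
    let mut out = Vec::with_capacity(input.len() * 2);
    let mut i = 0;
    while i < input.len() {
        let b = input[i];
        let mut run = 1usize;
        while i + run < input.len() && input[i + run] == b && run < 255 {
            run += 1;
        }
        out.push(run as u8);
        out.push(b);
        i += run;
    }
    Some(out)
}

/// If a stack scratch buffer is really wanted, MaybeUninit makes the
/// initialised prefix explicit: only `written` elements are ever exposed,
/// and input that would overflow the buffer is rejected instead of truncated.
fn rle_encode_stack(input: &[u8]) -> Option<Vec<u8>> {
    // Sound: an array of MaybeUninit needs no initialisation itself.
    let mut buf: [MaybeUninit<u8>; SCRATCH] =
        unsafe { MaybeUninit::uninit().assume_init() };
    let mut written = 0usize;
    let mut i = 0;
    while i < input.len() {
        let b = input[i];
        let mut run = 1usize;
        while i + run < input.len() && input[i + run] == b && run < 255 {
            run += 1;
        }
        if written + 2 > SCRATCH {
            return None;
        }
        buf[written].write(run as u8);
        buf[written + 1].write(b);
        written += 2;
        i += run;
    }
    // SAFETY: exactly the first `written` elements were initialised above.
    let init = unsafe { std::slice::from_raw_parts(buf.as_ptr() as *const u8, written) };
    Some(init.to_vec())
}

/// Inverse of the toy encoder, used to round-trip the outputs.
fn rle_decode(enc: &[u8]) -> Vec<u8> {
    let mut out = Vec::new();
    for pair in enc.chunks_exact(2) {
        out.extend(std::iter::repeat(pair[1]).take(pair[0] as usize));
    }
    out
}

fn main() {
    let enc = rle_encode_vec(b"aaab").unwrap();
    println!("{:?} -> {:?}", enc, rle_decode(&enc));
}
```

Under MemorySanitizer or Miri the uninitialized variant is reported as soon as a caller inspects the tail of the returned array; the Vec and MaybeUninit variants have no unwritten byte to report.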

References

Published to the GitHub Advisory Database Nov 8, 2022
Reviewed Nov 8, 2022
Last updated Aug 25, 2023

Severity

Moderate

Weaknesses

No CWEs

CVE ID

No known CVE

GHSA ID

GHSA-5m39-wx2q-mxg3

Source code
