Advisories for Cargo/Array-Macro package

2022

`array!` macro is unsound when its length is impure constant

Affected versions of this crate did substitute the array length provided by an user at compile-time multiple times. When an impure constant expression is passed as an array length (such as a result of an impure procedural macro), this can result in the initialization of an array with uninitialized types, which in turn can allow an attacker to execute arbitrary code. The flaw was corrected in commit d5b63f72 by making …

`array!` macro is unsound in presence of traits that implement methods it calls internally

Affected versions of this crate called some methods using auto-ref. The affected code looked like this. let mut arr = $crate::__core::mem::MaybeUninit::uninit(); let mut vec = $crate::__ArrayVec::<T>::new(arr.as_mut_ptr() as *mut T); In this case, the problem is that as_mut_ptr is a method of &mut MaybeUninit, not MaybeUninit. This made it possible for traits to hijack the method calls in order to cause unsoundness. trait AsMutPtr<T> { fn as_mut_ptr(&self) -> *mut T; } …