GHSA-h5j3-crg5-8jqm: orx-pinned-vec has undefined behavior in index_of_ptr with empty slices

October 21, 2025

The safe function index_of_ptr causes undefined behavior when called with an empty slice.

The issue occurs in the line ptr.add(slice.len() - 1) which underflows when slice.len() is 0, creating a pointer with a massive offset. According to Rust’s safety rules, creating such a pointer causes immediate undefined behavior.

References

github.com/advisories/GHSA-h5j3-crg5-8jqm
github.com/orxfun/orx-pinned-vec
github.com/orxfun/orx-pinned-vec/commit/4a4007a1aaff25cd417853c76163883a7110e276
github.com/orxfun/orx-pinned-vec/issues/52
github.com/orxfun/orx-pinned-vec/pull/53
rustsec.org/advisories/RUSTSEC-2025-0106.html

Code Behaviors & Features

Detect and mitigate GHSA-h5j3-crg5-8jqm with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →