Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-5gmm-6m36-r7jh. This link is maintained to preserve external references. Original Description The transpose crate before 0.2.3 for Rust allows an integer overflow via input_width and input_height arguments.
Given the function transpose::transpose: fn transpose<T: Copy>(input: &[T], output: &mut [T], input_width: usize, input_height: usize) The safety check input_width * input_height == output.len() can fail due to input_width * input_height overflowing in such a way that it equals output.len(). As a result of failing the safety check, memory past the end of output is written to. This only occurs in release mode since * panics on overflow in debug mode. …
Given the function transpose::transpose: fn transpose<T: Copy>(input: &[T], output: &mut [T], input_width: usize, input_height: usize) The safety check input_width * input_height == output.len() can fail due to input_width * input_height overflowing in such a way that it equals output.len(). As a result of failing the safety check, memory past the end of output is written to. This only occurs in release mode since * panics on overflow in debug mode. …