CVE-2023-53156: transpose: Buffer overflow due to integer overflow
(updated )
Given the function transpose::transpose:
fn transpose<T: Copy>(input: &[T], output: &mut [T], input_width: usize, input_height: usize)
The safety check input_width * input_height == output.len() can fail due to input_width * input_height overflowing in such a way that it equals output.len().
As a result of failing the safety check, memory past the end of output is written to. This only occurs in release mode since * panics on overflow in debug mode.
Exploiting this issue requires the caller to pass input_width and input_height arguments such that multiplying them overflows, and the overflown result equals the lengths of input and output slices.
References
Code Behaviors & Features
Detect and mitigate CVE-2023-53156 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →