Closed caibear closed 6 months ago
Thank you!
I've taken the liberty of editing the advisory directly to fix the affected specification and add a line about the circumstances under which it is exploitable. Please let me know if I misunderstood anything.
@alex do you agree we should downgrade this to a warning with informational = "unsound"? I have a hard time imagining an attacker managing to get mismatching buffer lengths passed just by manipulating the inputs in a reasonable program.
I would not downgrade it -- since this is a general purpose utility crate, it can be used in many many places, and this really only requires particular data, it doesn't require you to have written particularly unlikely code.
I believe the size of the output buffer not matching the input buffer in a carefully crafted way would be caused by unlikely code, and not unlikely input data. But if you still disagree, then let me know and I'll merge it as is.
Personally I'd rather be conservative and not "hide" vulnerabilities that plausibly can occur without unusual code.
I haven't used this crate myself, so perhaps I'm not familiar with the idioms of how it's generally used, but it seems possible to me.
Actually the input and output buffers have to be the same size (or it will panic). The issue is that input_width * input_height can overflow causing data outside input to be copied to outside output.
I would change the circumstances to:
Exploiting this issue requires the caller to pass input_width and input_height in which multiplying them overflows and equals the length of input and output.
Ah, I see I misunderstood. Thank you for the clarification!
@alex I agree this is more serious than I thought, I'll keep it as a vulnerability advisory. Thanks!
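The condition caibear describes above (input_width * input_height wraps around and the wrapped product happens to equal the length of input and output) is easy to reproduce and easy to guard against. The following is an added example, not the crate's own code: naive_len_check models a length check that trusts the wrapped product, checked_dims is the guard that rejects it, and crafted_dims is a hypothetical helper that builds a dimension pair whose wrapped product equals a given length (wrapping_mul is used explicitly so the behaviour does not depend on debug vs. release overflow settings).

```rust
/// Outcome of validating image dimensions against the two buffers.
#[derive(Debug, PartialEq)]
pub enum DimError {
    /// width * height does not fit in usize.
    Overflow,
    /// Product fits but does not match one of the buffer lengths.
    LengthMismatch { expected: usize, input: usize, output: usize },
}

/// Model of the weak check: in a release build `width * height` wraps
/// silently, so a crafted pair passes as long as the wrapped product
/// equals both buffer lengths, even though the real pixel count is huge.
pub fn naive_len_check(width: usize, height: usize, input: &[u8], output: &[u8]) -> bool {
    let n = width.wrapping_mul(height);
    n == input.len() && n == output.len()
}

/// Hardened check: refuse any (width, height) whose product overflows,
/// then require the exact product to match both buffers.
pub fn checked_dims(width: usize, height: usize, input: &[u8], output: &[u8]) -> Result<usize, DimError> {
    let n = width.checked_mul(height).ok_or(DimError::Overflow)?;
    if n != input.len() || n != output.len() {
        return Err(DimError::LengthMismatch { expected: n, input: input.len(), output: output.len() });
    }
    Ok(n)
}

/// Hypothetical helper (constructed for this example): for an even `len`,
/// returns (width, height) with width * height == 2^BITS + len, so the
/// true product overflows but the wrapped product is exactly `len`.
pub fn crafted_dims(len: usize) -> (usize, usize) {
    assert!(len % 2 == 0, "this construction needs an even length");
    let width = (1usize << (usize::BITS - 1)) + len / 2;
    (width, 2)
}

fn main() {
    let input = [0u8; 16]; // constructed sample buffers
    let output = [0u8; 16];
    let (w, h) = crafted_dims(input.len());
    println!("naive check accepts crafted dims: {}", naive_len_check(w, h, &input, &output));
    println!("checked_dims result: {:?}", checked_dims(w, h, &input, &output));
    println!("honest 4x4 image: {:?}", checked_dims(4, 4, &input, &output));
}
```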