Skip to content
New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

#

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Jump to bottom

DecompressScanlines::read_scanlines is unsound #10

Closed
HeroicKatora opened this issue Jul 3, 2020 · 2 comments
Closed

DecompressScanlines::read_scanlines is unsound #10

HeroicKatora opened this issue Jul 3, 2020 · 2 comments

Comments

@HeroicKatora
Copy link

HeroicKatora commented Jul 3, 2020
edited
Loading

https://docs.rs/mozjpeg/0.8.17/mozjpeg/decompress/struct.DecompressStarted.html#method.read_scanlines

This method will write arbitrary, user controlled bytes into a slice of T: Copy. This can lead to invalid instances of T to be returned. Same reason as rgb but without the 'static bound so a little different. This can be used to decode scanlines into a Vec<&'static u8> or something along those lines and dereference some arbitrary memory with a crafted input file. No writable variant this time.
@Shnatsel Shnatsel mentioned this issue Jul 3, 2020
Closed
5 tasks
@kornelski
Copy link
Member

kornelski commented Jul 5, 2020
edited
Loading

Thanks. It's going to be plain crate again. I'm waiting for randomites/plain#6 because I've noticed that crate has a big omission in impls.

kornelski added a commit that referenced this issue Jul 6, 2020
@kornelski
Use safe pixel types
9762393 
#10
@kornelski
Copy link
Member

Fixed in 0.8.19

@pinkforest pinkforest mentioned this issue Aug 27, 2022
Merged
# for free to join this conversation on GitHub. Already have an account? # to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@kornelski @HeroicKatora