Multiple soundness issues in lexical

Low severity GitHub Reviewed Published Sep 4, 2023 to the GitHub Advisory Database • Updated Sep 16, 2024

Package

cargo lexical (Rust)

Affected versions

<= 6.1.1

Patched versions

7.0.0

Description

lexical contains multiple soundness issues:

  1. Bytes::read() allows creating instances of types with invalid bit patterns
  2. BytesIter::read() advances iterators out of bounds
  3. The BytesIter trait has safety invariants but is public and not marked unsafe
  4. write_float() calls MaybeUninit::assume_init() on uninitialized data, which is not allowed by the Rust abstract machine
  5. radix() calls MaybeUninit::assume_init() on uninitialized data, which is not allowed by the Rust abstract machine

The crate also has some correctness issues.

Alternatives

For quickly parsing floating-point numbers third-party crates are no longer needed. A fast float parsing algorithm by the author of lexical has been merged into libcore, so str::parse::<f32>() and str::parse::<f64>() from the standard library are now sufficient.

For quickly parsing integers, consider atoi and btoi crates (100% safe code). atoi_radix10 provides even faster parsing, but only with -C target-cpu=native, and at the cost of some unsafe.

For formatting integers in a #[no_std] context consider the numtoa crate.

For working with big numbers consider num-bigint and num-traits.
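The following is an added example, not code from the lexical crate or from this advisory. It shows the sound counterparts of the patterns listed in the description: a byte cursor whose read() returns None instead of advancing past the end of the buffer (issue 2) and only ever produces byte arrays, for which every bit pattern is valid (issue 1); an integer formatter that writes into a MaybeUninit buffer and exposes only the bytes it actually wrote, rather than calling assume_init() on uninitialized memory (issues 4 and 5); and float parsing through the standard library, as recommended under Alternatives. The names ByteCursor, write_u64 and parse_f64 are hypothetical and the sample inputs are constructed for this example.

```rust
use std::convert::TryInto;
use std::mem::MaybeUninit;

/// Bounds-checked cursor over a byte slice. Hypothetical type for this example.
/// `read` never moves `pos` past `buf.len()`: a short read returns `None`
/// and leaves the cursor where it was.
struct ByteCursor<'a> {
    buf: &'a [u8],
    pos: usize,
}

impl<'a> ByteCursor<'a> {
    fn new(buf: &'a [u8]) -> Self {
        ByteCursor { buf, pos: 0 }
    }

    /// Read exactly N bytes. Only `[u8; N]` is ever produced, so no value
    /// with an invalid bit pattern (e.g. a `bool` of 2) can be created.
    fn read<const N: usize>(&mut self) -> Option<[u8; N]> {
        let end = self.pos.checked_add(N)?;
        let chunk: [u8; N] = self.buf.get(self.pos..end)?.try_into().ok()?;
        self.pos = end;
        Some(chunk)
    }

    /// Typed reads go through `from_le_bytes`, which is defined for every
    /// bit pattern, instead of transmuting the bytes.
    fn read_u32_le(&mut self) -> Option<u32> {
        self.read::<4>().map(u32::from_le_bytes)
    }
}

/// Format an unsigned integer into a caller-provided `MaybeUninit` buffer
/// (20 bytes covers `u64::MAX`). Hypothetical function for this example.
/// The digits are written from the end; only `out[i..]`, which has been
/// written, is ever viewed as initialized. The prefix `out[..i]` stays
/// untouched and is never read, so no uninitialized byte is assumed init.
fn write_u64(mut n: u64, out: &mut [MaybeUninit<u8>; 20]) -> &str {
    let mut i = out.len();
    loop {
        i -= 1;
        out[i].write(b'0' + (n % 10) as u8);
        n /= 10;
        if n == 0 {
            break;
        }
    }
    // SAFETY: every element of out[i..] was initialized by `write` above,
    // and MaybeUninit<u8> has the same layout as u8.
    let written: &[u8] = unsafe {
        std::slice::from_raw_parts(out[i..].as_ptr() as *const u8, out.len() - i)
    };
    // Only ASCII digits were written, so this cannot fail.
    std::str::from_utf8(written).unwrap()
}

/// Parse a float field from raw bytes using libcore's parser (no third-party
/// crate needed). Non-UTF-8 or malformed input yields `None` rather than
/// a garbage value. Hypothetical function for this example.
fn parse_f64(field: &[u8]) -> Option<f64> {
    std::str::from_utf8(field).ok()?.trim().parse::<f64>().ok()
}

fn main() {
    // Constructed sample input: five bytes, so a 4-byte read followed by a
    // 2-byte read must fail on the second read without advancing.
    let mut cur = ByteCursor::new(b"\x01\x02\x03\x04\x05");
    let first = cur.read::<4>();
    let second = cur.read::<2>();
    let third = cur.read::<1>();
    println!("{:?} {:?} {:?}", first, second, third);

    let mut buf = [MaybeUninit::<u8>::uninit(); 20];
    println!("{}", write_u64(u64::MAX, &mut buf));

    println!("{:?} {:?}", parse_f64(b" 1e-3 "), parse_f64(b"abc"));
}
```

Under Miri, the advisory's pattern (`MaybeUninit::uninit().assume_init()` on a buffer that is then partially written) is reported as undefined behaviour even when the program appears to run correctly; the formatter above passes Miri because the uninitialized prefix is never read or assumed initialized.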

Published to the GitHub Advisory Database Sep 4, 2023
Reviewed Sep 4, 2023
Last updated Sep 16, 2024

Severity

Low

Weaknesses

No CWEs

CVE ID

No known CVE

GHSA ID

GHSA-c2hm-mjxv-89r4