Deserialization functions pass uninitialized memory to user-provided Read · GHSA-m325-rxjv-pwph · GitHub Advisory Database · GitHub

Deserialization functions pass uninitialized memory to user-provided Read

High severity GitHub Reviewed Published Jun 17, 2022 to the GitHub Advisory Database • Updated Jun 13, 2023

Package

messagepack-rs (Rust)

Affected versions

<= 0.8.1

Patched versions

None

Description

Affected versions of this crate passed an uninitialized buffer to a
user-provided Read instance in:

deserialize_binary
deserialize_string
deserialize_extension_others
deserialize_string_primitive

This can result in safe Read implementations reading from the uninitialized
buffer leading to undefined behavior.

References

Published to the GitHub Advisory Database Jun 17, 2022

Reviewed Jun 17, 2022

Last updated Jun 13, 2023