RUSTSEC-2020-0037 (unsound) on 2020-08-31: Misbehaving HandleLike implementation can lead to memory safety violation

Unsafe code in ObjectPool has a time-of-check to time-of-use (TOCTOU) bug that can eventually lead to a memory safety violation. ObjectPool and HandlePool implicitly assume that HandleLike trait methods are pure, i.e., they always return the same value. However, this assumption is unsound since HandleLike is a safe, public trait that allows a custom implementation.

CVE-2020-35889

GHSA-m833-jv95-mfjh
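
The pattern behind RUSTSEC-2020-0037, as an added example that is not crayon's code: a handle method that is validated on one call and consulted again for the access, next to a form that reads it once and uses a bounds-checked accessor. The trait here is a simplified stand-in for HandleLike, and `Flaky`, `Pool`, `check_then_use` and `get` are hypothetical names.

```rust
use std::cell::Cell;

// Simplified stand-in for a safe, public handle trait (assumption; not crayon's definition).
pub trait HandleLike {
    fn index(&self) -> usize;
}

// Constructed misbehaving handle: safe code, yet every call reports a different slot.
pub struct Flaky(pub Cell<usize>);

impl HandleLike for Flaky {
    fn index(&self) -> usize {
        let i = self.0.get();
        self.0.set(i + 100);
        i
    }
}

pub struct Pool<T> {
    pub slots: Vec<T>,
}

impl<T> Pool<T> {
    // Flawed shape: one call is validated, a second call supplies the index used.
    // Returns (checked, used) so the mismatch is visible without any unsafe access;
    // in unsafe code the second value would reach an unchecked read.
    pub fn check_then_use<H: HandleLike>(&self, h: &H) -> Option<(usize, usize)> {
        let checked = h.index();
        if checked >= self.slots.len() {
            return None;
        }
        Some((checked, h.index()))
    }

    // Hardened shape: read the index once, then let the bounds-checked accessor decide.
    pub fn get<H: HandleLike>(&self, h: &H) -> Option<&T> {
        let i = h.index();
        self.slots.get(i)
    }
}

fn main() {
    let pool = Pool { slots: vec![10, 20, 30] };
    println!("{:?}", pool.check_then_use(&Flaky(Cell::new(1))));
    let h = Flaky(Cell::new(1));
    println!("{:?} {:?}", pool.get(&h), pool.get(&h));
}
```

Unsafe code that takes a generic parameter bounded by a safe trait cannot rely on that trait's methods being pure; the alternatives are to treat every returned value as untrusted at the point of use, or to make the trait `unsafe` or sealed so the guarantee becomes part of its contract.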

RUSTSEC-2024-0018 on 2024-02-27: ObjectPool creates uninitialized memory when freeing objects

As of version 0.6.0, the ObjectPool explicitly creates an uninitialized instance of its type parameter when it attempts to free an object, and swaps it into the storage. This causes instant undefined behavior due to reading the uninitialized memory in order to write it to the pool storage.

Extremely basic usage of the crate can trigger this issue, e.g. this code from a doctest:

use crayon::prelude::*;
application::oneshot().unwrap();

let mut params = MeshParams::default();

let mesh = video::create_mesh(params, None).unwrap();

// Deletes the mesh object.
video::delete_mesh(mesh); // <-- UB

The Clippy warning for this code was silenced in commit c2fde19caf6149d91faa504263f0bc5cafc35de5.

Discovered via https://asan.saethlin.dev/ub?crate=crayon&version=0.7.1

GHSA-xfhw-6mc4-mgxf

This crate has no reviews yet. To add a review, set up your cargo-crev.


Crates in the crates.io registry are tarball snapshots uploaded by crates' publishers. The registry is not using crates' git repositories. There is absolutely no guarantee that the repository URL declared by the crate belongs to the crate, or that the code in the repository is the code inside the published tarball.

To review the actual code of the crate, it's best to use cargo crev open crayon. Alternatively, you can download the tarball of crayon v0.7.1 or view the source online.