Code reviews of the Grcov crate // Lib.rs

RUSTSEC-2025-0005 on 2025-01-13: Out of bounds write triggered by crafted coverage data

Function grcov::covdir::get_coverage uses the unsafe function get_unchecked_mut without validating that the index is in bounds.

This results in memory corruption, and could potentially allow arbitrary code execution provided that an attacker can feed the tool crafted coverage data.

This crate has no reviews yet. To add a review, set up your cargo-crev.

Lib.rs has been able to verify that all files in the crate's tarball are in the crate's repository with a git tag matching the version. Please note that this check is still in beta, and absence of this confirmation does not mean that the files don't match.

Crates in the crates.io registry are tarball snapshots uploaded by crates' publishers. The registry is not using crates' git repositories, so there is a possibility that published crates have a misleading repository URL, or contain different code from the code in the repository.

To review the actual code of the crate, it's best to use cargo crev open grcov. Alternatively, you can download the tarball of grcov v0.8.20 or view the source online.