RUSTSEC-2024-0426 (unsound) on 2024-12-19: Unsound usages of u8 type casting

The library provides a safe public API unpack to cast u8 array to arbitrary types, which can cause to undefined behaviors. The length check of array can only prevent out-of-bound access on the return type. However, it can't prevent misaligned pointer when casting u8 pointer to a type aligned to larger bytes. For example, if we assign u16 to T, misaligned raw pointer dereference could happen and cause to panic. Even if we pass the type aligned to same byte as u8 (e.g., bool), it could construct a illegal type since bool can only have 0 or 1 as bit patterns, which is also an undefined behavior. The further exploits of the bug here are still not clear, so we would report this issue as unsound.

The details of PoC to reproduce undefined behavior are provided in the issue.

This crate has no reviews yet. To add a review, set up your cargo-crev.


Crates in the crates.io registry are tarball snapshots uploaded by crates' publishers. The registry is not using crates' git repositories. There is absolutely no guarantee that the repository URL declared by the crate belongs to the crate, or that the code in the repository is the code inside the published tarball.

To review the actual code of the crate, it's best to use cargo crev open spl-token-swap. Alternatively, you can download the tarball of spl-token-swap v3.0.0 or view the source online.