Skip to content

Commit

Permalink
Add advisory for segmentation fault in fast-float and fast-float2 (#2192
Browse files Browse the repository at this point in the history 
)

* Add advisory for segmentation fault in fast-float

* Add advisory for segmentation fault in fast-float2

* Note that access is read-only and that a patch is available

* Same for fast-float2

---------

Co-authored-by: Sergey "Shnatsel" Davidoff <[email protected]>
  • Loading branch information
@nyw0102 @Shnatsel
nyw0102 and Shnatsel authored Jan 29, 2025
1 parent ffa2670 commit d728ab3
Show file tree
Hide file tree
Showing 2 changed files with 42 additions and 0 deletions.
22 changes: 22 additions & 0 deletions crates/fast-float/RUSTSEC-0000-0000.md
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,22 @@
```toml
[advisory]
id = "RUSTSEC-0000-0000"
package = "fast-float"
date = "2025-01-13"
url = "https://github.com/aldanor/fast-float-rust/issues/38"
categories = ["memory-exposure"]

[affected]
functions = { "fast_float::common::AsciiStr::first" = ["*"] }

[versions]
patched = []
```
# Segmentation fault due to lack of bound check
In this case, the "fast_float::common::AsciiStr::first" method within the "AsciiStr" struct
uses the unsafe keyword to reading from memory without performing bounds checking.
Specifically, it directly dereferences a pointer offset by "self.ptr".
Because of the above reason, the method accesses invalid memory address when it takes an empty string as its input.
This approach violates Rust’s memory safety guarantees, as it can lead to invalid memory access if empty buffer is provided.

No patched version for fast-float crate has been released, but a patch is available in the fast-float2 fork.
20 changes: 20 additions & 0 deletions crates/fast-float2/RUSTSEC-0000-0000.md
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,20 @@
```toml
[advisory]
id = "RUSTSEC-0000-0000"
package = "fast-float2"
date = "2025-01-13"
url = "https://github.com/aldanor/fast-float-rust/issues/38"
categories = ["memory-exposure"]

[affected]
functions = { "fast_float2::common::AsciiStr::first" = ["<0.2.2"] }

[versions]
patched = [">=0.2.2"]
```
# Segmentation fault due to lack of bound check
In this case, the "fast_float2::common::AsciiStr::first" method within the "AsciiStr" struct
uses the unsafe keyword to reading from memory without performing bounds checking.
Specifically, it directly dereferences a pointer offset by "self.ptr".
Because of the above reason, the method accesses invalid memory address when it takes an empty string as its input.
This approach violates Rust’s memory safety guarantees, as it can lead to invalid memory access if empty buffer is provided.

0 comments on commit d728ab3

Please sign in to comment.