GHSA-h7h7-6mx3-r89v: Fyrox has unsound usages of `Vec::from_raw_parts`

February 14, 2025

The library provides a public safe API transmute_vec_as_bytes, which incorrectly assumes that any generic type T could have stable layout, causing to uninitialized memory exposure if the users pass any types with padding bytes as T and cast it to u8 pointer.

In the issue, we develop a PoC to show passing struct type to transmute_vec_as_bytes could lead to undefined behavior with Vec::from_raw_parts.

References

github.com/FyroxEngine/Fyrox
github.com/FyroxEngine/Fyrox/commit/474e3b01a884366cdb7d704f7456ef692e992232
github.com/FyroxEngine/Fyrox/issues/630
github.com/FyroxEngine/Fyrox/pull/662
github.com/advisories/GHSA-h7h7-6mx3-r89v
rustsec.org/advisories/RUSTSEC-2024-0435.html

Code Behaviors & Features

Detect and mitigate GHSA-h7h7-6mx3-r89v with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →