
GHSA-5m39-wx2q-mxg3: Invalid use of `mem::uninitialized` causes `use-of-uninitialized-value`

November 8, 2022

The compression and decompression functions used `mem::uninitialized` to create an array of uninitialized values that was only written to later. This leads to reads from uninitialized memory.

The flaw was corrected in commit b633bf265e41c60dfce3be7eac4e4dd5e18d06cf by using a heap-allocated `Vec` and removing the use of `mem::uninitialized`. The fix was released in v0.3.2 and v1.0.0.
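As an added illustration (not code from lzf-rs), the toy run-length encoder below shows the two sound buffer disciplines a fix like this relies on: a zeroed heap `Vec` truncated to the bytes written, and a `MaybeUninit` spare-capacity path that only extends the length over bytes that were initialized. The function names `rle_encode_zeroed`, `rle_encode_spare` and `run_at` are hypothetical.

```rust
use std::mem::MaybeUninit;

// Length of the run of equal bytes starting at `pos`, capped at 255 so it fits one byte.
fn run_at(input: &[u8], pos: usize) -> usize {
    let byte = input[pos];
    input[pos..].iter().take(255).take_while(|&&b| b == byte).count()
}

// Approach matching the advisory's fix: a heap-allocated, fully initialized (zeroed)
// Vec sized to the worst case (2 output bytes per input byte), truncated afterwards.
// A bookkeeping slip in `written` can only expose zeros, never uninitialized memory.
pub fn rle_encode_zeroed(input: &[u8]) -> Vec<u8> {
    let mut out = vec![0u8; input.len() * 2];
    let (mut written, mut pos) = (0, 0);
    while pos < input.len() {
        let run = run_at(input, pos);
        out[written] = run as u8;
        out[written + 1] = input[pos];
        written += 2;
        pos += run;
    }
    out.truncate(written);
    out
}

// Sound way to skip the zeroing: write through MaybeUninit into the spare capacity,
// and only afterwards set the length to the initialized prefix. The advisory's bug is
// the reverse order (`mem::uninitialized()` for a whole array first, partial writes
// later), so bytes that were never written could be read back.
pub fn rle_encode_spare(input: &[u8]) -> Vec<u8> {
    let mut out: Vec<u8> = Vec::with_capacity(input.len() * 2);
    let (mut written, mut pos) = (0, 0);
    let spare: &mut [MaybeUninit<u8>] = out.spare_capacity_mut();
    while pos < input.len() {
        let run = run_at(input, pos);
        spare[written].write(run as u8);
        spare[written + 1].write(input[pos]);
        written += 2;
        pos += run;
    }
    // SAFETY: exactly `written` bytes of the spare capacity were initialized above,
    // and `written <= capacity` because the output is at most 2 * input.len() bytes.
    unsafe { out.set_len(written) };
    out
}
```

Running either encoder under Miri is the practical check: the `set_len`-after-write order passes, while a `set_len`-before-write or `mem::uninitialized` variant is flagged as a read of uninitialized memory.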

Subsequently, the crate was deprecated and its use is discouraged.

References

  • github.com/advisories/GHSA-5m39-wx2q-mxg3
  • github.com/badboy/lzf-rs
  • github.com/badboy/lzf-rs/commit/b633bf265e41c60dfce3be7eac4e4dd5e18d06cf
  • github.com/badboy/lzf-rs/issues/9
  • rustsec.org/advisories/RUSTSEC-2022-0067.html

Affected versions

All versions before 0.3.2

Fixed versions

  • 0.3.2

Solution

Upgrade to version 0.3.2 or above.

Source file

cargo/lzf/GHSA-5m39-wx2q-mxg3.yml

Page generated Wed, 14 May 2025 12:14:54 +0000.