CVE-2021-29941: Out of bounds write in reorder

August 25, 2021 (updated June 13, 2023)

swap_index takes an iterator and swaps the items with their corresponding indexes. It reserves capacity and sets the length of the vector based on the .len() method of the iterator.

If the len() returned by the iterator is larger than the actual number of elements yielded, then swap_index creates a vector containing uninitialized members. If the len() returned by the iterator is smaller than the actual number of members yielded, then swap_index can write out of bounds past its allocated vector.

As noted by the Rust documentation, len() and size_hint() are primarily meant for optimization and incorrect values from their implementations should not lead to memory safety violations.

References

Code Behaviors & Features

Detect and mitigate CVE-2021-29941 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →