mirror of
https://github.com/rustsec/advisory-db.git
synced 2025-12-27 01:54:07 -05:00
1.7 KiB
[advisory]
id = "RUSTSEC-2023-0055"
package = "lexical"
date = "2023-09-03"
informational = "unsound"
references = ["https://github.com/Alexhuszagh/rust-lexical/issues/102", "https://github.com/Alexhuszagh/rust-lexical/issues/101", "https://github.com/Alexhuszagh/rust-lexical/issues/95", "https://github.com/Alexhuszagh/rust-lexical/issues/104"]
aliases = ["GHSA-c2hm-mjxv-89r4"]
[versions]
patched = [">= 7.0.0"]
Multiple soundness issues
lexical contains multiple soundness issues:
- Bytes::read() allows creating instances of types with invalid bit patterns
- BytesIter::read() advances iterators out of bounds
- The BytesIter trait has safety invariants but is public and not marked unsafe
- write_float() calls MaybeUninit::assume_init() on uninitialized data, which is not allowed by the Rust abstract machine
The crate also has some correctness issues.
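An added example of how the three unsafe-API issues above are closed in a small byte cursor: an unsafe marker trait restricts which types may be read from raw bytes, reads and advances are bounds-checked, and a writer into uninitialized stack memory only assumes initialization for the bytes it wrote. This is illustrative code, not lexical's source or the fix shipped in 7.0.0; the names AnyBitPattern, ByteCursor and format_u32 are assumptions.

```rust
use std::mem::{size_of, MaybeUninit};

/// Marker for types in which every bit pattern is a valid value. The trait is
/// `unsafe` because an implementation is a promise the compiler relies on; a
/// safe `pub` trait carrying the same invariant lets downstream safe code break it.
pub unsafe trait AnyBitPattern: Copy {}
unsafe impl AnyBitPattern for u8 {}
unsafe impl AnyBitPattern for u32 {}
// No impl for `bool` (only 0 and 1 are valid): read::<bool>() fails to compile rather than being UB.

pub struct ByteCursor<'a> { buf: &'a [u8], pos: usize }

impl<'a> ByteCursor<'a> {
    pub fn new(buf: &'a [u8]) -> Self { ByteCursor { buf, pos: 0 } }

    /// Bounds-checked read of a T: returns None instead of reading past the buffer.
    pub fn read<T: AnyBitPattern>(&self) -> Option<T> {
        let end = self.pos.checked_add(size_of::<T>())?;
        let bytes = self.buf.get(self.pos..end)?;
        // SAFETY: `bytes` holds exactly size_of::<T>() initialized bytes, T: AnyBitPattern
        // makes any of their values valid, and read_unaligned tolerates any alignment.
        Some(unsafe { std::ptr::read_unaligned(bytes.as_ptr() as *const T) })
    }

    /// Advance by at most the bytes that remain, so the cursor can never leave the buffer.
    pub fn advance(&mut self, n: usize) -> usize {
        let step = n.min(self.remaining());
        self.pos += step;
        step
    }

    pub fn remaining(&self) -> usize { self.buf.len() - self.pos }
}

/// Formats `v` into an uninitialized stack buffer, as a number writer would,
/// and treats only the bytes it actually wrote as initialized.
pub fn format_u32(v: u32) -> String {
    let mut buf = [MaybeUninit::<u8>::uninit(); 10]; // u32::MAX has 10 digits
    let mut i = buf.len();
    let mut x = v;
    loop {
        i -= 1;
        buf[i].write(b'0' + (x % 10) as u8); // MaybeUninit::write initializes this slot
        x /= 10;
        if x == 0 { break; }
    }
    // Only buf[i..] was written; assume_init() over the whole array would be UB.
    let digits: Vec<u8> = buf[i..].iter().map(|b| unsafe { b.assume_init() }).collect();
    String::from_utf8(digits).expect("ASCII digits")
}
```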
Alternatives
For quickly parsing floating-point numbers, third-party crates are no longer needed. A fast float parsing algorithm by the author of lexical has been merged into libcore.
For quickly parsing integers, consider the atoi and btoi crates (100% safe code). atoi_radix10 provides even faster parsing, but only with -C target-cpu=native, and at the cost of some unsafe.
For formatting integers in a #[no_std] context, consider the numtoa crate.
For working with big numbers consider num-bigint and num-traits.