{"id":"RUSTSEC-2021-0003","summary":"Buffer overflow in SmallVec::insert_many","details":"A bug in the `SmallVec::insert_many` method caused it to allocate a buffer that was smaller than needed.  It then wrote past the end of the buffer, causing a buffer overflow and memory corruption on the heap.\n\nThis bug was only triggered if the iterator passed to `insert_many` yielded more items than the lower bound returned from its `size_hint` method.\n \nThe flaw was corrected in smallvec 0.6.14 and 1.6.1, by ensuring that additional space is always reserved for each item inserted.  The fix also simplified the implementation of `insert_many` to use less unsafe code, so it is easier to verify its correctness.\n\nThank you to Yechan Bae (@Qwaz) and the Rust group at Georgia Tech’s SSLab for finding and reporting this bug.","aliases":["CVE-2021-25900","GHSA-43w2-9j62-hq99"],"modified":"2023-11-01T04:54:46.749400Z","published":"2021-01-08T12:00:00Z","database_specific":{"license":"CC0-1.0"},"references":[{"type":"PACKAGE","url":"https://crates.io/crates/smallvec"},{"type":"ADVISORY","url":"https://rustsec.org/advisories/RUSTSEC-2021-0003.html"},{"type":"REPORT","url":"https://github.com/servo/rust-smallvec/issues/252"}],"affected":[{"package":{"name":"smallvec","ecosystem":"crates.io","purl":"pkg:cargo/smallvec"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0.6.3"},{"fixed":"0.6.14"},{"introduced":"1.0.0"},{"fixed":"1.6.1"}]}],"ecosystem_specific":{"affects":{"functions":["smallvec::SmallVec::insert_many"],"os":[],"arch":[]},"affected_functions":null},"database_specific":{"informational":null,"categories":["memory-corruption"],"cvss":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","source":"https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2021-0003.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}