
ferris-says has undefined behavior when not using UTF-8

Low severity GitHub Reviewed Published Jan 17, 2024 to the GitHub Advisory Database • Updated Jan 17, 2024

Package

cargo ferris-says (Rust)

Affected versions

>= 0.1.2, <= 0.2.1
>= 0.3.0, < 0.3.1

Patched versions

0.3.1

Description

Affected versions receive a &[u8] from the caller through a safe API, and pass it directly to the unsafe str::from_utf8_unchecked function.

The behavior of ferris_says::say is undefined if the bytes from the caller don't happen to be valid UTF-8.

The flaw was corrected in ferris-says#21 by using the safe str::from_utf8 instead and returning an error on invalid input. However, this fix has not yet been published to crates.io as a patch version for 0.2.

Separately, ferris-says#32 has introduced a different API for version 0.3 which accepts input as &str rather than &[u8], and so is unaffected by this bug.
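The flawed pattern described above, shown next to the corrected form, as an added example that is not ferris-says' own code: `say_unchecked` mirrors the safe-signature-over-`from_utf8_unchecked` bug and is never called, while `say_checked` validates with `str::from_utf8` and returns the error. The `render` and `wrap` helpers are hypothetical stand-ins for the crate's speech-bubble output.

```rust
use std::str::{self, Utf8Error};

// Mirrors the affected versions: a safe signature that trusts the caller's
// bytes. Calling this with non-UTF-8 input is undefined behavior, so it is
// never invoked here; it exists only for contrast with the corrected form.
#[allow(dead_code)]
pub fn say_unchecked(input: &[u8], width: usize) -> String {
    // No validation: the caller may pass arbitrary bytes.
    let text = unsafe { str::from_utf8_unchecked(input) };
    render(text, width)
}

// Corrected pattern: validate first and surface the error to the caller.
pub fn say_checked(input: &[u8], width: usize) -> Result<String, Utf8Error> {
    let text = str::from_utf8(input)?;
    Ok(render(text, width))
}

// Hypothetical bubble renderer standing in for the crate's real output.
fn render(text: &str, width: usize) -> String {
    let border = "-".repeat(width + 2);
    let mut out = format!(" {}\n", border);
    for line in wrap(text, width) {
        // Format width counts chars, so multi-byte UTF-8 pads correctly.
        out.push_str(&format!("| {:<w$} |\n", line, w = width));
    }
    out.push_str(&format!(" {}\n", border));
    out
}

// Greedy word wrap measured in chars rather than bytes.
pub fn wrap(text: &str, width: usize) -> Vec<String> {
    let mut lines = Vec::new();
    let mut cur = String::new();
    for word in text.split_whitespace() {
        if !cur.is_empty() && cur.chars().count() + 1 + word.chars().count() > width {
            lines.push(std::mem::take(&mut cur));
        }
        if !cur.is_empty() {
            cur.push(' ');
        }
        cur.push_str(word);
    }
    if !cur.is_empty() {
        lines.push(cur);
    }
    lines
}

fn main() {
    println!("{}", say_checked(b"Hello fellow Rustaceans!", 12).unwrap());
    // Constructed invalid input: 0xFF can never begin a UTF-8 sequence.
    let bad = [b'H', b'i', 0xFF, 0xFE];
    assert!(say_checked(&bad, 12).is_err());
}
```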

References

Published to the GitHub Advisory Database Jan 17, 2024
Reviewed Jan 17, 2024
Last updated Jan 17, 2024

Severity

Low

Weaknesses

No CWEs

CVE ID

No known CVE

GHSA ID

GHSA-v363-rrf2-5fmj

Source code
