Buffer overflow due to integer overflow

[caibear]

[dependencies]
transpose = "0.2.2"

fn main() {
    let input = [0];
    let mut output = input;
    let width = (1 << (usize::BITS - 1)) + 1;
    let height = width;
    transpose::transpose(&input, &mut output, width, height);
}

This panics on integer overflow in debug mode but results in a segmentation fault in release mode since overflows checks are off.

Current safety checks (fail on integer overflow):

assert_eq!(input_width*input_height, input.len());
assert_eq!(input_width*input_height, output.len());

Possible new safety checks (catch integer overflow):

let area = input_width.checked_mul(input_height).expect("area overflow");
assert_eq!(area, input.len());
assert_eq!(area, output.len());

Also transpose_inplace uses similar checks but doesn't have any unsafe.

[Shnatsel]

Heads up: this issue has been included in the RustSec advisory database. It will be surfaced by tools such as cargo-audit or Dependabot from now on.

Once a fix is released to crates.io, please open a pull request to update the advisory with the patched version, or file an issue on the advisory database repository.

[torokati44]

As a result, this now soft-fails our CI over here: https://github.com/ruffle-rs/ruffle/actions/runs/7958150609/job/21722385471

Can we expect a fix for this in the near future? Would a PR with the fix suggested above help?

[ejmahler]

Thanks for reporting. The inline version doesn't use unsafe, but I replaced the raw multiplication with a checked multiplication there too.

[Shnatsel]

Thank you!

Please let me know once the fix is published to crates.io, and I'll update the security advisory with the fixed version.

[ejmahler]

https://crates.io/crates/transpose/0.2.3

Thanks to @caibear for reporting, thanks to @torokati44 and @Shnatsel for notifying me of impacts/consequences of the bug.

[Shnatsel]

Added patched version to the advisory in rustsec/advisory-db#1897. Thanks!