Description
This issue was previously reported privately and is now being disclosed following coordination with maintainers.
BufferBuilder::reserve() computes self.len + additional without overflow checking. If additional is large enough for the sum to wrap, the wrapped value is smaller than self.len (and therefore not larger than the current capacity), so the capacity check passes and no reallocation happens, while the caller believes that additional bytes are now available. The resulting inconsistent internal state can lead to an out-of-bounds write reachable through safe Rust APIs.
append_n_zeroed() and advance() are also affected, as both call reserve() through extend_zeros().
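The following is an added example and is not code from arrow-rs: a toy buffer that models the unchecked len + additional pattern the advisory describes, next to a hardened version using checked_add. The struct, method names and growth policy are invented for illustration; wrapping_add stands in for a plain + in a release build, where overflow wraps silently (a debug build would panic instead).

```rust
// Added illustration, not arrow-rs code: a toy growable buffer whose reserve()
// computes `len + additional` the way the advisory describes, next to a
// hardened version using checked_add. Names and growth policy are made up.

/// Toy buffer: `len` bytes in use, `cap` bytes allocated.
#[derive(Debug)]
pub struct ToyBuffer {
    pub len: usize,
    pub cap: usize,
}

impl ToyBuffer {
    pub fn with_capacity(cap: usize) -> Self {
        ToyBuffer { len: 0, cap }
    }

    /// Vulnerable pattern. `wrapping_add` spells out what a plain `+` does in
    /// a release build (a debug build would panic on the overflow instead).
    /// Returns true if the buffer was grown.
    pub fn reserve_unchecked(&mut self, additional: usize) -> bool {
        let required = self.len.wrapping_add(additional);
        if required > self.cap {
            self.cap = required;
            return true;
        }
        // A wrapped sum is < len <= cap, so we land here without growing:
        // the caller now believes `additional` bytes are available.
        false
    }

    /// Hardened pattern: refuse a request whose size cannot be represented.
    pub fn reserve_checked(&mut self, additional: usize) -> Result<bool, &'static str> {
        let required = self
            .len
            .checked_add(additional)
            .ok_or("capacity overflow in reserve")?;
        if required > self.cap {
            self.cap = required;
            return Ok(true);
        }
        Ok(false)
    }

    /// Independent check: would writing `n` bytes at offset `len` run past
    /// `cap`? Uses checked arithmetic so it is not fooled by the wrap.
    pub fn write_would_overflow(&self, n: usize) -> bool {
        self.len.checked_add(n).map_or(true, |end| end > self.cap)
    }
}

/// Reproduces the advisory's scenario with the unchecked reserve and reports
/// (grew, cap afterwards, would a write of that size go out of bounds).
pub fn unchecked_scenario() -> (bool, usize, bool) {
    let mut buf = ToyBuffer::with_capacity(64);
    buf.len = 16;
    // 16 + usize::MAX wraps to 15, which is <= 64, so the check passes.
    let grew = buf.reserve_unchecked(usize::MAX);
    (grew, buf.cap, buf.write_would_overflow(usize::MAX))
}

/// The same request against the hardened reserve.
pub fn checked_scenario() -> Result<bool, &'static str> {
    let mut buf = ToyBuffer::with_capacity(64);
    buf.len = 16;
    buf.reserve_checked(usize::MAX)
}

fn main() {
    let (grew, cap, oob) = unchecked_scenario();
    println!(
        "unchecked: grew={} cap={} write_would_overflow={}",
        grew, cap, oob
    );
    println!("checked:   {:?}", checked_scenario());
}
```

The unchecked variant reports that it did not grow the buffer while a write of the requested size would still run past the allocation; the checked variant returns an error before any state is touched. The same checked_add discipline applies to every caller that derives a new length from len plus an untrusted count.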
Fix
See PR #9820
Reported by Sungjin Kim (@ksj1230)