Description
This issue was previously reported privately and is now being disclosed following coordination with maintainers.
repeat_slice_n_times() computes repeated byte length using unchecked arithmetic.
When the multiplication overflows, capacity checks may be bypassed, leading to insufficient allocation.
This can result in a potential out-of-bounds write via safe Rust APIs.
Fix
See PR #9819
Reported by Sungjin Kim (@ksj1230)
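The arithmetic failure described above, as an added example that is not the project's code or the patch in PR #9819. All function and type names here are hypothetical, `wrapping_mul` stands in for how an unchecked `*` behaves in a release build, and the inputs are constructed.

```rust
// Added illustration; names are hypothetical stand-ins, not the project's code.
#[derive(Debug, PartialEq)]
enum RepeatError {
    LengthOverflow,
    AllocFailed,
}

/// Models unchecked `slice_len * n` in a release build, where overflow wraps.
fn wrapped_len(slice_len: usize, n: usize) -> usize {
    slice_len.wrapping_mul(n)
}

/// A capacity check fed the wrapped length reports "fits" even when it cannot.
fn naive_fits(capacity: usize, used: usize, slice_len: usize, n: usize) -> bool {
    used.wrapping_add(wrapped_len(slice_len, n)) <= capacity
}

/// Hardened form: every size computation is checked before allocating or writing.
fn repeat_checked(buf: &mut Vec<u8>, slice: &[u8], n: usize) -> Result<(), RepeatError> {
    let extra = slice.len().checked_mul(n).ok_or(RepeatError::LengthOverflow)?;
    if extra == 0 {
        return Ok(()); // empty slice or n == 0: nothing to write, skip the loop
    }
    buf.len().checked_add(extra).ok_or(RepeatError::LengthOverflow)?;
    buf.try_reserve(extra).map_err(|_| RepeatError::AllocFailed)?;
    for _ in 0..n {
        buf.extend_from_slice(slice);
    }
    Ok(())
}

fn main() {
    let n = usize::MAX / 2 + 1; // constructed input: 2 * n overflows usize
    println!("wrapped length: {}", wrapped_len(2, n));
    println!("naive check passes: {}", naive_fits(16, 0, 2, n));
    let mut buf = Vec::new();
    println!("checked, huge n: {:?}", repeat_checked(&mut buf, b"ab", n));
    let small = repeat_checked(&mut buf, b"ab", 3);
    println!("checked, n = 3: {:?} -> {:?}", small, buf);
}
```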