x/vulndb: potential Go vuln in github.com/crossbeam-rs/crossbeam: CVE-2020-15254 #2284
Labels
excluded: LEGACY_FALSE_POSITIVE
(DO NOT USE) Vulnerability marked as false positive before we introduced the triage process
CVE-2020-15254 references github.com/crossbeam-rs/crossbeam, which may be a Go module.
Description:
Crossbeam is a set of tools for concurrent programming. In crossbeam-channel before version 0.4.4, the bounded channel incorrectly assumes that
Vec::from_iter
has allocated capacity that same as the number of iterator elements.Vec::from_iter
does not actually guarantee that and may allocate extra memory. The destructor of thebounded
channel reconstructsVec
from the raw pointer based on the incorrect assumes described above. This is unsound and causing deallocation with the incorrect capacity whenVec::from_iter
has allocated different sizes with the number of iterator elements. This has been fixed in crossbeam-channel 0.4.4.References:
Cross references:
See doc/triage.md for instructions on how to triage this report.
The text was updated successfully, but these errors were encountered: