Fix Rust enum repr qualification #177
Conversation
Memory corruption is potentially a security issue. I've only skimmed the code, but it seems that a buffer overflow could happen because of incorrect in-memory representation of a field affecting the amount of memory to operate on. Please add this issue to the Rust security advisory database so people could check if they're running a vulnerable version and upgrade.
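The layout mismatch being discussed above, as an added illustration that is not part of this thread and not arrayfire's own code: a fieldless enum without a `#[repr]` attribute is laid out however the compiler likes (in practice the smallest integer that fits, one byte), while `#[repr(u32)]` pins it to the 4-byte integer a C API expects. When an array of the unqualified enum is handed to C as `unsigned*`, the C side reads four bytes per element from a buffer that only has one byte per element. The enum names, the `c_side_sum` stand-in for the C function, and the helper names are assumptions made for the example.

```rust
// Added example, not the project's code. Enum and function names are assumed.
use std::mem::size_of;

// No repr attribute: the compiler chooses the layout. For a fieldless enum with
// a handful of variants that is a single byte (assumption of the example,
// true on current rustc).
#[derive(Clone, Copy)]
#[allow(dead_code)]
enum UnqualifiedKind { A, B, C }

// #[repr(u32)]: the layout is guaranteed to be a 4-byte integer, which is what
// a C function declared as taking `const unsigned*` will read.
#[derive(Clone, Copy)]
#[repr(u32)]
#[allow(dead_code)]
enum QualifiedKind { A, B, C }

// Compile-time guard: the build fails if the FFI enum ever loses its repr.
const _: () = assert!(size_of::<QualifiedKind>() == size_of::<u32>());

/// Stand-in for the C side: receives a pointer to `n` unsigned ints and reads
/// 4 bytes per element, exactly as a C function with that signature would.
///
/// # Safety
/// `ptr` must point to at least `n` readable, initialized `u32` values.
unsafe fn c_side_sum(ptr: *const u32, n: usize) -> u64 {
    let mut acc = 0u64;
    for i in 0..n {
        // SAFETY: caller guarantees `n` readable u32 elements at `ptr`.
        acc += unsafe { *ptr.add(i) } as u64;
    }
    acc
}

/// Bytes the Rust caller actually owns for `n` elements versus bytes the C
/// side will read for the same `n`. A gap between the two is the overflow.
pub fn bytes_owned_vs_read(n: usize, qualified: bool) -> (usize, usize) {
    let elem = if qualified {
        size_of::<QualifiedKind>()
    } else {
        size_of::<UnqualifiedKind>()
    };
    (elem * n, size_of::<u32>() * n)
}

/// Sound call path: `QualifiedKind` has the same size and alignment as `u32`,
/// so a slice of it can be passed to the C-style function as `*const u32`.
pub fn sum_qualified(kinds: &[QualifiedKind]) -> u64 {
    // SAFETY: #[repr(u32)] makes each element exactly one u32 (checked above),
    // and the slice length bounds the read.
    unsafe { c_side_sum(kinds.as_ptr() as *const u32, kinds.len()) }
}

fn main() {
    println!("unqualified enum size: {}", size_of::<UnqualifiedKind>());
    println!("qualified enum size:   {}", size_of::<QualifiedKind>());
    println!("4 unqualified elems: owned/read = {:?}", bytes_owned_vs_read(4, false));
    println!("4 qualified elems:   owned/read = {:?}", bytes_owned_vs_read(4, true));
    println!("sum over C ABI: {}", sum_qualified(&[QualifiedKind::A, QualifiedKind::B, QualifiedKind::C]));
}
```

The example deliberately does not perform the out-of-bounds read with the unqualified enum, since that is undefined behaviour; `bytes_owned_vs_read` makes the gap visible instead. The `const _: () = assert!(...)` line is the cheap regression check worth adding next to any enum that crosses an FFI boundary.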
@Shnatsel Thank you for sharing it. I am not quite sure how to present this as per the rust-sec template because it doesn't ask at which version of Rust the issue starts to appear. As per the investigation reported on #176, there doesn't seem to be any issue on crate versions 3.5.0 or earlier with Rust 1.27 or earlier. The issue appears from Rust 1.28 and, as per Rust's 1.28.0 release notes, it is the version where What do you think of this scenario?
Hmm, I'm not sure. @tarcieri what do you think?
@9prady9 is correct, we presently have no way to file advisories which only apply to certain Rust versions. Failing that however, you can just file the advisory for all impacted versions of the crate, regardless of the Rust version. Users of Rust versions older than 1.28 may see a "false positive", but since it seems to impact all versions going forward I'm not sure how much that matters.
So, what do you guys suggest?
File an advisory and include information about the impacted Rust version in the description. It may cause some false positives, but I think that's the best you can do for now.
Fixes #176