Fix patched zerovec-derive version (#2007)
We accidentally proposed the wrong version here.

zerovec 0.10.4 and zerovec-derive 0.10.3 are patched.
Manishearth committed Jul 8, 2024
1 parent 6a846de commit 502a1ba
Showing 1 changed file with 2 additions and 2 deletions.
4 changes: 2 additions & 2 deletions crates/zerovec-derive/RUSTSEC-2024-0346.md
Expand Up @@ -6,7 +6,7 @@ date = "2024-07-01"
categories = ["memory-corruption"]

[versions]
patched = [">= 0.10.4", ">= 0.9.7, <0.10.0"]
patched = [">= 0.10.3", ">= 0.9.7, <0.10.0"]
```

# Incorrect usage of `#[repr(packed)]`
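Review bot: The second entry in `patched`, `">= 0.9.7, <0.10.0"`, is carried over unchanged while the 0.10.x bound is corrected to `>= 0.10.3`. The commit message only confirms the 0.10.x numbers (zerovec 0.10.4, zerovec-derive 0.10.3), so please confirm that 0.9.7 is the zerovec-derive release for the 0.9 line and not the zerovec one. A lower bound that is too high reports fixed releases as vulnerable, and one that is too low marks affected releases as patched.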
Expand All @@ -16,4 +16,4 @@ The affected versions make unsafe memory accesses under the assumption that `#[r
The Rust specification does not guarantee this, and https://github.com/rust-lang/rust/pull/125360 (1.80.0-beta) starts
reordering fields of `#[repr(packed)]` structs, leading to illegal memory accesses.

The patched versions `0.9.7` and `0.10.4` use `#[repr(C, packed)]`, which guarantees field order.
The patched versions `0.9.7` and `0.10.3` use `#[repr(C, packed)]`, which guarantees field order.
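Review bot: In the changed sentence, "The patched versions `0.9.7` and `0.10.3`" does not say which crate the numbers belong to, and the commit message points to zerovec and zerovec-derive having different patched versions. Consider naming the crate, for example "The patched `zerovec-derive` versions ...", and keep this sentence in step with the `patched` field in the front matter so the two cannot drift apart again.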
