rustsec-2025-0164
Vulnerability from osv_rustsec
Published: 2025-04-24 12:00
Modified: 2026-06-23 11:22
Summary
`DTriangle` accessors may read out of bounds in affected versions
Details
In affected versions, `DTriangle::neighbor_by_order` and `DTriangle::vertex_by_order` were public safe functions that accepted an arbitrary `order` value. These functions used `order` to access fixed-size internal arrays with `get_unchecked`, without checking whether `order` was within bounds. Calling these methods with an out-of-bounds `order` could cause an out-of-bounds read from safe Rust code. This made the old APIs unsound, since safe callers could trigger undefined behavior without using `unsafe`.
The issue was fixed in version `0.29.0` as part of a broader rewrite that replaced the old triangle implementation with `IntTriangle` and removed the affected accessor methods.
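The unsound shape described above next to three sound ways to expose the same access, as an added example that is not code from i_triangle (the crate's own fix was to remove the accessors). `Tri`, `Corner`, the field types and every method signature here are hypothetical stand-ins.

```rust
// Added illustration: `Tri` and `Corner` are hypothetical, not i_triangle's types.
pub struct Tri {
    vertices: [u32; 3],
    neighbors: [usize; 3],
}

/// An index type with exactly three values: out of range is unrepresentable.
#[derive(Clone, Copy)]
pub enum Corner { A = 0, B = 1, C = 2 }

impl Tri {
    pub fn new(vertices: [u32; 3], neighbors: [usize; 3]) -> Self {
        Tri { vertices, neighbors }
    }

    /// UNSOUND shape from the advisory: a safe signature over an unchecked
    /// index. Nothing stops a safe caller from passing `order >= 3` (UB).
    pub fn vertex_by_order_unsound(&self, order: usize) -> u32 {
        unsafe { *self.vertices.get_unchecked(order) }
    }

    /// Sound: checked access, an out-of-range `order` yields `None`.
    pub fn vertex_by_order(&self, order: usize) -> Option<u32> {
        self.vertices.get(order).copied()
    }

    /// Sound: the parameter type itself guarantees the index is 0, 1 or 2.
    pub fn neighbor_at(&self, corner: Corner) -> usize {
        self.neighbors[corner as usize]
    }

    /// Sound: the unchecked fast path stays, but the obligation is in the
    /// signature, so only code that writes `unsafe` can violate it.
    ///
    /// # Safety
    /// `order` must be less than 3.
    pub unsafe fn neighbor_by_order_unchecked(&self, order: usize) -> usize {
        debug_assert!(order < 3);
        unsafe { *self.neighbors.get_unchecked(order) }
    }
}

fn main() {
    let t = Tri::new([10, 11, 12], [4, 5, 6]);
    println!("{:?} {:?}", t.vertex_by_order(2), t.vertex_by_order(3));
    println!("{}", t.neighbor_at(Corner::B));
    println!("{}", unsafe { t.neighbor_by_order_unchecked(0) });
}
```

When auditing a crate for this class of bug, look for `get_unchecked` (or raw pointer arithmetic) inside a `pub fn` that is not marked `unsafe` and whose index comes straight from a parameter.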
{
"affected": [
{
"database_specific": {
"categories": [],
"cvss": null,
"informational": "unsound"
},
"ecosystem_specific": {
"affected_functions": null,
"affects": {
"arch": [],
"functions": [
"i_triangle::delaunay::triangle::DTriangle::neighbor_by_order",
"i_triangle::delaunay::triangle::DTriangle::vertex_by_order"
],
"os": []
}
},
"package": {
"ecosystem": "crates.io",
"name": "i_triangle",
"purl": "pkg:cargo/i_triangle"
},
"ranges": [
{
"events": [
{
"introduced": "0.0.0-0"
},
{
"fixed": "0.29.0"
}
],
"type": "SEMVER"
}
],
"versions": []
}
],
"aliases": [],
"database_specific": {
"license": "CC0-1.0"
},
"details": "In affected versions, `DTriangle::neighbor_by_order` and `DTriangle::vertex_by_order` were public safe functions that accepted an\narbitrary `order` value. These functions used `order` to access fixed-size internal arrays with `get_unchecked`, without checking whether `order` was within bounds. Calling these methods with an out-of-bounds `order` could cause an out-of-bounds read from safe Rust code. This made the old APIs unsound, since safe callers could trigger undefined behavior without using `unsafe`.\n\nThe issue was fixed in version `0.29.0` as part of a broader rewrite that replaced the old triangle implementation with `IntTriangle` and removed the affected accessor methods.",
"id": "RUSTSEC-2025-0164",
"modified": "2026-06-23T11:22:47Z",
"published": "2025-04-24T12:00:00Z",
"references": [
{
"type": "PACKAGE",
"url": "https://crates.io/crates/i_triangle"
},
{
"type": "ADVISORY",
"url": "https://rustsec.org/advisories/RUSTSEC-2025-0164.html"
},
{
"type": "REPORT",
"url": "https://github.com/iShape-Rust/iTriangle/issues/4"
},
{
"type": "WEB",
"url": "https://github.com/iShape-Rust/iTriangle/commit/13e0e9f4d5333e3a815191e5f6f402641997f91b"
}
],
"related": [],
"severity": [],
"summary": "`DTriangle` accessors may read out of bounds in affected versions"
}