{"id":"RUSTSEC-2021-0027","summary":"Loading a bgzip block can write out of bounds if size overflows.","details":"Affected versions of `bam` set the length of an internal buffer using\n`self.compressed.set_len(block_size - HEADER_SIZE - MIN_EXTRA_SIZE)` and then\nwrote into it. While `block_size` was constrained to a proper maximum, when it\nwas too small the subtraction could overflow negatively to a large number past\nthe capacity of `self.compressed`.\n\nThis can result in memory corruption in the form of writing out of bounds when\nloading a `bgzip` file with a small `block_size`.\n\nCommit `061eee38d4` fixed this issue by checking for the underflow when setting\nthe buffer size.","aliases":["CVE-2021-28027","GHSA-cpqj-r29q-chrh"],"modified":"2023-11-08T04:05:27.546593Z","published":"2021-01-07T12:00:00Z","database_specific":{"license":"CC0-1.0"},"references":[{"type":"PACKAGE","url":"https://crates.io/crates/bam"},{"type":"ADVISORY","url":"https://rustsec.org/advisories/RUSTSEC-2021-0027.html"},{"type":"REPORT","url":"https://gitlab.com/tprodanov/bam/-/issues/4"}],"affected":[{"package":{"name":"bam","ecosystem":"crates.io","purl":"pkg:cargo/bam"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0.0.0-0"},{"fixed":"0.1.3"}]}],"ecosystem_specific":{"affected_functions":null,"affects":{"functions":["bam::bgzip::Block::load"],"arch":[],"os":[]}},"database_specific":{"categories":["memory-corruption"],"informational":null,"cvss":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","source":"https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2021-0027.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}