PT-2019-14534 · Rust · Image Crate

Published 2019-08-21 · Updated 2021-08-25 · CVE-2019-16138

CVSS v3.1: 9.8 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
image crate versions prior to 0.21.3
image crate versions prior to 0.22

Description
An issue was discovered in the HDR image format decoder, where Vec::set_len is called on an uninitialized vector. This leads to a use-after-free and allows for arbitrary code execution. The affected versions would call Vec::set_len on an uninitialized vector with a user-provided type parameter, and then call other code that could panic before initializing all instances, running Drop implementations on uninitialized types.

Recommendations
For versions prior to 0.21.3, ensure proper initialization before calling Vec::set_len to avoid the use-after-free issue. For versions prior to 0.22, consider updating to version 0.22 or later, where a breaking change to the interface requires callers to pre-allocate the output buffer and pass a mutable slice instead, avoiding all unsafe code. As a temporary workaround, consider restricting the use of the HDR image format decoder until a patch is available.
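
The panic-safety property behind these recommendations, as an added example (not code from the image crate or from this advisory): the set_len pattern appears only as a comment, next to two hardened forms, and run() checks that every dropped value was actually constructed when the per-element conversion panics. Tracked, decode_push, decode_into and run are hypothetical names.

```rust
use std::panic::{catch_unwind, AssertUnwindSafe};
use std::sync::atomic::{AtomicUsize, Ordering::SeqCst};
use std::sync::Arc;

/// Constructed element type: counts its drops, so a Drop on a value that was
/// never constructed would show up as dropped > created.
struct Tracked { dropped: Arc<AtomicUsize> }
impl Drop for Tracked {
    fn drop(&mut self) { self.dropped.fetch_add(1, SeqCst); }
}

// Pattern the advisory describes, kept as a comment because it is undefined behaviour:
//   let mut out: Vec<T> = Vec::with_capacity(n);
//   unsafe { out.set_len(n) };   // all n slots now count as live T values
//   fill(&mut out);              // a panic in here unwinds and drops uninitialized T

/// Hardened form A: push one element at a time, so len == initialized count.
fn decode_push<T>(n: usize, mut convert: impl FnMut(usize) -> T) -> Vec<T> {
    let mut out = Vec::with_capacity(n);
    for i in 0..n { out.push(convert(i)); }
    out
}

/// Hardened form B (pre-allocated output slice): only live values are overwritten.
fn decode_into<T>(out: &mut [T], mut convert: impl FnMut(usize) -> T) {
    for (i, slot) in out.iter_mut().enumerate() { *slot = convert(i); }
}

/// Runs both forms with a converter that panics at index `fail_at` and returns
/// (values created, values dropped) after everything has unwound.
fn run(n: usize, fail_at: usize) -> (usize, usize) {
    let (created, dropped) = (Arc::new(AtomicUsize::new(0)), Arc::new(AtomicUsize::new(0)));
    let make = |i: usize| {
        if i == fail_at { panic!("constructed decode failure at element {}", i); }
        created.fetch_add(1, SeqCst);
        Tracked { dropped: dropped.clone() }
    };
    let _ = catch_unwind(AssertUnwindSafe(|| decode_push(n, &make)));
    // Caller-side pre-allocation; usize::MAX is an index that never fails here.
    let mut buf: Vec<Tracked> = (0..n).map(|_| make(usize::MAX)).collect();
    let _ = catch_unwind(AssertUnwindSafe(|| decode_into(&mut buf, &make)));
    drop(buf);
    (created.load(SeqCst), dropped.load(SeqCst))
}

fn main() {
    let (created, dropped) = run(8, 3);
    println!("created={} dropped={}", created, dropped);
}
```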

Fix

Use After Free


Weakness Enumeration

Related Identifiers

CVE-2019-16138
GHSA-M2PF-HPRP-3VQM
RUSTSEC-2019-0014

Affected Products

Image Crate