PT-2020-17548 · Rust · Image

Published 2020-11-12 · Updated 2021-08-25 · CVE-2020-35916

CVSS v3.1: 5.5 Medium

Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions

image crate versions prior to 0.23.12

Description

The issue arises from constructing a mutable reference to a struct by dereferencing a pointer obtained from slice::as_ptr, which performs an implicit reborrow as an immutable shared reference and does not allow writing through the derived pointer. Instead, slice::as_mut_ptr should have been called on the mutable slice argument. There is no evidence of miscompilation caused by this bug, and further investigation suggests that the unoptimized generated LLVM IR does not contain any undefined behavior itself, effectively mitigating further effects.

Recommendations

For image crate versions prior to 0.23.12, update to version 0.23.12 or later to resolve the issue. As a temporary workaround, consider using slice::as_mut_ptr instead of slice::as_ptr when constructing a mutable reference to a struct from a mutable slice argument.
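The pattern from the description next to its corrected form, as an added example that is not the image crate's own code; the Rgb8 type and the function names are hypothetical:

```rust
// Hypothetical pixel type for illustration; not the image crate's definition.
// repr(transparent) gives it the same layout as [u8; 3].
#[repr(transparent)]
pub struct Rgb8(pub [u8; 3]);

// Flawed pattern from the description, kept for contrast and never called.
// `as_ptr` takes `&self`, so the mutable slice is implicitly reborrowed as
// shared and the resulting pointer carries no permission to write.
#[allow(dead_code)]
fn view_mut_flawed(slice: &mut [u8]) -> &mut Rgb8 {
    assert_eq!(slice.len(), 3);
    unsafe { &mut *(slice.as_ptr() as *mut Rgb8) }
}

// Corrected pattern: `as_mut_ptr` takes `&mut self`, so the pointer is
// derived from the unique borrow and writing through it is allowed.
fn view_mut_fixed(slice: &mut [u8]) -> &mut Rgb8 {
    assert_eq!(slice.len(), 3);
    // SAFETY: length checked above; Rgb8 has the layout of [u8; 3], alignment 1.
    unsafe { &mut *(slice.as_mut_ptr() as *mut Rgb8) }
}

// Writes through the corrected view and returns the backing buffer.
fn demo() -> [u8; 3] {
    let mut buf = [10u8, 20, 30]; // constructed sample data
    let px = view_mut_fixed(&mut buf);
    px.0[1] = 99;
    buf
}

fn main() {
    println!("{:?}", demo());
}
```

Both functions compile without warnings from rustc, which is why this class of bug survives review; running the flawed variant under Miri reports the aliasing violation.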

Exploit

Fix

Resource Exhaustion

Weakness Enumeration

Related Identifiers

CVE-2020-35916
GHSA-9WGH-VJJ7-7433
RUSTSEC-2020-0073

Affected Products

Image