PT-2021-17845 · Fltk · Fltk (Moalyousef)
Published 2021-03-06 · Updated 2021-08-25
CVE-2021-28307
CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions:
fltk crate versions prior to 0.15.3
Description:
The crate has multiple memory safety problems. Using a non-raster image as a window icon causes a NULL pointer dereference. Setting a multi-label type with a nonexistent image also leads to a NULL pointer dereference. The pixmap constructor does not validate its input, which can result in out-of-bounds reads.
Recommendations:
For versions prior to 0.15.3, update to version 0.15.3 or later to resolve the issue. As a temporary workaround, consider avoiding the use of non-raster images for window icons and ensuring that images exist before setting them as multi-label types. Restrict the use of the pixmap constructor until the issue is resolved.
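The third problem above, an image constructor that trusts the dimensions and colour table declared in its input, is the one a wrapper can guard against before any data reaches native code. The following is an added illustration, not code from fltk-rs or FLTK: a validating parser for a simplified, ASCII-only subset of the XPM format (the header "width height ncolors chars_per_pixel", `ncolors` colour lines of the form "<key> c <colour>", then `height` pixel rows). Every length the header claims is checked against what is actually present, and every pixel key is checked against the colour table, so a malformed description is rejected with an error instead of being indexed past its end. The format subset, the `PixmapError` variants and the sample inputs are all constructed for this example.

```rust
// Added illustration (not fltk-rs or FLTK code): validate an XPM-style pixmap
// description before it is handed to anything that indexes into it. The format
// handled here is a simplified, ASCII-only subset of XPM constructed for this
// example: a header "width height ncolors chars_per_pixel", then `ncolors`
// lines of "<key> c <colour>", then `height` rows of width * chars_per_pixel
// characters.

#[derive(Debug, PartialEq)]
pub enum PixmapError {
    MissingHeader,
    BadHeader,
    TooFewColorEntries { expected: usize, found: usize },
    BadColorEntry(usize),
    TooFewRows { expected: usize, found: usize },
    RowLength { row: usize, expected: usize, found: usize },
    UnknownColor { row: usize, col: usize },
}

#[derive(Debug, PartialEq)]
pub struct Pixmap {
    pub width: usize,
    pub height: usize,
    pub colors: Vec<(String, String)>,
    pub rows: Vec<String>,
}

pub fn parse_pixmap(lines: &[&str]) -> Result<Pixmap, PixmapError> {
    let header = lines.first().ok_or(PixmapError::MissingHeader)?;
    let fields: Vec<usize> = header
        .split_whitespace()
        .map(|f| f.parse::<usize>())
        .collect::<Result<_, _>>()
        .map_err(|_| PixmapError::BadHeader)?;
    if fields.len() != 4 {
        return Err(PixmapError::BadHeader);
    }
    let (width, height, ncolors, cpp) = (fields[0], fields[1], fields[2], fields[3]);
    if width == 0 || height == 0 || ncolors == 0 || cpp == 0 {
        return Err(PixmapError::BadHeader);
    }
    // Checked arithmetic: an oversized header must not wrap into a small row length.
    let row_len = width.checked_mul(cpp).ok_or(PixmapError::BadHeader)?;
    let color_end = ncolors.checked_add(1).ok_or(PixmapError::BadHeader)?;

    // Colour table: exactly `ncolors` entries must be present, each "<key> c <colour>".
    let color_lines = lines.get(1..color_end).ok_or(PixmapError::TooFewColorEntries {
        expected: ncolors,
        found: lines.len() - 1,
    })?;
    let mut colors = Vec::with_capacity(ncolors);
    for (i, line) in color_lines.iter().enumerate() {
        if !line.is_ascii() || line.len() <= cpp {
            return Err(PixmapError::BadColorEntry(i));
        }
        let (key, rest) = line.split_at(cpp);
        let parts: Vec<&str> = rest.split_whitespace().collect();
        if parts.len() != 2 || parts[0] != "c" {
            return Err(PixmapError::BadColorEntry(i));
        }
        colors.push((key.to_string(), parts[1].to_string()));
    }

    // Pixel rows: exactly `height` rows of `row_len` characters, every pixel key known.
    let row_lines = &lines[color_end..];
    if row_lines.len() < height {
        return Err(PixmapError::TooFewRows { expected: height, found: row_lines.len() });
    }
    let mut rows = Vec::with_capacity(height);
    for (r, row) in row_lines.iter().take(height).enumerate() {
        if !row.is_ascii() || row.len() != row_len {
            return Err(PixmapError::RowLength { row: r, expected: row_len, found: row.len() });
        }
        for col in 0..width {
            // In bounds by construction: (col + 1) * cpp <= width * cpp == row.len().
            let key = &row[col * cpp..(col + 1) * cpp];
            if !colors.iter().any(|(k, _)| k == key) {
                return Err(PixmapError::UnknownColor { row: r, col });
            }
        }
        rows.push(row.to_string());
    }
    Ok(Pixmap { width, height, colors, rows })
}

fn main() {
    // Constructed samples: a valid 3x2 two-colour pixmap, then a header that
    // claims four rows while only two follow it.
    let good = ["3 2 2 1", ". c #ffffff", "# c #000000", ".#.", "#.#"];
    let overclaimed = ["3 4 2 1", ". c #ffffff", "# c #000000", ".#.", "#.#"];
    println!("{:?}", parse_pixmap(&good).map(|p| (p.width, p.height)));
    println!("{:?}", parse_pixmap(&overclaimed));
}
```

The design point is that the header is treated as a claim to be verified, not as a fact: row count, row length, colour-table size and pixel keys are each compared with the data actually supplied before any index is computed from them, and the arithmetic that derives a row length uses checked multiplication so an absurd header cannot wrap to a small value. A wrapper that performs these checks can return an error to the caller instead of passing an inconsistent description to a native constructor.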
Fix
Weakness types: Out-of-bounds Read, NULL Pointer Dereference
Affected Products: Fltk