Cryptographically verifiable, distributed dependency reviews
Add the last reviewed version to Cargo.toml / [dependencies]:
rgb = "0.8.20"
Fixed soundness of ComponentBytes
On first glance you'll find a lot of unsafety but most of it is (now) benign.
The largest parts are casting a transparent, repr-C wrapper struct to native
arrays or slices and forwarding impls of bytemuck::{Pod, Zeroable}
accordingly. There's a derive crate for bytemuck that may be used instead.
There are not a lot of safety comments but not a lot of invariants used
either.
A longstanding soundness issue of interpreting a user input type T as
bytes... This goes back to 0.2 at least where we have the following trait:
pub trait ComponentBytes<T> {
    fn as_slice(&self) -> &[T];
    fn as_mut_slice(&mut self) -> &mut [T];
    // Provides: does this obvious transmutation cast of `as_slice` result.
    fn as_bytes(&self) -> &[u8] { ... }
}
This is so unsound, the user can even return a wrong slice of an arbitrary
and just let this trait do the dirty work of inspecting its bytes.
In a more recent version we're allowed to even write into that byte slice!
Let us create null references, invalid enums, whatever your heart desires.
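Added example, not part of the review or of the rgb crate's code: a std-only sketch of how a byte view becomes sound once T is constrained, which is the role the review attributes to bytemuck::{Pod, Zeroable}. The names PlainData, Rgb and overwrite_demo are hypothetical and the pixel values are constructed.

```rust
use std::mem::size_of_val;
use std::slice;

/// Hypothetical marker trait, a std-only stand-in for `bytemuck::Pod`.
/// Implementors promise: no padding bytes, every bit pattern is a valid value,
/// and no pointers or references inside.
pub unsafe trait PlainData: Copy + 'static {}
unsafe impl PlainData for u8 {}
unsafe impl PlainData for u16 {}
unsafe impl PlainData for f32 {}

/// Constructed pixel type in the style the review describes (repr-C wrapper).
#[repr(C)]
#[derive(Clone, Copy, Debug, PartialEq)]
pub struct Rgb<T> { pub r: T, pub g: T, pub b: T }
// SAFETY: three fields of the same padding-free type in repr(C) leave no gaps.
unsafe impl<T: PlainData> PlainData for Rgb<T> {}

/// Read-only byte view; sound because `T: PlainData` rules out uninitialised padding.
pub fn as_bytes<T: PlainData>(items: &[T]) -> &[u8] {
    // SAFETY: u8 has alignment 1 and the length is the exact byte size of `items`.
    unsafe { slice::from_raw_parts(items.as_ptr().cast::<u8>(), size_of_val(items)) }
}

/// Writable byte view; sound because any bytes written still form a valid `T`.
pub fn as_bytes_mut<T: PlainData>(items: &mut [T]) -> &mut [u8] {
    let len = size_of_val(items);
    // SAFETY: as above, plus the exclusive borrow is carried over to the byte slice.
    unsafe { slice::from_raw_parts_mut(items.as_mut_ptr().cast::<u8>(), len) }
}

/// Overwrite two pixels through the byte view and return them.
pub fn overwrite_demo() -> [Rgb<u16>; 2] {
    let mut px = [Rgb { r: 0u16, g: 0, b: 0 }; 2];
    as_bytes_mut(&mut px).fill(0xFF);
    px
}

fn main() {
    let px = [Rgb { r: 1u8, g: 2, b: 3 }, Rgb { r: 4, g: 5, b: 6 }];
    println!("{:?}", as_bytes(&px));
    println!("{:?}", overwrite_demo());
    // Rejected at compile time, since `bool` and `&u8` are not PlainData:
    // as_bytes_mut(&mut [true]);
    // as_bytes_mut(&mut [&0u8]);
}
```

With the bound in place, the null references and invalid enums the review mentions cannot be produced from safe code, because reference and enum types never receive a PlainData impl.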
© bestia.dev 2023, MIT License, Version: 2023.608.1636
Open source repository for this web app: https://github.com/bestia-dev/cargo_crev_web/
Fixed soundness of as_bytes