github-actions[bot] opened a new issue, #2624:
URL: https://github.com/apache/iceberg-rust/issues/2624

   
   > Out-of-bounds read in `nth` / `nth_back` for `PyList` and `PyTuple` iterators
   
   | Details             |                                                                                   |
   | ------------------- | --------------------------------------------------------------------------------- |
   | Package             | `pyo3`                                                                            |
   | Version             | `0.28.3`                                                                          |
   | URL                 | [https://github.com/PyO3/pyo3/pull/6086](https://github.com/PyO3/pyo3/pull/6086) |
   | Date                | 2026-06-11                                                                        |
   | Patched versions    | `>=0.29.0`                                                                        |
   | Unaffected versions | `<0.24.0`                                                                         |
   
   PyO3 0.24.0 added optimized implementations of `Iterator::nth` and
   `DoubleEndedIterator::nth_back` for the `BoundListIterator` and
   `BoundTupleIterator` types. These implementations computed the target index
   using unchecked `usize` addition (`index + n`) before bounds-checking against
   the sequence length, then read the element via `get_item_unchecked`.
   
   In `nth` methods, a sufficiently large `n` (combined with a non-zero internal
   index) could cause the addition to overflow and wrap around, producing a small
   "target index" that passed the bounds check and enabling reads at the front
   of the `list` or `tuple` of elements previously yielded by the iterator.
   
   In `nth_back` methods, a sufficiently large `n` could cause underflow in a
   similar fashion, but would instead allow reads of arbitrary memory past
   the end of the `list` or `tuple` storage.
   
   PyO3 0.29.0 has corrected these methods to use checked arithmetic at the
   positions which could be at risk of overflow.
   
   See [advisory page](https://rustsec.org/advisories/RUSTSEC-2026-0176.html) for additional details.
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]


---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
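As an added illustration, not PyO3's own code, here is a constructed Rust model of the `nth` arithmetic the advisory describes: the unchecked `index + n` beside the checked form that 0.29.0 adopts. `Iter`, `replay`, the sample values and the safe stand-in for `get_item_unchecked` are assumptions of this example.

```rust
// Constructed model of the `nth` defect the advisory describes; not PyO3's code.
struct Iter {
    items: Vec<i64>, // stands in for the list/tuple storage
    index: usize,    // next front element to yield
    length: usize,   // one past the last element still to yield
}

impl Iter {
    // Stand-in for `get_item_unchecked`: the caller promises `i < items.len()`.
    // Kept as a checked index so this model can never really read out of bounds.
    fn get_unchecked(&self, i: usize) -> i64 {
        self.items[i]
    }

    // Vulnerable pattern: `index + n` is computed before the bounds check.
    // `wrapping_add` reproduces release-mode overflow deterministically.
    fn nth_unchecked_add(&mut self, n: usize) -> Option<i64> {
        let target = self.index.wrapping_add(n);
        if target < self.length {
            self.index = target + 1;
            return Some(self.get_unchecked(target));
        }
        self.index = self.length;
        None
    }

    // Fixed pattern (what PyO3 0.29 does): checked arithmetic, so an overflow
    // reports the iterator as exhausted instead of wrapping to a small index.
    fn nth_checked_add(&mut self, n: usize) -> Option<i64> {
        if let Some(target) = self.index.checked_add(n) {
            if target < self.length {
                self.index = target + 1;
                return Some(self.get_unchecked(target));
            }
        }
        self.index = self.length;
        None
    }
}

// Same state for both versions: two elements already yielded, then `nth`
// with an `n` large enough that `index + n` wraps back to 0.
fn replay(fixed: bool) -> Option<i64> {
    let items = vec![10, 20, 30, 40]; // constructed sample
    let length = items.len();
    let mut it = Iter { items, index: 2, length };
    let n = usize::MAX - 1; // 2 + (usize::MAX - 1) == usize::MAX + 1, wraps to 0
    if fixed { it.nth_checked_add(n) } else { it.nth_unchecked_add(n) }
}
```

`replay(false)` returns `Some(10)`, the already-consumed front element; `replay(true)` returns `None`.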