id-map: free uninitialized memory on drop

GeorgeAndrou · web-flow · commit 13bf15a14360 · 2025-08-15T19:52:18.000+02:00
diff --git a/crates/id-map/RUSTSEC-0000-0000.md b/crates/id-map/RUSTSEC-0000-0000.md
@@ -0,0 +1,29 @@
+```toml
+[advisory]
+id = "RUSTSEC-0000-0000"
+package = "id-map"
+date = "2025-08-14"
+
+url = "https://github.com/andrewhickman/id-map/issues/4"
+categories = ["memory-corruption"]
+keywords = ["memory-safety", "uninitialized-memory"]
+
+[affected.functions]
+"id_map::IdMap::from_iter" = [">= 0.1.6, <= 0.2.1"]
+
+[versions]
+patched = [">= 0.2.2"]
+unaffected = ["< 0.1.6"]
+```
+
+# IdMap::from_iter may lead to uninitialized memory being freed on drop
+
+Due to a flaw in the constructor `id_map::IdMap::from_iter`, ill-formed objects may be created in which the amount of actually initialized memory is less than what is expected by the fields of `IdMap`. Specifically, the field `ids` is initialized based on the capacity of the vector `values`, which is constructed from the provided iterator. However, the length of this vector may be smaller than its capacity.
+
+In such cases, when the resulting `IdMap` is dropped, its destructor incorrectly assumes that `values` contains `ids.len() == values.capacity()` initialized elements and attempts to iterate over and drop them. This leads to dereferencing and attempting to free uninitialized memory, resulting in undefined behavior and potential segmentation faults.
+
+The bug was fixed in commit `fab6922`, and all unsafe code was removed from the crate.
+
+Note that the maintainer recommends using the following alternatives:
+- [slab](https://crates.io/crates/slab)
+- [slotmap](https://crates.io/crates/slotmap)
