Submit #846665: grass 0.13.4 Denial of Serviceinfo

Titelgrass 0.13.4 Denial of Service
Beschreibunggrass is a pure-Rust Sass-to-CSS compiler. When the parser encounters a syntax error, it constructs a diagnostic via `grass_compiler::raw_to_parse_error`, which hands the byte-offset error span to the `codemap` crate for line/column resolution. If the error span boundary falls inside a multi-byte UTF-8 character, `codemap::File::find_line_col` attempts `&source[start..end]` on a non-char-boundary index and Rust panics with `"byte index N is not a char boundary; it is inside ..."`. The panic propagates up through the public `grass::from_string` API and aborts the process. This violates the documented contract that `grass::from_string` returns `Result<String, Box<grass::Error>>` for all inputs, but a malformed SCSS source should yield `Err`, not crash the process.
Quelle⚠️ https://github.com/connorskees/grass/issues/116
Benutzer
 Zyz3366 (UID 97230)
Einreichung03.06.2026 04:40 (vor 1 Monat)
Moderieren03.07.2026 20:40 (1 month later)
StatusAkzeptiert
VulDB Eintrag376163 [connorskees grass bis 0.13.4 UTF-8 Character raw_to_parse_error Denial of Service]
Punkte20

Interested in the pricing of exploits?

See the underground prices here!