CVE-2021-45703: 
Rust vulnerability analysis and mitigation

A vulnerability was discovered in the tectonic_xdv crate versions before 0.1.12 for Rust, identified as CVE-2021-45703. The issue involves the XdvParser::process function potentially reading from uninitialized memory locations, which was disclosed on December 26, 2021 (NVD, RustSec).

The vulnerability stems from the crate passing an uninitialized buffer to a user-provided Read implementation. The Read implementations can read from this uninitialized buffer, leading to memory exposure, and may return incorrect number of bytes written to the buffer. Reading from uninitialized memory produces undefined values that can quickly invoke undefined behavior. The issue received a CVSS v3.1 Base Score of 9.8 CRITICAL (Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) (NVD).

The vulnerability can lead to memory exposure and undefined behavior in applications using the affected versions of the tectonic_xdv crate. This could potentially expose sensitive information stored in memory and cause application instability or crashes (RustSec).

The vulnerability was fixed in version 0.1.12 of the tectonic_xdv crate. The fix involves zero-initializing the buffer before passing it to a user-provided Read implementation, as implemented in commit cdff034 (RustSec).