FEN input sanitisation #905
Comments
I think in the past maintainers have made it clear that providing correct FENs is the responsibility of the GUI.
So far I have 67 unique crashes - all of them segfaults. The FEN parser is not performance critical code, and these could all be fixed with the Pareto principle of "reject invalid input". Or do I need to demonstrate an arbitrary code execution exploit?
@ajithcj already answered you.
Stockfish may not be an obvious attack vector for bugs, but I decided to let American Fuzzy Lop loose on the FEN parser, and it found issues very quickly, which should be fixed, even if they may never occur.
Non-ASCII characters should be rejected.
The bitboards should be checked for basic consistency (one king per colour)
I'll add more later when it's worked overnight.
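The two checks the issue asks for (reject non-ASCII input, exactly one king per colour), as an added C++ example that is not code from this issue or from Stockfish. `check_fen` and `FenError` are hypothetical names; the rank-geometry check goes beyond what the issue lists, and only the piece-placement field is validated.

```cpp
#include <cstring>
#include <string>

// Added example: reject-on-first-error checks for a FEN string, meant to run
// before any board state is written. Names are hypothetical, not Stockfish's.
enum class FenError { Ok, NonAscii, BadChar, BadRankWidth, BadRankCount, BadKingCount };

FenError check_fen(const std::string& fen) {
    // 1. Only printable ASCII is allowed anywhere in the input
    //    (this also rejects embedded NUL and other control bytes).
    for (unsigned char c : fen)
        if (c < 0x20 || c > 0x7E) return FenError::NonAscii;

    // Piece-placement field: everything up to the first space.
    const std::string board = fen.substr(0, fen.find(' '));
    int ranks = 1, files = 0, whiteKings = 0, blackKings = 0;

    // 2. Geometry: 8 ranks of exactly 8 files, so no square index can
    //    ever fall outside the 64-square board.
    for (char c : board) {
        if (c == '/') {
            if (files != 8) return FenError::BadRankWidth;
            ++ranks;
            files = 0;
        } else if (c >= '1' && c <= '8') {
            files += c - '0';              // run of empty squares
        } else if (std::strchr("pnbrqkPNBRQK", c)) {
            ++files;                       // one piece on one square
            whiteKings += (c == 'K');
            blackKings += (c == 'k');
        } else {
            return FenError::BadChar;
        }
        if (files > 8) return FenError::BadRankWidth;
    }
    if (files != 8) return FenError::BadRankWidth;
    if (ranks != 8) return FenError::BadRankCount;

    // 3. Basic consistency: exactly one king per colour.
    if (whiteKings != 1 || blackKings != 1) return FenError::BadKingCount;
    return FenError::Ok;
}
```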