
Documentation / Security Warning #30

Open
szanni opened this issue Oct 10, 2018 · 2 comments

Comments

@szanni

szanni commented Oct 10, 2018

I strongly believe that there should be a security warning in the README regarding malicious input.
There is currently no code to verify buffers/structures, unless I missed something completely?
I think a small notice like #29 should suffice.

Any program will crash horrendously should it encounter malicious/corrupted input. If anyone is interested, I adjusted the included tests/examples to be used with American Fuzzy Lop here. You can test with make fuzz-mem and make fuzz-fp.

@fluffysquirrels
Collaborator

fluffysquirrels commented Apr 22, 2019

I added a warning as you describe in #29. Thank you for the suggestion.

Thank you for testing the library! Do you have any proposed fixes for the problems you found?

@szanni
Author

szanni commented Mar 6, 2020

Late reply but here it goes: as already noted in the security warning: bounds checks.
Then there are other things to consider, like DoS attacks: how big of a list do you really want to decode? This is not a problem that is easily solvable. There used to be a document with recommendations on the official website but I can't seem to find it right now!!?

As regards at least implementing said fixes: I sadly don't have the time to come up with something truly robust and secure.
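As an added illustration of the two points raised in this thread (bounds checks on every read, and a cap on how large a list the decoder is willing to accept), the C program below is not code from the project or from either commenter. It decodes a hypothetical, constructed wire format (a little-endian u32 element count followed by that many u16 elements) and places an unchecked decoder, which trusts the count the way the issue describes, beside a checked one that verifies every read against the buffer length and refuses oversized lists. MAX_ELEMENTS, the sample messages and all function names are assumptions made for the example.

```c
/*
 * Added example for this thread; it is not code from the project under
 * discussion. It decodes a constructed, hypothetical wire format:
 *   u32 little-endian element count, then that many u16 elements.
 * decode_unchecked() trusts the count, the failure mode described in the
 * issue; decode_checked() bounds-checks every read and caps the list size.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical policy: the largest list a caller is willing to decode.
 * Without such a cap a 4-byte header can demand gigabytes of work. */
#define MAX_ELEMENTS 1024u

static uint32_t rd_u32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static uint16_t rd_u16(const uint8_t *p)
{
    return (uint16_t)(p[0] | ((unsigned)p[1] << 8));
}

/* Trusts the header. A count larger than the buffer reads past its end,
 * so this is only safe on input already known to be well-formed. */
size_t decode_unchecked(const uint8_t *msg, uint16_t *out, size_t out_cap)
{
    uint32_t n = rd_u32(msg);
    for (uint32_t i = 0; i < n && i < out_cap; i++)
        out[i] = rd_u16(msg + 4 + (size_t)i * 2);
    return n;
}

/* Returns the number of elements decoded, or -1 if the message is
 * truncated or declares more elements than the caller will accept. */
long decode_checked(const uint8_t *msg, size_t len, uint16_t *out, size_t out_cap)
{
    if (len < 4)
        return -1;                          /* header truncated */
    uint32_t n = rd_u32(msg);
    if (n > MAX_ELEMENTS || n > out_cap)
        return -1;                          /* DoS guard: refuse huge lists */
    if ((size_t)n * 2 > len - 4)            /* n <= 1024, so no overflow */
        return -1;                          /* body shorter than declared */
    for (uint32_t i = 0; i < n; i++)
        out[i] = rd_u16(msg + 4 + (size_t)i * 2);
    return (long)n;
}

/* Constructed sample inputs (not captured from any real system). */
static const uint8_t MSG_VALID[] = {
    3, 0, 0, 0,             /* count = 3 */
    1, 0, 2, 0, 3, 0        /* elements 1, 2, 3 */
};
static const uint8_t MSG_TRUNCATED[] = {
    3, 0, 0, 0,             /* count = 3 ... */
    1, 0                    /* ... but only one element is present */
};
static const uint8_t MSG_HUGE[] = {
    0xff, 0xff, 0xff, 0xff  /* count = 4294967295, no body at all */
};

/* Well-formed input: returns the sum of the three decoded elements (6),
 * or -1 if the decoder did not report exactly three elements. */
long demo_valid(void)
{
    uint16_t out[MAX_ELEMENTS];
    long n = decode_checked(MSG_VALID, sizeof MSG_VALID, out, MAX_ELEMENTS);
    return n == 3 ? out[0] + out[1] + out[2] : -1;
}

/* Body shorter than the header claims: the checked decoder returns -1. */
long demo_truncated(void)
{
    uint16_t out[MAX_ELEMENTS];
    return decode_checked(MSG_TRUNCATED, sizeof MSG_TRUNCATED, out, MAX_ELEMENTS);
}

/* Absurd count with no body: rejected before any element is read. */
long demo_huge(void)
{
    uint16_t out[MAX_ELEMENTS];
    return decode_checked(MSG_HUGE, sizeof MSG_HUGE, out, MAX_ELEMENTS);
}

int main(void)
{
    uint16_t out[MAX_ELEMENTS];
    /* Both decoders agree on well-formed input; only the checked one is
     * safe to point at untrusted bytes such as a fuzzer's output. */
    printf("unchecked, valid:   %zu elements\n",
           decode_unchecked(MSG_VALID, out, MAX_ELEMENTS));
    printf("checked, valid:     sum %ld\n", demo_valid());
    printf("checked, truncated: %ld\n", demo_truncated());
    printf("checked, huge:      %ld\n", demo_huge());
    return 0;
}
```

The length check and the size cap are separate decisions: the first keeps a truncated or corrupted message from reading outside the buffer, the second keeps a tiny, well-formed header from committing the process to an amount of work chosen by the sender. A fuzzing harness for a real decoder would feed the bytes read from stdin into the checked path only.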
