Right after releasing cashpack 0.4 I decided to add a new fuzzer to the toolbox, hoping to maybe find something after a while. I found something immediately:
- a heap buffer overflow
- a broken invariant
Both cases were related to missing length checks that were easy to find and add, since the code is structured to make such checks straightforward. Both fixes are one-liners, and the reasons they flew under the radar until now are detailed in the test suite's README.
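What a missing length check in a length-prefixed decoder looks like, and the single comparison that closes it, as an added example in C. This is illustrative code written for this page, not cashpack's code, and it does not reproduce the actual bugs: the field format (one length byte followed by that many octets), the `cursor` and `field` structs, the function names and the sample inputs are all assumptions. The unchecked variant is kept only for contrast; running it on the truncated sample would read past the end of the buffer and underflow the cursor's remaining length, which is the kind of heap over-read and broken invariant a fuzzer catches immediately.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical bounded cursor over an input buffer (assumed, not cashpack's API). */
struct cursor {
    const uint8_t *ptr;
    size_t len;   /* bytes still unread; invariant: ptr[0..len) is readable */
};

/* One decoded length-prefixed string: points into the input, no copy. */
struct field {
    const uint8_t *data;
    size_t len;
};

/* BUGGY: trusts the declared length and never compares it to what is left.
 * When n exceeds the remaining input, data/len describe bytes past the end
 * of the buffer (heap over-read for the caller) and c->len wraps around,
 * breaking the cursor invariant. Kept for contrast; never call it on
 * untrusted input. */
int field_decode_unchecked(struct cursor *c, struct field *f)
{
    if (c->len < 1)
        return -1;
    size_t n = c->ptr[0];
    f->data = c->ptr + 1;
    f->len = n;
    c->ptr += 1 + n;
    c->len -= 1 + n;    /* underflows when n > c->len - 1 */
    return 0;
}

/* FIXED: one extra comparison of the declared length against the remaining input. */
int field_decode(struct cursor *c, struct field *f)
{
    if (c->len < 1)
        return -1;
    size_t n = c->ptr[0];
    if (n > c->len - 1)     /* the one-liner: declared length vs. bytes actually left */
        return -1;
    f->data = c->ptr + 1;
    f->len = n;
    c->ptr += 1 + n;
    c->len -= 1 + n;        /* cannot underflow: n + 1 <= c->len was just checked */
    return 0;
}

/* Decode every field in buf into out[]; returns the count, or -1 on malformed input. */
int decode_all(const uint8_t *buf, size_t len, struct field *out, size_t max)
{
    struct cursor c = { buf, len };
    size_t i = 0;
    while (c.len > 0) {
        if (i == max)
            return -1;
        if (field_decode(&c, &out[i]) < 0)
            return -1;
        i++;
    }
    return (int)i;
}

/* Constructed sample inputs (not taken from cashpack's test suite). */
static const uint8_t good[]      = { 3, 'f', 'o', 'o', 2, 'o', 'k' };
static const uint8_t truncated[] = { 3, 'f', 'o' };   /* claims 3 octets, carries 2 */

/* Well-formed input: two fields are decoded. */
int demo_good(void)
{
    struct field f[4];
    return decode_all(good, sizeof good, f, 4);
}

/* Length of the first field decoded from the well-formed input (3 for "foo"). */
int demo_first_field_len(void)
{
    struct field f[4];
    if (decode_all(good, sizeof good, f, 4) < 1)
        return -1;
    return (int)f[0].len;
}

/* Truncated input: the checked decoder rejects it instead of over-reading. */
int demo_truncated(void)
{
    struct field f[4];
    return decode_all(truncated, sizeof truncated, f, 4);
}

int main(void)
{
    printf("good: %d fields (first has %d octets), truncated: %d\n",
           demo_good(), demo_first_field_len(), demo_truncated());
    return 0;
}
```

Compiling the checked decoder with `-fsanitize=address` and feeding it the truncated sample is a quick way to confirm the fix: the unchecked variant trips ASan on the same input, the checked one returns -1 and leaves the cursor consistent.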