Reported

April 24, 2025

Issued

May 6, 2025

Package

tanton_engine (crates.io)

Type

Vulnerability

Categories

• memory-corruption

Patched

no patched versions

Affected Functions

Version

tanton_engine::RootMoveList::insert_score

• ^1.0.0

tanton_engine::RootMoveList::insert_score_depth

• ^1.0.0

tanton_engine::Stack::offset

• ^1.0.0

tanton_engine::ThreadStack::get

• ^1.0.0

Description

The following functions in the tanton_engine crate are unsound due to lack of sufficient boundary checks in public API:

• Stack::offset()
• ThreadStack::get()
• RootMoveList::insert_score_depth()
• RootMoveList::insert_score()

The tanton_engine crate is no longer maintained, so there are no plans to fix this issue.

Advisory available under CC0-1.0 license.