From: Thibaut M. <thi...@gm...> - 2004-12-16 13:26:56

Hi Mike,

On Thu, 16 Dec 2004 05:54:45 -0700, Mike Melanson <mi...@mu...> wrote:
> Michael Roitzsch wrote:
> > Hi Mike,
> >
> >> Thankfully, I may have spoken too soon. I did a slightly deeper
> >> investigation and my earlier suspicions were unfounded.
> >>
> >> Quick & dirty security audit methodology:
> >>
> >> grep "unsigned char" demuxers/*.c | grep "\["
> >> grep "uint8_t" demuxers/*.c | grep "\["
> >>
> >> The idea here is to search for byte array declarations. I looked for
> >> declarations that had arbitrarily large unnamed constant sizes, like the
> >> 100-byte array in demux_aiff.c. Then I made sure that sizes were checked
> >> before the reads.
> >
> > Nice work. Which demuxers did you check? Just aiff or more?
>
> I applied this logic to the whole demuxer tree and did not find any more
> similar bugs. Not certifying that there are no more security holes, but
> I do not believe there are any more like the aiff one.

We should apply your logic to the input tree too, we have exactly the same kind of problem here.

> --
> -Mike Melanson

Thibaut
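The audit in the thread looks for fixed-size byte arrays and then checks whether the read into each one is bounded. The following is an added illustration of that bug class and its fix, written for this page; it is not xine code and does not reproduce the demux_aiff.c bug itself. The input source, the chunk layout (one length byte followed by that many bytes) and the names `input_t`, `read_name_chunk_unchecked` and `read_name_chunk_checked` are all constructed for the example.

```c
/* Added example (not xine's code): a demuxer-style read of a variable-length
 * chunk into a fixed-size stack buffer, in the unchecked form the grep audit
 * is meant to surface and in the checked form the audit wants to see. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define NAME_BUF_SIZE 100   /* arbitrary fixed size, as in the thread's 100-byte array */

/* Constructed stand-in for a demuxer's input plugin: a byte string in memory. */
typedef struct {
    const uint8_t *data;
    size_t len;
    size_t pos;
} input_t;

/* Read up to n bytes; returns the number actually read (models a short read). */
static size_t input_read(input_t *in, uint8_t *dst, size_t n) {
    size_t avail = in->len - in->pos;
    if (n > avail) n = avail;
    memcpy(dst, in->data + in->pos, n);
    in->pos += n;
    return n;
}

/* Unchecked form: the length byte comes straight from the file and drives the
 * read into a 100-byte array. A length of 100..255 writes past the buffer.
 * Kept only to show what the audit flags; never feed it untrusted input. */
int read_name_chunk_unchecked(input_t *in, char out[NAME_BUF_SIZE]) {
    uint8_t len;
    uint8_t buf[NAME_BUF_SIZE];
    if (input_read(in, &len, 1) != 1) return 0;
    if (input_read(in, buf, len) != len) return 0;   /* len never compared to sizeof buf */
    memcpy(out, buf, len);
    out[len] = '\0';
    return 1;
}

/* Checked form: the declared length is validated against the buffer size
 * before any data is read into it. Returns 1 on success, 0 on a truncated
 * stream or on a chunk that cannot fit. */
int read_name_chunk_checked(input_t *in, char out[NAME_BUF_SIZE]) {
    uint8_t len;
    uint8_t buf[NAME_BUF_SIZE];
    if (input_read(in, &len, 1) != 1) return 0;
    if (len >= NAME_BUF_SIZE) return 0;              /* the check the audit looks for */
    if (input_read(in, buf, len) != len) return 0;   /* stream ended early */
    memcpy(out, buf, len);
    out[len] = '\0';                                 /* len < NAME_BUF_SIZE, so this fits */
    return 1;
}

/* Constructed inputs exercising the checked reader; return 1 when behaviour is as expected. */
int demo_checked_accepts_well_formed(void) {
    static const uint8_t good[] = { 5, 'h', 'e', 'l', 'l', 'o' };   /* constructed chunk */
    input_t in = { good, sizeof good, 0 };
    char out[NAME_BUF_SIZE];
    return read_name_chunk_checked(&in, out) == 1 && strcmp(out, "hello") == 0;
}

int demo_checked_rejects_oversized(void) {
    static const uint8_t bad[] = { 200, 'x', 'x', 'x' };   /* constructed: claims 200 bytes */
    input_t in = { bad, sizeof bad, 0 };
    char out[NAME_BUF_SIZE];
    return read_name_chunk_checked(&in, out) == 0;
}

int demo_checked_rejects_truncated(void) {
    static const uint8_t cut[] = { 10, 'a', 'b' };   /* constructed: promises 10, delivers 2 */
    input_t in = { cut, sizeof cut, 0 };
    char out[NAME_BUF_SIZE];
    return read_name_chunk_checked(&in, out) == 0;
}
```

The difference between the two readers is a single comparison, which is exactly why a grep for array declarations followed by a manual look at each read is a reasonable first pass: the declaration tells you the capacity, and the audit question is whether every read into it is bounded by that capacity rather than by a value taken from the file.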