Re: C file recognized as image file

From: Richard Stallman
Subject: Re: C file recognized as image file
Date: Mon, 15 Jan 2007 18:27:08 -0500

    The bug in the lib may be triggered by a valid file (typically: valid but
    with some parameters much larger than expected).  There's no evidence that
    our validation code wouldn't be itself vulnerable to various attacks

If the checking code is thorough, checking every datum for validity
before using its value, then it will not be vulnerable.  The reason
the libraries have vulnerabilities is that their authors are thinking
about displaying a valid image, rather than detecting an invalid one.

The point about failures on valid images is a valid point, but I don't
see what we can do about it at this level.  Perfection is not
attainable.  Anyway, those bugs are likely to be found and fixed
because they would fail on real images.
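
The rule stated in the message above (check every datum for validity before using its value), as an added example that is not part of the original message or of Emacs. It assumes PNG as the format; `png_header_ok`, its return codes and the `MAX_DIM` cap are hypothetical, and the cap is what rejects a header that is valid but has parameters much larger than expected.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_DIM 16384u /* assumed application limit, not from the thread */

static uint32_t be32(const unsigned char *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Hypothetical pre-check: 0 and *out_bytes on success, else a negative
   code for the first failed check. Chunk CRC is not verified here. */
int png_header_ok(const unsigned char *buf, size_t len, size_t *out_bytes) {
    static const unsigned char sig[8] = {0x89, 'P', 'N', 'G', '\r', '\n', 0x1a, '\n'};
    static const unsigned char chans[7] = {1, 0, 3, 1, 2, 0, 4};       /* by colour type */
    static const unsigned char depths[7] = {31, 0, 24, 15, 24, 0, 24}; /* OR of legal depths */
    if (len < 33) return -1;                 /* signature + IHDR chunk */
    if (memcmp(buf, sig, 8) != 0) return -2; /* e.g. a C source file */
    if (be32(buf + 8) != 13 || memcmp(buf + 12, "IHDR", 4) != 0) return -3;
    uint32_t w = be32(buf + 16), h = be32(buf + 20);
    unsigned depth = buf[24], ctype = buf[25];
    if (w == 0 || h == 0 || w > MAX_DIM || h > MAX_DIM) return -4;
    if (ctype > 6 || chans[ctype] == 0) return -5;
    if (depth == 0 || (depth & (depth - 1)) != 0 || (depth & depths[ctype]) == 0)
        return -6;
    if (buf[26] != 0 || buf[27] != 0 || buf[28] > 1) return -7;
    /* Operands are bounded above, so the 64-bit products cannot wrap. */
    uint64_t row = ((uint64_t)w * chans[ctype] * depth + 7) / 8;
    uint64_t total = row * h;
    if (total > SIZE_MAX) return -8;
    *out_bytes = (size_t)total;
    return 0;
}

/* Constructed sample: 2x3 RGB, 8-bit; CRC bytes left as zero. */
static const unsigned char sample[33] = {
    0x89, 'P', 'N', 'G', '\r', '\n', 0x1a, '\n', 0, 0, 0, 13, 'I', 'H', 'D', 'R',
    0, 0, 0, 2, 0, 0, 0, 3, 8, 2, 0, 0, 0, 0, 0, 0, 0};

int main(void) {
    size_t n = 0;
    int rc = png_header_ok(sample, sizeof sample, &n);
    printf("rc=%d bytes=%zu\n", rc, n);
    return 0;
}
```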
