Re: [ft-devel] cff_get_name

freetype-devel

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [ft-devel] cff_get_name_index crash

From:	David Turner
Subject:	Re: [ft-devel] cff_get_name_index crash
Date:	Fri, 09 Feb 2007 13:22:15 +0100

> > Really?  Oh well, that sucks.  :)
> 
> If you're interested in this sort of thing, it's probably a good idea to
> read up on the _reason_ why the glibc maintainer won't include them.
> 

I've read it. His argument is the following:

  A - strcpy itself is not buggy or evil, some developers simply don't use
      it safely, for example when they copy strings of unknown lengths into
      fixed-sized buffers.
    
  B - strlcpy is not better because it only prevents buffer overflows, but
      can introduce another bug (silent string truncations, the horror !!)

while A is certainly true, B is completely false for at least two reasons:

 - first of all, strlcpy gets rid of buffer overwrites for good, and these
   are a *very* common bugs that are responsible for a *lot* of security holes
   in all kinds of software; they're the easiest way to trash the stack and
   take hostile control of program execution. 

 - strlcpy and al. are designed to return the size of the original string
   so that you *can* check for string truncation with something like:

      if ( strlcpy( buffer, src, buffer_size ) >= buffer_size )
         // handle truncation

   in some cases, truncation is not even a bug, it's a feature. Meanwhile,
   when silent string truncation is a bug, it is one that is *much* harder
   to exploit, security-wise, especially if you use system-specific buffer
   sizes like those given by PATH_MAX and al.

On a practical point of view, strlcpy is thus a *lot* better than strcpy.
You get rid of buffer overwrites, you can check for truncation, or you
have the choice to ignore it. And if you do, the security consequences are
relatively dim.

Also, Drepper doesn't understand why people are using strcpy in the first
place: it's for damn convenience; and strlcpy is a *lot* more convenient
than his proposed "correct alternative" which amounts to always computing
the size of the input string, and doing the following:

    *((char *) mempcpy(dst, src, n)) = '\0';

Yeah, highly readable and convenient, isn't it ? I didn't write the part
about computing the length of src in 'n', and checking it against the
buffer size (which doesn't appear in the expression), eventually
perform truncation when needed. Don't worry if it's not even part of POSIX
either.


Regards,

- David Turner
- The FreeType Project  (www.freetype.org)

[Prev in Thread]

Current Thread

[Next in Thread]

[ft-devel] cff_get_name_index crash, Tom Parker, 2007/02/06
- Re: [ft-devel] cff_get_name_index crash, Werner LEMBERG, 2007/02/07
- Re: [ft-devel] cff_get_name_index crash, Sean McBride, 2007/02/07
  - Re: [ft-devel] cff_get_name_index crash, Tom Parker, 2007/02/07
    - Re: [ft-devel] cff_get_name_index crash, Sean McBride, 2007/02/07
    - Re: [ft-devel] cff_get_name_index crash, Werner LEMBERG, 2007/02/08
    - Re: [ft-devel] cff_get_name_index crash, Miles Bader, 2007/02/09
    - Re: [ft-devel] cff_get_name_index crash, David Turner <=

Prev by Date: Re: [ft-devel] cff_get_name_index crash
Next by Date: [ft-devel] Some font rendered badly
Previous by thread: Re: [ft-devel] cff_get_name_index crash
Next by thread: [ft-devel] Re: autotools version check in autogen.sh
Index(es):
- Date
- Thread