yyredo and yy_use_redo_text

Matthias Andree matthias.andree at gmx.de
Mon May 12 16:03:30 CEST 2003


Timo Sirainen <tss at iki.fi> writes:

> And looking more at qp_decode(), it can write a few bytes more than it
> was supposed to, but it's still safe because flex always allocates two
> more bytes for \0\0, and you'll be overwriting those with \0 as well.
>
> So, no real problems after all.

Maybe not this time, but I wouldn't sleep well if I knew that a
function's security was based on proper use through other functions. In
other words, if I feed total junk to qp_decode(), it must still be
secure.

Relying on flex semantics is dangerous, a new or older flex version may
not support this 'add some NUL bytes' behaviour; and qp_decode isn't
limited to work on flex data after all -- we don't guarantee the
additional NUL bytes, and we don't even document such
requirements. Thus, your decision to report this bug and the analysis
have been correct, good job!

After all, we don't need to write another security announcement this
time, so the further analysis has saved us some work and bad news.

-- 
Matthias Andree
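The property Matthias asks for, that qp_decode() stays safe no matter what is fed to it and regardless of any slack bytes flex happens to leave after the buffer, comes down to bounding every read by the input length and every write by an explicit output capacity. The decoder below is an added illustration written for this page, not bogofilter's qp_decode() and not flex-generated code; the function names and the fixed 64-byte scratch buffers in the check helpers are assumptions made for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Value of one hex digit, or -1 if c is not a hex digit. */
static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/*
 * Decode quoted-printable from in[0..inlen) into out[0..outcap).
 * Every read is bounded by inlen and every write by outcap, so the
 * caller's buffer layout (flex's two trailing NULs or not) plays no
 * part in safety.  Returns the number of bytes written, or (size_t)-1
 * if out is too small.  The output is not NUL-terminated; reserve a
 * byte yourself if you need a C string.
 */
size_t qp_decode_bounded(const unsigned char *in, size_t inlen,
                         unsigned char *out, size_t outcap)
{
    size_t i = 0, o = 0;

    while (i < inlen) {
        unsigned char c = in[i];

        if (c != '=') {                       /* ordinary byte */
            if (o >= outcap) return (size_t)-1;
            out[o++] = c;
            i++;
            continue;
        }
        if (i + 1 >= inlen) {                 /* lone '=' at end: keep it */
            if (o >= outcap) return (size_t)-1;
            out[o++] = '=';
            i++;
            continue;
        }
        if (in[i + 1] == '\n') { i += 2; continue; }   /* soft break "=\n" */
        if (in[i + 1] == '\r') {                        /* soft break "=\r\n" */
            i += 2;
            if (i < inlen && in[i] == '\n') i++;
            continue;
        }
        if (i + 2 < inlen) {                  /* "=XX" -> one byte */
            int hi = hexval(in[i + 1]), lo = hexval(in[i + 2]);
            if (hi >= 0 && lo >= 0) {
                if (o >= outcap) return (size_t)-1;
                out[o++] = (unsigned char)(hi * 16 + lo);
                i += 3;
                continue;
            }
        }
        /* Malformed escape: pass the '=' through and carry on, so junk
         * input neither stalls the decoder nor drops bytes silently. */
        if (o >= outcap) return (size_t)-1;
        out[o++] = '=';
        i++;
    }
    return o;
}

/* Check helper (example only): does decoding in give exactly expect? */
int qp_decode_matches(const char *in, const char *expect, size_t expect_len)
{
    unsigned char buf[64];                    /* assumed scratch size */
    size_t n = qp_decode_bounded((const unsigned char *)in, strlen(in),
                                 buf, sizeof buf);
    return n == expect_len && memcmp(buf, expect, expect_len) == 0;
}

/* Check helper (example only): is a cap-byte output rejected, not overrun? */
int qp_decode_overflows(const char *in, size_t cap)
{
    unsigned char buf[64];                    /* assumed scratch size */
    return qp_decode_bounded((const unsigned char *)in, strlen(in),
                             buf, cap) == (size_t)-1;
}

int main(void)
{
    /* Constructed sample: hex escape, soft line break, malformed escape. */
    const char *sample = "a=3Db=\r\nc=ZZ";
    unsigned char out[64];
    size_t n = qp_decode_bounded((const unsigned char *)sample,
                                 strlen(sample), out, sizeof out);
    printf("decoded %zu bytes: %.*s\n", n, (int)n, out);
    return 0;
}
```

The two places a lenient decoder usually goes wrong on junk are an "=" with fewer than two bytes after it and a hex escape that produces a NUL; both are handled above without ever touching memory outside the ranges the caller handed in.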
