[vlc] Can we trust local fake "registry" file?

Rémi Denis-Courmont rdenis at simphalempin.com
Mon Sep 8 08:13:28 CEST 2008


On Mon, 8 Sep 2008 13:12:53 +0800, "tielei.wang" <tielei.wang at gmail.com>
wrote:
> reg_size is read from a file. If reg_size is huge enough,
> reg_size*sizeof(struct reg_value) will overflow.

True, this is a bug. However, if you use the loader, you have to trust the
stuff it loads in any case, since the whole point is to load a DLL and run
code from it. In other words, you just cannot use the loader against
untrusted files. So I would not see this specific overflow as a security
problem.

-- 
Rémi Denis-Courmont




More information about the vlc mailing list