Bugtraq mailing list archives
Re: ActiveX Buffer Overruns and BSTR's
From: aviram () JENIK COM (Aviram Jenik)
Date: Wed, 6 Oct 1999 21:38:08 +0200
----- Original Message -----
From: "Scott, Richard" <Richard.Scott () BESTBUY COM>
To: <BUGTRAQ () SECURITYFOCUS COM>
Sent: Wednesday, October 06, 1999 5:10 PM
Subject: Re: ActiveX Buffer Overruns and BSTR's
As my understanding goes, a BSTR is simply a 32-bit pointer to a character array? ... It's just that COM wraps all the pointer stuff and just lets us get on with the more interesting stuff. I am sure that a buffer overflow could occur; whether it could be used for a breach of security is something that may need further research into.
Yes, but that would be an implementation flaw in COM. What we were discussing here is whether or not it's possible to overflow buffers under *normal* circumstances. Although COM uses pointers in the underlying implementation, you only have access to it before and after the wrapping is done. This means that if COM wrapped the BSTR correctly (which is what we're assuming right now) the overflow can only occur when you extract the BSTR into a smaller buffer. I believe you have to be pretty stupid to do that (BSTR includes its own size, for God's sake).
-------------------------
Aviram Jenik
"Addicted to Chaos"
-------------------------
Today's quote:
- Real programmers think structured programming is a communist plot.
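Added example, not part of the original post: the case the reply describes, extracting a BSTR into a smaller fixed buffer, with the copy bounded by the BSTR's own length prefix. The layout is simulated portably; `ochar`, the `mock_bstr_*` helpers and `bstr_to_fixed` are hypothetical names standing in for OLECHAR, SysAllocStringLen() and SysStringLen(), and the sample string is constructed.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

typedef uint16_t ochar;              /* stand-in for the 16-bit OLECHAR */
/* Constructed stand-in for SysAllocStringLen(): a 4-byte byte-count prefix,
 * the characters, then a NUL. The pointer returned addresses the first
 * character, which is how a real BSTR is laid out. */
static ochar *mock_bstr_alloc(const ochar *src, uint32_t nchars)
{
    if (nchars > (UINT32_MAX - 8) / sizeof(ochar)) return NULL;
    uint32_t nbytes = nchars * (uint32_t)sizeof(ochar);
    unsigned char *p = malloc(sizeof nbytes + nbytes + sizeof(ochar));
    if (!p) return NULL;
    memcpy(p, &nbytes, sizeof nbytes);
    memcpy(p + sizeof nbytes, src, nbytes);
    memset(p + sizeof nbytes + nbytes, 0, sizeof(ochar));
    return (ochar *)(p + sizeof nbytes);
}

static void mock_bstr_free(ochar *b) { if (b) free((unsigned char *)b - 4); }

/* Stand-in for SysStringLen(): character count read from the prefix. */
static uint32_t mock_bstr_len(const ochar *b)
{
    uint32_t nbytes = 0;
    if (b) memcpy(&nbytes, (const unsigned char *)b - sizeof nbytes, sizeof nbytes);
    return nbytes / (uint32_t)sizeof(ochar);
}

/* Copy into a fixed buffer of dst_chars characters. Returns 0 on success,
 * -1 (dst set to "") when the string plus terminator does not fit. */
static int bstr_to_fixed(ochar *dst, size_t dst_chars, const ochar *b)
{
    uint32_t n = mock_bstr_len(b);
    if (dst_chars == 0) return -1;
    if ((size_t)n + 1 > dst_chars) { dst[0] = 0; return -1; }
    if (n) memcpy(dst, b, (size_t)n * sizeof(ochar));
    dst[n] = 0;
    return 0;
}

int main(void)
{
    const ochar s[] = { 'A', 'B', 0, 'C', 'D' };  /* constructed, embedded NUL */
    ochar small[4], *b = mock_bstr_alloc(s, 5);
    int rc = b ? bstr_to_fixed(small, 4, b) : 0;  /* 5 chars + NUL > 4 */
    mock_bstr_free(b);
    return rc == -1 ? 0 : 1;
}
```

A NUL scan over the sample would stop at the embedded NUL and report 2 characters, while the prefix reports 5, which is why the bound is taken from the prefix.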