Bugtraq mailing list archives

Re: ActiveX Buffer Overruns and BSTR's


From: aviram () JENIK COM (Aviram Jenik)
Date: Wed, 6 Oct 1999 21:38:08 +0200


----- Original Message -----
From: "Scott, Richard" <Richard.Scott () BESTBUY COM>
To: <BUGTRAQ () SECURITYFOCUS COM>
Sent: Wednesday, October 06, 1999 5:10 PM
Subject: Re: ActiveX Buffer Overruns and BSTR's

As my understanding goes, a BSTR is simply a 32bit pointer to a
character array?

...

It's just that COM wraps all the pointer stuff and just lets us get
on with the more interesting stuff. I am sure that a buffer overflow could
occur; whether it could be used for a breach of security is something that
may need further research into.


Yes, but that would be an implementation flaw in COM. What we were
discussing here is whether or not it's possible to overflow buffers under
*normal* circumstances.
Although COM uses pointers in the underlying implementation, you only have
access to it before and after the wrapping is done. This means that if COM
wrapped the BSTR correctly (which is what we're assuming right now) the
overflow can only occur when you extract the BSTR into a smaller buffer. I
believe you have to be pretty stupid to do that (BSTR includes its own size,
for God's sake).

-------------------------
Aviram Jenik

"Addicted to Chaos"

-------------------------
Today's quote:

- Real programmers think structured programming is a communist
  plot.


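The point above about the BSTR carrying its own length can be exercised without a Windows box. The following is an added example, not code from the thread or from OleAut32: the `my_*` helpers are a portable stand-in for `SysAllocStringLen`, `SysStringLen` and `SysFreeString`, reproducing the documented layout (a 32-bit byte count, excluding the terminating null, stored immediately before the character data; the returned pointer points at the data). The sample string "ab\0cd" with an embedded NUL is constructed here to show why copying a BSTR as if it were a C string is the mistake being discussed, and `extract_bstr` is the size-checked extraction a receiver should do instead.

```c
/* Added example (not from the original thread): a portable re-implementation
 * of the BSTR memory layout so the "BSTR includes its own size" point can be
 * exercised outside Windows. Real BSTRs come from SysAllocStringLen and
 * friends in OleAut32; the my_* helpers here are stand-ins for illustration. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

typedef uint16_t OLECHAR;       /* 16-bit code unit, as on Windows */
typedef OLECHAR *BSTR;

/* Layout: [uint32 byte length][OLECHAR data ...][OLECHAR 0]
 * The pointer handed out points at the data, so it can be passed around as
 * a plain wide string; the length lives 4 bytes before it. */
BSTR my_SysAllocStringLen(const OLECHAR *src, uint32_t nchars)
{
    size_t bytes = (size_t)nchars * sizeof(OLECHAR);
    unsigned char *block = malloc(sizeof(uint32_t) + bytes + sizeof(OLECHAR));
    if (!block) return NULL;
    uint32_t len = (uint32_t)bytes;
    memcpy(block, &len, sizeof len);          /* byte count, excludes terminator */
    BSTR s = (BSTR)(block + sizeof(uint32_t));
    if (src) memcpy(s, src, bytes);
    else memset(s, 0, bytes);
    s[nchars] = 0;
    return s;
}

uint32_t my_SysStringLen(BSTR s)
{
    if (!s) return 0;                          /* a NULL BSTR means the empty string */
    uint32_t bytes;
    memcpy(&bytes, (unsigned char *)s - sizeof(uint32_t), sizeof bytes);
    return bytes / sizeof(OLECHAR);
}

void my_SysFreeString(BSTR s)
{
    if (s) free((unsigned char *)s - sizeof(uint32_t));
}

/* The pattern the thread warns about: treating the BSTR as a C string and
 * scanning for the terminator. This stops early at an embedded NUL and, worse,
 * learns nothing about the destination's capacity before copying. */
size_t naive_len(BSTR s)
{
    size_t n = 0;
    while (s[n] != 0) n++;
    return n;
}

/* Size-checked extraction into a caller-supplied buffer of dstcap OLECHARs.
 * Returns the number of characters copied, or -1 if the BSTR does not fit;
 * the length prefix, not the terminator, decides. */
int extract_bstr(BSTR s, OLECHAR *dst, size_t dstcap)
{
    uint32_t n = my_SysStringLen(s);
    if (dstcap == 0 || n > dstcap - 1) return -1;   /* keep room for the terminator */
    memcpy(dst, s, (size_t)n * sizeof(OLECHAR));
    dst[n] = 0;
    return (int)n;
}

/* Build a BSTR from narrow ASCII for the demo (constructed input, n <= 63). */
BSTR bstr_from_ascii(const char *a, size_t n)
{
    OLECHAR tmp[64];
    if (n > 63) return NULL;
    for (size_t i = 0; i < n; i++) tmp[i] = (OLECHAR)(unsigned char)a[i];
    return my_SysAllocStringLen(tmp, (uint32_t)n);
}

int main(void)
{
    /* "ab\0cd": five characters with an embedded NUL, which a BSTR may hold. */
    BSTR s = bstr_from_ascii("ab\0cd", 5);
    OLECHAR small[4], big[16];
    printf("prefix says %u chars, strlen-style scan says %zu\n",
           my_SysStringLen(s), naive_len(s));
    printf("into 4-slot buffer: %d\n", extract_bstr(s, small, 4));
    printf("into 16-slot buffer: %d\n", extract_bstr(s, big, 16));
    my_SysFreeString(s);
    return 0;
}
```

The prefix reports 5 characters while the terminator scan reports 2, and the checked extraction refuses the 4-slot buffer rather than writing past it. The same discipline applies with the real API: size the destination from `SysStringLen` (or `SysStringByteLen`), never from `wcslen`.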