Dailydave mailing list archives

Previous By Date Next
Previous By Thread Next

Re: [fuzzing] Coverage and a recent paper by L. Suto

From: Alexander Sotirov <alex () sotirov net>
Date: Thu, 25 Oct 2007 20:23:27 -0700
On Thu, Oct 25, 2007 at 01:02:12PM +0200, Nicolas RUFF wrote:

Using the free Fortify SCA 4 software that comes with "static analysis"
book, a buffer overflow condition is always detected (whatever rnd[] value).

Using Microsoft Visual Studio 2005 (Microsoft provided VHD) with
"/analyze", no buffer overflow is detected (whatever rnd[] value).


Using the following perl script two buffer overflows are detected:
cat vuln.c | perl -ne '/rnd\[i\]/ and print "Buffer overflow!\n"'

This post does have a point. Discuss among yourselves.

Alex

Attachment: _bin
Description: 

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave
Previous By Date Next
Previous By Thread Next

Current thread: