oss-sec mailing list archives
Re: Re: jasper: memory allocation failure in jas_malloc (jas_malloc.c)
From: Agostino Sarubbo <ago () gentoo org>
Date: Wed, 26 Oct 2016 10:08:56 +0200
On Tuesday 25 October 2016 12:13:44 Tavis Ormandy wrote:
> I'm not sure I understand the concern here. Isn't it usually expected that
> the administrator configures appropriate ulimits, and the code should just
> handle allocation failure gracefully? If we are considering *not*
> implementing arbitrary hardcoded limits a security problem, that seems like
> a significant change in software design philosophy (I've heard it called
> the zero-one-infinity rule before).
>
> Tavis.
Tavis, more or less I agree with you, but since some time ago I saw that similar bugs received a CVE, I thought that these types of bugs could interest the community, so I'm sharing them. If I'm not mistaken, CWE-789 covers these types of bugs.

--
Agostino
Current thread:
- jasper: memory allocation failure in jas_malloc (jas_malloc.c) Agostino Sarubbo (Oct 18)
- Re: jasper: memory allocation failure in jas_malloc (jas_malloc.c) cve-assign (Oct 22)
- Re: Re: jasper: memory allocation failure in jas_malloc (jas_malloc.c) Tavis Ormandy (Oct 25)
- Re: Re: jasper: memory allocation failure in jas_malloc (jas_malloc.c) Agostino Sarubbo (Oct 26)
- Re: Re: jasper: memory allocation failure in jas_malloc (jas_malloc.c) Simon McVittie (Oct 26)