A step in the wrong direction, in an ocean of steps in the right direction (try 3)

Ben Klein shacklein at gmail.com
Sun Jan 25 08:38:55 CST 2009


It's all been said, by myself and others. I just want something clarified.

2009/1/25 Guillaume SH <gsh.debianlists at gmail.com>:
> Regarding the part of your mail where you wrote: "that's actually
> good that applications crash when
> they pass invalid data", I must admit I don't understand your point at
> all. It seems to me a dogma, not the result of some thought or stand
> back.

If an application ends up with invalid data (possibly due to a bug in
the app, possibly due to corrupt data files, possibly due to user
input without proper checking in the app), a call to the function in
question (or any other function, for that matter) could easily end up
with invalid data.

In the case of invalid data crashing the application, the application
stops functioning, and no (further) damage can be caused.

In the case where Wine does something that win32/Windows doesn't,
which is to allow the program to continue with its invalid data, there
is potential for your system to become compromised by the application
continuing. What you describe as a potential exploit by crashing an
app with invalid data in this case could easily be used as an exploit
the other way, and something that specifically targets Wine, since the
behaviour is different in Windows, where the app crashes on invalid
data.

It's possible. It's potential. It's theoretical. It's something that
could be implemented as a proof-of-concept. It should be fixed, and
doing what the other guy does, when there are only two in the field,
makes sense when you're already trying to do what the other guy does
(which is run Windows applications). It doesn't even need to be
exactly the same code, as long as it has the same effect. There's
already been a suggestion for an alternative way to do the same thing.



More information about the wine-devel mailing list