If you look at the calling code, they can't ever overflow; most of the concern with these types of functions is when taking input from a third party, and these are used between the generator code and runtime, so both are known sources. The page you linked to also talks about Microsoft-only replacements, so I'm not sure how much I'd take the advice of that page, as the replacements don't exist on all platforms.

TVL

On Friday, July 7, 2017 at 1:57:28 PM UTC-4, Michael Muriuki wrote:
>
> Hi,
>
> Am new to the ProtoBuf library and only use it as part of the Google's
> libraries. Recently our security team indicated that the library in iOS
> uses some of the banned API functions listed here
> <https://msdn.microsoft.com/en-us/library/bb288454.aspx>.
> Does anyone know why these have not been replaced with the safer
> alternatives and what measures are in place to ensure that the code is
> not susceptible to buffer overflow injection?
>
> The functions *strlen, memcpy* and *memmove* are used in the following
> Protobuf code.
>
> GPBCodedOutputStream.h
> GPBCodedOutputStream.h
> GPBDescriptor.h
> GPBDescriptor.m
> GPBMessage.h
> GPBMessage.m
> GPBRootObject.h
> GPBRootObject.h
>
