Thank you Thomas. This is clear now.
On Monday, July 10, 2017 at 2:38:48 PM UTC, Thomas Van Lenten wrote:
>
> If you look at the calling code, they can't ever overflow; most of the
> concern with these types of functions is when taking input from a third
> party, and these are used between the generator code and runtime, so both
> are known sources. The page you linked to also talks about Microsoft-only
> replacements, so I'm not sure how much I'd take the advice of that page, as
> the replacements don't exist on all platforms.
>
> TVL
>
>
> On Friday, July 7, 2017 at 1:57:28 PM UTC-4, Michael Muriuki wrote:
>>
>> Hi,
>>
>> I am new to the ProtoBuf library and only use it as part of Google's
>> libraries. Recently our security team indicated that the library in iOS
>> uses some of the banned API functions listed here
>> <https://msdn.microsoft.com/en-us/library/bb288454.aspx>.
>> Does anyone know why these have not been replaced with the safer
>> alternatives
>> and what measures are in place to ensure that the code is not susceptible
>> to buffer overflow injection?
>>
>> The functions *strlen, memcpy* and *memmove* are used in the following
>> Protobuf code.
>>
>> GPBCodedOutputStream.h
>> GPBCodedOutputStream.h
>> GPBDescriptor.h
>> GPBDescriptor.m
>> GPBMessage.h
>> GPBMessage.m
>> GPBRootObject.h
>> GPBRootObject.h
>>
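Added example, not part of the thread and not Protobuf code: the case the reply singles out, where the length handed to memcpy or the bytes handed to strlen come from a third party and so must be bounded first. The record layout and the names copy_field_checked and bounded_strlen are assumptions made for this illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical record layout (an assumption, not protobuf's wire format):
 * one length byte followed by that many payload bytes. */

/* Copies the payload into dst. Returns the number of bytes copied, or -1
 * when the claimed length exceeds the input or the destination. */
int copy_field_checked(const uint8_t *in, size_t in_len,
                       uint8_t *dst, size_t dst_cap)
{
    if (in == NULL || dst == NULL || in_len < 1)
        return -1;
    size_t claimed = in[0];          /* value chosen by the sender */
    if (claimed > in_len - 1)        /* memcpy would read past the input */
        return -1;
    if (claimed > dst_cap)           /* memcpy would write past dst */
        return -1;
    memcpy(dst, in + 1, claimed);    /* both bounds are now established */
    return (int)claimed;
}

/* strlen() keeps scanning until it meets a NUL; on third-party bytes that
 * may be past the buffer. memchr() limits the scan to cap bytes.
 * Returns the string length, or -1 if no terminator lies within cap. */
long bounded_strlen(const char *s, size_t cap)
{
    const char *nul = memchr(s, '\0', cap);
    return nul ? (long)(nul - s) : -1;
}

int main(void)
{
    /* Constructed sample inputs. */
    const uint8_t honest[] = {3, 'a', 'b', 'c'};
    const uint8_t lying[]  = {200, 'a', 'b'};   /* claims 200, carries 2 */
    uint8_t dst[4];

    printf("honest: %d\n", copy_field_checked(honest, sizeof honest, dst, sizeof dst));
    printf("lying:  %d\n", copy_field_checked(lying, sizeof lying, dst, sizeof dst));
    return 0;
}
```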
