I notice that we don't currently use LZMA (de)compression anywhere in
Gecko, AFAICS.
The proposed WOFF 2.0 format[1], under discussion in the W3C webfonts
working group, includes the use of the LZMA entropy coder as a
better-compressing alternative to zlib.
If the proposed spec goes forward and we implement this, it will mean
exposing the LZMA decoder to untrusted data from the Web (i.e. webfont
resources). Do we have any insight into the reliability/security of the
LZMA code[2], or any experience of testing (fuzzing, etc) to determine
whether we can safely use this library in a web-exposed way?
Any insight or advice would be welcome...
JK
[1] http://lists.w3.org/Archives/Public/www-font/2012JanMar/0002.html
[2] http://www.7-zip.org/sdk.html
_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security
