Thank you Thomas.

This is clear now. 

On Monday, July 10, 2017 at 2:38:48 PM UTC, Thomas Van Lenten wrote:
>
> If you look at the calling code, they can't ever overflow; most of the 
> concern with these types of functions is when taking input from a third 
> party, and these are used between the generator code and runtime, so both 
> are known sources.  The page you linked to also talks about Microsoft-only 
> replacements, so I'm not sure how much I'd take the advice of that page, as 
> the replacements don't exist on all platforms.
>
> TVL
>
>
> On Friday, July 7, 2017 at 1:57:28 PM UTC-4, Michael Muriuki wrote:
>>
>> Hi,
>>
>> I am new to the ProtoBuf library and only use it as part of Google's 
>> libraries. Recently our security team indicated that the library in iOS 
>> uses some of the banned API functions listed here 
>> <https://msdn.microsoft.com/en-us/library/bb288454.aspx>. 
>> Does anyone know why these have not been replaced with the safer 
>> alternatives 
>> and what measures are in place to ensure that the code is not susceptible 
>> to buffer overflow injection?
>>
>> The functions *strlen, memcpy* and *memmove* are used in the following 
>> Protobuf code.
>>
>> GPBCodedOutputStream.h
>> GPBCodedOutputStream.h
>> GPBDescriptor.h
>> GPBDescriptor.m
>> GPBMessage.h
>> GPBMessage.m
>> GPBRootObject.h
>> GPBRootObject.h
>>
>
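The distinction drawn in the reply above (lengths from known sources versus lengths supplied by a third party), shown as an added example that is not part of this thread or of the Protocol Buffers code base: a portable C routine that copies a length-delimited field out of untrusted bytes, checking the declared length against both the remaining input and the destination capacity before calling memcpy. The function names and sample bytes are hypothetical and constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Decode a base-128 varint; returns bytes consumed, or 0 if truncated or too long. */
static size_t read_varint(const uint8_t *in, size_t in_len, uint64_t *out) {
    uint64_t v = 0;
    for (size_t i = 0; i < in_len && i < 10; i++) {
        v |= (uint64_t)(in[i] & 0x7F) << (7 * i);
        if ((in[i] & 0x80) == 0) { *out = v; return i + 1; }
    }
    return 0;
}

/* Hypothetical helper: copy one length-delimited payload from untrusted input
 * into dst. Returns 0 and sets *out_len on success, -1 if the declared length
 * cannot be trusted. Uses only standard C, so it builds on every platform. */
int copy_length_delimited(const uint8_t *in, size_t in_len,
                          uint8_t *dst, size_t dst_cap, size_t *out_len) {
    uint64_t len;
    size_t hdr = read_varint(in, in_len, &len);
    if (hdr == 0) return -1;              /* malformed length prefix */
    if (len > in_len - hdr) return -1;    /* claims more bytes than were received */
    if (len > dst_cap) return -1;         /* would overflow the destination */
    memcpy(dst, in + hdr, (size_t)len);   /* length is now proven in bounds */
    *out_len = (size_t)len;
    return 0;
}

int main(void) {
    /* Constructed samples: an honest field, and one whose prefix claims 127 bytes. */
    const uint8_t honest[] = {0x03, 'a', 'b', 'c'};
    const uint8_t lying[]  = {0x7F, 'a', 'b'};
    uint8_t dst[8];
    size_t n = 0;
    printf("honest: %d\n",
           copy_length_delimited(honest, sizeof honest, dst, sizeof dst, &n));
    printf("lying:  %d\n",
           copy_length_delimited(lying, sizeof lying, dst, sizeof dst, &n));
    return 0;
}
```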