
This Tweet was deleted by the Tweet author.
Sharing image editing documents / word processing documents, etc. is irresponsible? What about media files? It's certainly a design objective of SQLite to handle untrusted files properly and they put far more effort into that than most alternative file format implementations.
They are also far more successful at avoiding vulnerabilities in practice. Still, there are occasional memory corruption bugs. It doesn't make sense to blame them rather than the tooling. I would certainly rather open an untrusted SQLite database than an MP4 file with FFmpeg.
There's a huge trusted computing base for that. It's far easier and more realistic to write a safe PNG -> pixels parser than it is to make a safe sandbox for arbitrary native code execution by an attacker. The easiest boundary to defend is preventing initial arbitrary code exec.
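To make the "safe PNG -> pixels parser" boundary concrete, here is an added illustration that is not part of this thread: a chunk-level PNG walker that bounds-checks every length against the remaining buffer and verifies every chunk CRC before the payload is handed to anything else. The sample PNG is constructed inline; zlib decompression and scanline filter decoding are left out so the structural checks stay visible.

```python
import struct
import zlib
PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
MAX_LEN = 2**31 - 1  # upper bound the PNG spec places on chunk lengths and dimensions


def parse_png_chunks(data: bytes):
    """Return [(type, payload), ...]; raise ValueError on any structural defect.
    Every length is bounds-checked before slicing and every chunk CRC is verified."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("bad PNG signature")
    pos, chunks = len(PNG_SIGNATURE), []
    while pos < len(data):
        if len(data) - pos < 12:  # length(4) + type(4) + crc(4) is the minimum
            raise ValueError("truncated chunk header")
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        if length > MAX_LEN or length > len(data) - pos - 12:
            raise ValueError(f"chunk {ctype!r}: length {length} exceeds buffer")
        payload = data[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])
        if zlib.crc32(ctype + payload) != crc:
            raise ValueError(f"chunk {ctype!r}: CRC mismatch")
        chunks.append((ctype, payload))
        pos += 12 + length
        if ctype == b"IEND":  # trailing bytes after IEND are ignored, never parsed
            break
    if not chunks or chunks[0][0] != b"IHDR" or chunks[-1][0] != b"IEND":
        raise ValueError("IHDR must come first and IEND last")
    return chunks


def parse_ihdr(payload: bytes):
    if len(payload) != 13:  # IHDR is fixed-size; reject anything else
        raise ValueError("IHDR must be exactly 13 bytes")
    w, h, depth, ctype, _comp, _filt, _ilace = struct.unpack(">IIBBBBB", payload)
    if not (0 < w <= MAX_LEN and 0 < h <= MAX_LEN):
        raise ValueError("invalid image dimensions")
    return {"width": w, "height": h, "bit_depth": depth, "color_type": ctype}


def is_valid_png(data: bytes) -> bool:
    try:
        return bool(parse_png_chunks(data))
    except ValueError:
        return False


def make_chunk(ctype: bytes, payload: bytes) -> bytes:
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", zlib.crc32(ctype + payload))


# Constructed sample input: a 1x1 8-bit grayscale PNG (scanline = filter byte + one pixel).
SAMPLE_PNG = (PNG_SIGNATURE + make_chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
              + make_chunk(b"IDAT", zlib.compress(b"\x00\x00")) + make_chunk(b"IEND", b""))
```

A truncated file, a flipped payload byte, or an oversized length field each fails closed with a ValueError rather than reaching the pixel decoder.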
And these things are not mutually exclusive. Using a sandbox does not mean you can't also use a safer PNG implementation. I asked which library you would pick, which is still entirely relevant with a sandbox and determines how tightly implemented the sandbox can be too.
So how exactly is the caller going to get the pixels out of the process? Shared memory? And which PNG library is going to work in this kind of environment, since the whole point was which PNG library you would use. It's not a super complex file format like many others.