pure D JPEG decoder, with progressive JPEG support, public domain
Observer via Digitalmars-d-announce
digitalmars-d-announce at puremagic.com
Sat Jun 18 12:52:20 PDT 2016
On Friday, 17 June 2016 at 14:20:14 UTC, ketmar wrote:
> ah, i also put `.ptr` to array access to skip bounds checking
> -- i love to build my code with bounds checking on, and i don't
> feel that i need it in this decoder -- it should be fairly
> well-tested.
This statement stands out as a problem. There are lots of security
notices out there that refer to media-decoding problems. Remember,
in the context of image decoding, you're often handling untrusted
data from external sources. The security notices often talk about
"carefully crafted" files; here's just one simple example:
http://www.videolan.org/security/sa0702.html
Here are a couple more, regarding the infamous Adobe Flashplayer:
https://hackerone.com/reports/30567
https://hackerone.com/reports/36279
Not convinced? Let's not stop there; let's look specifically at
what has happened with JPEG in the past, such as:
http://download.oracle.com/sunalerts/1000310.1.html
http://www.theregister.co.uk/2004/09/24/jpeg_exploit_toolkit/
You need to think not just about your own code, but also about the
overall environment in which it will operate.
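
The point made in the message above, as an added example that is not part of the original post and is not code from ketmar's decoder: a bounds-checked parse of a JPEG Huffman-table (DHT) payload, where the declared code counts come from the file and so cannot be trusted. The names `HuffTable` and `parseDht` and the sample bytes are constructed for this illustration.

```d
/// Parsed Huffman table (field names are this example's own).
struct HuffTable
{
    ubyte[16] counts;   // number of codes of each bit length 1..16
    ubyte[256] symbols; // symbol values, in code order
    size_t total;       // how many entries of `symbols` are valid
}

/// Parse one table from a DHT payload (the bytes after the two-byte
/// segment length). Returns false on malformed input instead of reading
/// past `seg` or writing past `symbols`. Marked @safe so every index
/// below is bounds-checked and unchecked `.ptr` indexing is not accepted.
bool parseDht(const(ubyte)[] seg, out HuffTable table) @safe
{
    if (seg.length < 17)           // class/id byte + 16 count bytes
        return false;
    size_t total = 0;
    foreach (i; 0 .. 16)
    {
        table.counts[i] = seg[1 + i];
        total += table.counts[i];
    }
    // The 16 counts can sum to 4080, far more than the table holds or
    // the segment contains, so both limits are checked before copying.
    if (total > table.symbols.length || seg.length - 17 < total)
        return false;
    foreach (i; 0 .. total)
        table.symbols[i] = seg[17 + i];
    table.total = total;
    return true;
}

void main()
{
    HuffTable t;

    // Constructed well-formed payload: one 2-bit code, two 3-bit codes.
    auto good = new ubyte[](17 + 3);
    good[2] = 1; good[3] = 2;
    good[17] = 5; good[18] = 6; good[19] = 7;
    assert(parseDht(good, t) && t.total == 3);

    // Constructed malformed payload: declares 200 symbols, carries 3.
    auto bad = good.dup;
    bad[1] = 200;
    assert(!parseDht(bad, t));
}
```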