mmm, in looking it seems we check length versus data in all the  
places a cursory scan show, but.

What if I pass -1 as width to
primitiveWrite24BmpLine

or
perhaps pass something odd to
primAECoerceDesc: typeCode to: result.



On 31-Jul-06, at 10:49 PM, Andreas Raab wrote:

> John M McIntosh wrote:
>> Ah, I'll note that the squeak VM really hasn't been hardened  
>> against attack, it's much less paranoid than the VW VM.
>> In many places we might pass a ByteArray and a length, where the  
>> length is calculated from the ByteArray in Smalltalk however
>> nothing prevents someone from making that VM call with a bogus  
>> ByteArray and length and see if something interesting will happen.
>
> Which places are that?
>
> Cheers,
>   - Andreas
>

--
======================================================================== 
===
John M. McIntosh <johnmci at smalltalkconsulting.com>
Corporate Smalltalk Consulting Ltd.  http://www.smalltalkconsulting.com
======================================================================== 
===