[Dailydave] [fuzzing] Coverage and a recent paper by L. Suto

Alexander Sotirov alex at sotirov.net
Thu Oct 25 23:23:27 EDT 2007


On Thu, Oct 25, 2007 at 01:02:12PM +0200, Nicolas RUFF wrote:
> Using the free Fortify SCA 4 software that comes with "static analysis"
> book, a buffer overflow condition is always detected (whatever rnd[] value).
> 
> Using Microsoft Visual Studio 2005 (Microsoft provided VHD) with
> "/analyze", no buffer overflow is detected (whatever rnd[] value).

Using the following perl script two buffer overflows are detected:
cat vuln.c | perl -ne '/rnd\[i\]/ and print "Buffer overflow!\n"'

This post does have a point. Discuss among yourselves.

Alex
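
Added example, not part of the original post or of any tool it names: both quoted results are reported as holding "whatever rnd[] value", so this checks whether the finding count of the one-liner's pattern changes when those values change. The C sample, its array values and the function names are constructed for illustration, since vuln.c itself is not shown in the thread.

```python
import re

# Constructed stand-in for vuln.c (the real file is not shown in the post).
TEMPLATE = """\
int rnd[4] = {{{values}}};
char buf[8];
for (i = 0; i < 4; i++) {{
    buf[rnd[i]] = 'A';
    printf("%d\\n", rnd[i]);
}}
"""

# Constructed index sets: one stays inside buf[8], one does not.
VARIANTS = {
    "in_bounds": [0, 3, 5, 7],
    "out_of_bounds": [0, 3, 8, 64],
}

def render(values):
    return TEMPLATE.format(values=", ".join(map(str, values)))

def pattern_detector(source):
    """Same regex as the perl one-liner: one finding per matching line."""
    return sum(1 for line in source.splitlines() if re.search(r"rnd\[i\]", line))

def ground_truth(source):
    """Count out-of-range indexes by reading the sample's initializer and buffer size."""
    init = re.search(r"rnd\[\d+\] = \{(.*?)\}", source).group(1)
    size = int(re.search(r"buf\[(\d+)\];", source).group(1))
    return sum(1 for v in init.split(",") if not 0 <= int(v) < size)

def compare():
    """Map variant name -> (detector findings, real out-of-bounds writes)."""
    rows = {}
    for name, values in VARIANTS.items():
        src = render(values)
        rows[name] = (pattern_detector(src), ground_truth(src))
    return rows

def verdict_tracks_values(rows):
    """True only if the detector's finding count changes when the values do."""
    return len({findings for findings, _ in rows.values()}) > 1

if __name__ == "__main__":
    rows = compare()
    for name, (findings, real) in rows.items():
        print(f"{name:14s} findings={findings} real out-of-bounds writes={real}")
    print("verdict depends on rnd[] values:", verdict_tracks_values(rows))
```
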