Closed bdrangel closed 4 years ago
Hi. Yes, we used low-level C techniques because of a lack of other options to do the same thing and/or because of performance optimizations.
I reviewed the code and couldn't find potential problems with the code. If you can find a potential security issue with the code, please share your arguments why it's insecure and how to fix it.
These pieces of code have been battle-tested through the years and I can't remember any problems with them.
Meanwhile, about "using malloc = security bugs" and other generalities: https://stackoverflow.com/questions/2840940/is-it-secure-to-use-malloc
Closing the issue. Let's reopen once a real security issue is found in the code.
Thanks for raising your concerns @bdrangel, and thanks as always @alexgarbarev for addressing them.
Currently, we are using Typhoon as DI in our app. After a static code analysis of our app, the use of malloc and memcpy was reported as security bugs. Has anybody else reported this before? We want to know if you already have an explanation for this usage or if there is a plan to change the method in a future version.
The problem was detected in the following classes:
malloc: Source/Factory/Internal/NSInvocation+TCFWrapValues.m, Source/Factory/Internal/NSInvocation+TCFInstanceBuilder.m
memcpy: Source/Utils/TyphoonIntrospectionUtils.m