> He asks how it's possible, but avoids the obvious?
He’s not asking “how does this cause corruption”, he’s asking “how is it possible that a bug like this can occur in a code base like this, and not be caught earlier”.
He then enumerates all the myriad “correct” things that Mozilla do (did?), including code reviews, fuzzing, static analysis, bug bounties, etc and yet something as trivially trivial as copying an arbitrarily large amount of data into a buffer without verifying it fit went unnoticed.
Personally I think it’s a good example of how overvalued static analysis is when something this trivial is not reported (I suspect the issue is SA tools have to avoid too many false positives and reporting every memcpy that only checks one size could be too “noisy”).
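The bug shape the comment describes, as an added example that is not Mozilla's code or code from the article under discussion: a parser for a length-prefixed chunk whose memcpy checks only one size (the declared length stays inside the input), beside the form that also checks the size that matters for memory safety (the declared length fits the destination). The 64-byte `chunk_t`, the big-endian u16 length prefix and `build_message` are assumptions made for illustration; the "unchecked" function is the "before" form and is only ever called with inputs that fit.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed for this example: a fixed-capacity destination for one
   length-prefixed chunk of a message. Hypothetical layout, not Mozilla's. */
#define CHUNK_CAPACITY 64

typedef struct {
    uint8_t payload[CHUNK_CAPACITY];
    size_t  len;
} chunk_t;

/* Hypothetical wire format: a big-endian u16 length followed by that many bytes. */
static size_t read_u16_be(const uint8_t *p)
{
    return ((size_t)p[0] << 8) | p[1];
}

/* The shape the comment describes. One size IS checked: the declared length
   must not run past the end of the input, so the read side is in bounds. The
   destination capacity is never consulted, so a declared length of 65..65535
   overruns out->payload. Every small test vector passes; only an oversized
   one triggers it. Kept here only as the "before" form. */
static bool parse_chunk_unchecked(const uint8_t *msg, size_t msg_len, chunk_t *out)
{
    if (msg_len < 2)
        return false;
    size_t declared = read_u16_be(msg);
    if (declared > msg_len - 2)                 /* source bound: checked   */
        return false;
    memcpy(out->payload, msg + 2, declared);    /* sink bound: not checked */
    out->len = declared;
    return true;
}

/* Hardened form: check both sizes and reject, leaving *out untouched, when
   the declared length does not fit the destination. */
static bool parse_chunk_checked(const uint8_t *msg, size_t msg_len, chunk_t *out)
{
    if (msg == NULL || out == NULL || msg_len < 2)
        return false;
    size_t declared = read_u16_be(msg);
    if (declared > msg_len - 2)                 /* source bound            */
        return false;
    if (declared > sizeof out->payload)         /* sink bound: the missing check */
        return false;
    memcpy(out->payload, msg + 2, declared);
    out->len = declared;
    return true;
}

/* Builds a constructed message declaring n bytes, followed by n bytes of 'A'.
   buf must have room for n + 2 bytes. Returns the total message size. */
static size_t build_message(uint8_t *buf, size_t n)
{
    buf[0] = (uint8_t)(n >> 8);
    buf[1] = (uint8_t)(n & 0xff);
    memset(buf + 2, 'A', n);
    return n + 2;
}

int main(void)
{
    uint8_t msg[4096];
    chunk_t c;
    memset(&c, 0, sizeof c);

    /* A 16-byte chunk: both versions accept it, which is why ordinary
       tests and shallow fuzzing never notice the missing check. */
    size_t m = build_message(msg, 16);
    printf("16-byte chunk, unchecked: %s\n", parse_chunk_unchecked(msg, m, &c) ? "ok" : "rejected");
    printf("16-byte chunk, checked:   %s\n", parse_chunk_checked(msg, m, &c) ? "ok" : "rejected");

    /* A 300-byte chunk is in bounds on the source side but not the sink side.
       Only the hardened parser is called with it. */
    m = build_message(msg, 300);
    printf("300-byte chunk, checked:  %s\n", parse_chunk_checked(msg, m, &c) ? "ok" : "rejected");
    return 0;
}
```

Note that both parsers contain a length check, so a tool that flags "memcpy with no preceding size comparison" sees nothing here; the checker has to relate the copy length to the destination's declared capacity, which is the comparison the unchecked version never makes.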