Also, what is EnvironmentSize and in what units is it specified?
It's the ZIP that makes it trivial and negates the size checks. Ever heard of rarjpegs? That works for zip files too. You can place any kind of garbage in the beginning of the file and it will still be a valid zipfile. If your malicious payload is 1Mb in size, you get the rest of the gigabyte for you to fill with hash-colliding garbage. That's 99% of the file. A hash collision attack is trivial in such conditions.
Originally Posted by curaga
Sorry, messed up the numbers. You have 99,9% of the file to yourself to fill with hash-colliding garbage.
Excellent point, hadn't thought of that. While both gzip and bzip2 permit such data, they make it detectable; xz doesn't permit it, zip not only permits it but says nothing. So this is a valid hole for zips.
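A defender-side check for the leading-data case raised in the posts above, as an added example that is not part of the original thread: it reads the ZIP end-of-central-directory record and reports how many bytes sit in front of the first member. The function names and the sample bytes are constructed for illustration, and ZIP64 archives are not handled.

```python
import io
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"   # end-of-central-directory record
CDH_SIG = b"PK\x01\x02"    # central directory file header

def leading_bytes(data: bytes) -> int:
    """Number of bytes in front of the first ZIP member (0 means none)."""
    pos = data.rfind(EOCD_SIG)
    if pos < 0 or pos + 22 > len(data):
        raise ValueError("no end-of-central-directory record")
    # EOCD fields: sig, disk, cd_disk, entries_here, entries_total,
    # cd_size, cd_offset, comment_len
    fields = struct.unpack_from("<4s4H2LH", data, pos)
    total, cd_size, cd_offset = fields[4], fields[5], fields[6]
    cd_start = pos - cd_size            # where the directory really is
    shift = cd_start - cd_offset        # > 0 if data was prepended blindly
    if shift < 0:
        raise ValueError("central directory offset is inconsistent")
    offsets = []
    p = cd_start
    for _ in range(total):
        if data[p:p + 4] != CDH_SIG:
            raise ValueError("bad central directory entry")
        name_len, extra_len, comment_len = struct.unpack_from("<3H", data, p + 28)
        offsets.append(struct.unpack_from("<L", data, p + 42)[0])
        p += 46 + name_len + extra_len + comment_len
    # If offsets were rewritten after prepending, shift is 0 but the
    # first local header no longer sits at offset 0.
    return shift + min(offsets, default=0)

def make_sample() -> bytes:
    """Constructed sample: a one-member archive built in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("a.txt", b"hello")
    return buf.getvalue()

if __name__ == "__main__":
    clean = make_sample()
    padded = b"\x00" * 1000 + clean     # constructed filler in front
    print(leading_bytes(clean), leading_bytes(padded))
    print(zipfile.ZipFile(io.BytesIO(padded)).namelist())
```

A non-zero result on a file that is supposed to be a plain archive is the signal to reject it or to hash only the region the central directory actually references.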
a) it is just under livid development.
Originally Posted by Shnatsel
b) if you checked it out - how much time did you spend playing it?
c) timedemo is just a mission to script :P
but hey, a bunch of 'benchmarks' all running basically the same engine (*quake) are really saying sooo much.
Besides, why is ut2004 never included? Yes, it is old. But it doesn't look half as bad as most of the *quake descendants used. And it would give a much more rounded picture.
What about the Unigine benchmarks? Why aren't they run?
Unigine benches are not GL compliant and do not run on Mesa. But I bet you knew that.
inb4 someone complains you can set overrides. Pampering over non-compliant software is just wrong.