Live2D Is a Security Trainwreck

This page summarizes the projects mentioned and recommended in the original post on news.ycombinator.com

  • D2Evil

    Managed waifu model parsing libs.

  • There's a bit more context to the story. The author and the company had a discussion over a reverse engineering claim as well: https://github.com/UlyssesWu/D2Evil/issues/1

    I have to admit I'm somewhat impressed with the quality of the 2d puppetry I've seen in gaming recently (e.g. Marvel Snap, any of the Gachas). It's a simpler technical skill than full 3d rigging that 2d illustrators seem to be able to pick up fairly quickly.

    The field this tool grew out of (mobile gaming) is such a grey ethical area, and these puppet animations are a fascinating form of pulp media.

  • spine-runtimes

    2D skeletal animation runtimes for Spine.

  • From the first glance it seems like Spine provides their libraries in source format (under non open source license) with pure C++, C# and TS implementations that don't depend on binary blobs (at least it seemed like it). You can find it here https://github.com/esotericsoftware/spine-runtimes . Even if C++ version is not safe, C# and TS versions are probably fine, and the license mentions creating derivative works (assuming you follow the Editor license terms and some of the involved parties have an editor license) so you are probably allowed to create modified library which processes the files safely.

  • openjpeg

    Official repository of the OpenJPEG project

  • > The whole file is effectively a write-what-where primitive. In addition to that, the Count Info Table is not bounds checked either...

    File formats like that, with many offsets in the file, are troublesome. There used to be more formats like that. Microsoft Word .doc is the classic example.

    OpenJPEG 2000 has a similar problem. I just hit that yesterday.[1] Valgrind is finding references to un-initialized data which affect control flow, and running the JPEG decoder on valid but truncated files (which is allowed) is causing bad memory reference crashes and errors.

    New formats like this are rare. People have learned. A modern exception is Unreal Engine 5's Nanite, which has much offset data, and there may be an attack surface there for hostile game content. Nanite is a way to store a graphics mesh with both multiple levels of detail and common submeshes. It's a hierarchy of directed acyclic graphs, flattened into a linear file with offsets. And, sure enough, there are many crash reports. At least Unreal provides a validator for the format.

    (If only C/C++ had slices in the language. Most of the things for which pointer arithmetic is used can be done with slices. Slices really are pointer arithmetic, with sanity.)

    [1] https://github.com/uclouvain/openjpeg/issues/1459
