D array expansion and non-deterministic re-allocation
Walter Bright
newshound1 at digitalmars.com
Mon Nov 16 14:16:02 PST 2009
Nick Sabalausky wrote:
> Even if it is technically determinate if you run it on the same machine with
> the same inputs, that still does nothing to address Bartosz's claim that
> it's a potential security hole - Apps don't always get run on the same
> machine with the same inputs.
It's not a security hole in any more serious manner than any other
routine programming bug would be. Very few ordinary programming bugs are
exploitable.
A buffer overflow, however, is much more of a security hole because they
are nearly always exploitable, because it allows arbitrary user data to
be executed. This is not the case with the array resizing issue.
That's why I drew a distinction between undefined-behavior and
implementation-defined behavior. The former is a couple more orders of
magnitude more serious.
More information about the Digitalmars-d
mailing list