TypeInfo madness
Yuxuan Shui via Digitalmars-d
digitalmars-d at puremagic.com
Sun Mar 6 15:13:28 PST 2016
In D (tested with D 2.070), one is allowed to modify the TypeInfo
returned by typeid().
Here is an example of how this "feature" can be used maliciously.
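class A {
}
class C : A {
    int a = 1234;
}
class B : A {
    float b;
}
@safe void main() {
    import std.stdio;
    C c = new C;
    A a = cast(A)c;
    auto y = typeid(c);
    B b = new B;
    // Make C's TypeInfo claim B as its base class.
    y.base = typeid(b);
    // a still refers to the C object, yet the dynamic cast now succeeds.
    b = cast(B)a;
    assert(b !is null);
    // Reads the storage of C.a as a float.
    writeln(b.b);
}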
With a successful dynamic cast, it should be safe to assume the
data in the result object is well formed (enforced, for example,
by invariants). However, the ability to modify a TypeInfo object
will give the attacker a chance to pass crafted data to a
function.
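
One possible integrity check for the behaviour described in the post, as an added example that is not part of the original message: it compares the runtime `base` chain of a class with the hierarchy the compiler saw, taken from `std.traits.BaseClassesTuple`. The names `chainMatches` and `baseChainIntact` are hypothetical, the class hierarchy is constructed to mirror the post's, and the code assumes a compiler such as the post's D 2.070, where the assignment to `base` compiles.

```d
import std.stdio : writeln;
import std.traits : BaseClassesTuple;

// Constructed hierarchy mirroring the classes in the post.
class A {}
class C : A { int a = 1234; }
class B : A { float b; }

// Hypothetical helper: walk the runtime base chain and compare each link,
// by identity, with the expected TypeInfo_Class objects.
bool chainMatches(const TypeInfo_Class ti, const TypeInfo_Class[] expected)
{
    if (expected.length == 0)
        return ti is null;              // Object has no base class
    return ti !is null
        && ti is expected[0]
        && chainMatches(ti.base, expected[1 .. $]);
}

// Hypothetical helper: true when the runtime TypeInfo of T still describes
// the inheritance chain known at compile time (T -> ... -> Object).
bool baseChainIntact(T)() if (is(T == class))
{
    const(TypeInfo_Class)[] expected;
    foreach (Base; BaseClassesTuple!T)  // ordered from direct base to Object
        expected ~= typeid(Base);
    return chainMatches(typeid(T).base, expected);
}

void main()
{
    C c = new C;
    A a = cast(A) c;
    writeln("chain intact before modification: ", baseChainIntact!C);

    // The modification from the post.
    auto y = typeid(c);
    y.base = typeid(B);
    writeln("chain intact after modification:  ", baseChainIntact!C);

    // Only trust the result of the dynamic cast if the chain is unmodified.
    if (baseChainIntact!C && cast(B) a !is null)
        writeln("cast to B accepted");
    else
        writeln("cast to B rejected: TypeInfo of C does not match its declaration");
}
```

The comparison uses identity (`is`), so it assumes each class has a single TypeInfo instance in the running program.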