WhatsApp BO critical security vulnerability
Nick Sabalausky (Abscissa)
SeeWebsiteToContactMe at semitwist.com
Thu May 16 03:58:06 UTC 2019
On 5/15/19 6:42 PM, H. S. Teoh wrote:
>
> Given the frequency and severity of buffer overflow and other
> memory-related bugs, people need a serious wakeup call to migrate away
> from languages that do not enforce bounds checking...
Yea, people definitely do. But they never will unless they're
absolutely, 100% *forced* to. For example...
On 5/15/19 9:19 PM, Exil wrote:
> On Wednesday, 15 May 2019 at 22:45:44 UTC, Adam D. Ruppe wrote:
>>
>> And this is why I *never* use dmd's -release or -boundscheck switches.
>> Just not worth the risk of taking out those checks.
Same here.
> Depends on what you are doing, I always have those switches turned on,
> it's not worth the performance hit.
Premature optimization. Sh****t...we live in a world where even those
people using the el-cheapo completely-free-with-any-data-plan phones are
walking around with a supercomputer in their pocket so absurdly powerful
it can run Quake 2, at a good framerate, probably in software-rendering
mode too, *as JavaScript executed in a bloated web browser*!
If anyone's software needs bounds checks disabled ACROSS THE ENTIRE
CODEBASE (?!?!) to run acceptably, then they're clearly doing something
ELSE, very, very, horribly wrong. And they seriously need to 1. learn
about premature optimization, 2. learn how to freaking profile and
optimize, and 3. learn how to isolate inner-loop hot-spots from the rest
of code and limit the security-disaster-in-waiting compiler flags to
just that code alone...and audit that code to ensure outside input never
reaches it unwashed. (although, anything the langs/compilers could do to
push this and make it all more convenient would certainly help)
Honestly though, granted I like and respect Walter a lot, but I've
always felt...all his [absolutely correct] preaching about memory safety
and profiling is rendered automatically dead-on-arrival by the very fact
that we have a flag conveniently named "-release" which, among other
conveniently dangerous things, kills bounds checking (?!).
Summary: Performance in 2019??? Pftt, please, it's not worth the
*security* hit. What is this, 1977?
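One way to do point 3 above in D, as an added example that is not part of the original post or the dmd project: keep the code that touches outside input `@safe`, where slice and index operations remain bounds-checked even under `dmd -release` (which implies `-boundscheck=safeonly`: checks stay in `@safe` code and are dropped only in `@system`/`@trusted` code), and confine the unchecked inner loop to a small `@system` function that is only reachable through that validated boundary. `-boundscheck=off` is the flag that removes the checks everywhere. The function names `sumWindow` and `hotSum` and the sample array are made up for this illustration.

```d
// Added example, not code from the thread: keep bounds checks at the boundary
// that sees outside input and drop them only in an isolated hot loop.
// Function names (sumWindow, hotSum) and the sample data are made up here.
import std.stdio : writeln;
import core.exception : RangeError;

// Hot loop, deliberately @system: it walks a raw pointer, so nothing in here
// is bounds-checked regardless of compiler flags. It must only be reached
// through the validated wrapper below.
@system long hotSum(const(int)[] data) pure nothrow @nogc
{
    long acc = 0;
    const(int)* p = data.ptr;          // .ptr is @system on purpose
    foreach (i; 0 .. data.length)
        acc += p[i];                   // raw indexing, no check
    return acc;
}

// Boundary, @safe: the slice below stays bounds-checked under `dmd -release`
// (-boundscheck=safeonly). A bad window throws RangeError instead of reading
// past the array. Only -boundscheck=off would remove this check.
@safe long sumWindow(const(int)[] data, size_t start, size_t len)
{
    const(int)[] window = data[start .. start + len];   // checked here
    // The unchecked loop only ever sees a slice proven valid above.
    return (() @trusted { return hotSum(window); })();
}

void main()
{
    // Constructed sample input standing in for data arriving from outside.
    int[] data = [1, 2, 3, 4, 5, 6, 7, 8];
    writeln(sumWindow(data, 2, 3));    // 3 + 4 + 5 = 12

    try
    {
        // Window that runs past the end: rejected before the hot loop runs.
        writeln(sumWindow(data, 6, 4));
    }
    catch (RangeError e)
    {
        writeln("rejected at the @safe boundary: ", e.msg);
    }
}
```

Build with `dmd -release example.d` to see the second call still throw `RangeError`; build with `dmd -boundscheck=off example.d` and the same call reads past the array silently, which is the whole-codebase failure mode the post is objecting to.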