Re: NSTableView - populating from C procedure


  • Subject: Re: NSTableView - populating from C procedure
  • From: Marco S Hyman <email@hidden>
  • Date: Wed, 22 Jul 2009 23:55:38 -0700

On Jul 22, 2009, at 11:38 PM, Graham Cox wrote:

> My warning was of a very general nature, and may not apply to your app. But every time you declare buffer space as a stack array, you should mentally consider whether a buffer exploit might be possible there.

It was a good warning.

Since the author can rarely guarantee that some data field will
not be filled from an untrusted source *forever* it is always
best to check for and not allow overflow.   The function
"getString" in the sample code might be safe today, but will
it be safe after the nth code change in the future?  Does it
get or generate its code as a result of user action?  Will it
always be that way?

Easier to ensure that an overflow can't cause harm today
than to worry about all future failures.  Remember, most
security problems stem from abuse of simple bugs.

/\/\arc
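
An added example, not code from this thread or from the original poster's sample: one way a getString-style routine can refuse oversized data when the caller's buffer is a stack array. The names get_string and fill_cell and the 16-byte buffer size are assumptions made for the illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for the thread's getString(): copies src into a
 * caller-supplied buffer and rejects the input, rather than truncating or
 * overflowing, when it does not fit. Returns 0 on success, -1 on rejection. */
static int get_string(char *dst, size_t dstsize, const char *src)
{
    if (dst == NULL || dstsize == 0)
        return -1;
    dst[0] = '\0';                      /* dst is a valid string on every path */
    if (src == NULL)
        return -1;

    /* Look for the terminator within the first dstsize bytes only. */
    const char *nul = memchr(src, '\0', dstsize);
    if (nul == NULL)                    /* string plus NUL needs > dstsize bytes */
        return -1;

    size_t len = (size_t)(nul - src);
    memcpy(dst, src, len + 1);          /* len + 1 <= dstsize, includes the NUL */
    return 0;
}

/* Caller in the style discussed: a fixed-size stack array as the buffer.
 * Returns the length stored, or -1 if the input was rejected. */
static int fill_cell(const char *input)
{
    char cell[16];                      /* assumed size, for the sample only */
    if (get_string(cell, sizeof cell, input) != 0)
        return -1;
    return (int)strlen(cell);
}

int main(void)
{
    /* Constructed sample inputs: one that fits, one that does not. */
    printf("%d\n", fill_cell("short value"));
    printf("%d\n", fill_cell("a value far longer than sixteen bytes"));
    return 0;
}
```

Passing the buffer size alongside the pointer keeps the check valid even if the source of the string later changes from trusted to untrusted.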

_______________________________________________

Cocoa-dev mailing list (email@hidden)
