| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 22 Jan 2007 20:42:35 +0000
From: Marcin Owsiany <marcin@...iany.pl>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: Major gcc 4.1.1 and up security issue
On Mon, Jan 22, 2007 at 02:50:21PM -0500, Valdis.Kletnieks@...edu wrote:
> It's generally considered performance-crippling
> to add inline code that does a "test condition/branch" pair after *every single*
> opcode that might cause an overflow - so the C paradigm is to leave them out
> and have the programmer code tests when actually needed.
Right, seems that I had too much Java for too long recently - I tend to
think of terms of exceptions being thrown in such cases, not
assembly-level flag checking...
> You think it's bad *now*, where you have to force-feed a 2-billion-something
> value in to cause an integer overflow, you obviously aren't old enough to have
> programmed on 16-bit machines, where numbers around 32,000 were sufficient,
Actually, I'm old enough to have programmed on 8-bit machines, but we're
getting off-topic here :-)
Marcin
--
Marcin Owsiany <marcin@...iany.pl> http://marcin.owsiany.pl/
GnuPG: 1024D/60F41216 FE67 DA2D 0ACA FC5E 3F75 D6F6 3A0D 8AA0 60F4 1216
"Every program in development at MIT expands until it can read mail."
-- Unknown
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists