Home > mailing lists

Re: Fixes for compiler warnings - Mailing list pgsql-hackers

From	Heikki Linnakangas
Subject	Re: Fixes for compiler warnings
Date	January 18, 2009 14:01:08
Msg-id	49734428.7090308@enterprisedb.com Whole thread Raw
In response to	Re: Fixes for compiler warnings (Grzegorz Jaskiewicz <gj@pointblue.com.pl>)
List	pgsql-hackers

Tree view

Grzegorz Jaskiewicz wrote:
> On 2009-01-18, at 09:56, Peter Eisentraut wrote:
>> -Wformat-security warns about
>>
>>    printf(var);
>>
>> but not about
>>
>>    printf(var, a);
>>
>> I don't understand that; the crash or exploit potential is pretty much 
>> the
>> same in both cases.
> not at all. First case allows you to pass in var from outside, with 
> your, well crafted format strings. Please read more about subject, 
> before you say something that silly.

The point is that if "var" comes from an untrusted source, both forms 
are just as dangerous.

I guess that in practice, the first form is more likely to be an oversight.

--   Heikki Linnakangas  EnterpriseDB   http://www.enterprisedb.com

pgsql-hackers by date:

From: Andrew Chernow
Date: 18 January 2009, 13:18:33
Subject: Re: VARSIZE - why omit VARLEN?

From: Tom Lane
Date: 18 January 2009, 17:18:07
Subject: Re: Fixes for compiler warnings

Re: Fixes for compiler warnings - Mailing list pgsql-hackers

Previous

Next