From: | Peter Eisentraut <peter_e(at)gmx(dot)net> |
---|---|
To: | pgsql-hackers(at)postgresql(dot)org |
Cc: | Grzegorz Jaskiewicz <gj(at)pointblue(dot)com(dot)pl> |
Subject: | Re: Fixes for compiler warnings |
Date: | 2009-01-18 20:16:23 |
Message-ID: | 200901182216.24364.peter_e@gmx.net |
Lists: | pgsql-hackers |

On Sunday 18 January 2009 12:43:46 Grzegorz Jaskiewicz wrote:
> > -Wformat-security warns about
> >
> > printf(var);
> >
> > but not about
> >
> > printf(var, a);
> >
> > I don't understand that; the crash or exploit potential is pretty
> > much the
> > same in both cases.
>
> Not at all. The first case allows you to pass in var from outside, with
> your well-crafted format strings. Please read more about the subject
> before you say something that silly.

If your premise is that var is passed in from the outside, then the real issue
is the %n placeholder. And then it doesn't matter how many variadic args you
pass.
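
An added example, not part of the original message or of PostgreSQL: a small C auditor for a runtime format string such as `var`, showing that the number of arguments read and any `%n` write are decided by the string's directives, not by how many arguments the call passes. The names `audit_format` and `format_within_args` are hypothetical, the sample strings are constructed, and the check covers argument count and `%n` only, not argument types or positional (`%1$s`) directives.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* What a printf-style format string would do if it were executed. */
struct fmt_audit {
    int  args_consumed;  /* variadic arguments the directives read */
    bool writes_memory;  /* true if a %n directive is present */
};

/* Walk the standard C directives in fmt without executing them. */
struct fmt_audit audit_format(const char *fmt)
{
    struct fmt_audit r = {0, false};
    for (const char *p = fmt; *p; p++) {
        if (*p != '%' || *++p == '%')
            continue;                        /* plain text or literal "%%" */
        /* flags, width, precision: each '*' reads one extra int argument */
        while (*p && strchr("-+ #0123456789.*", *p)) {
            if (*p == '*')
                r.args_consumed++;
            p++;
        }
        while (*p && strchr("hljztL", *p))   /* length modifiers */
            p++;
        if (*p == '\0')
            break;                           /* truncated directive */
        if (*p == 'n')
            r.writes_memory = true;          /* %n stores through a pointer */
        r.args_consumed++;
    }
    return r;
}

/* Accept a runtime format only if it has no %n and reads no more
 * arguments than the call site actually passes. */
bool format_within_args(const char *fmt, int args_passed)
{
    struct fmt_audit r = audit_format(fmt);
    return !r.writes_memory && r.args_consumed <= args_passed;
}

int main(void)
{
    /* Constructed strings standing in for "var" in printf(var, a). */
    const char *samples[] = { "rows: %d", "%s and %s", "100%% done", "%d%n" };
    for (size_t i = 0; i < sizeof samples / sizeof *samples; i++)
        printf("%-10s  one arg passed: %s\n", samples[i],
               format_within_args(samples[i], 1) ? "ok" : "reject");
    return 0;
}
```

Where the text to print is data rather than a format, `printf("%s", var)` avoids the question entirely.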