Bugtraq mailing list archives
Re: ncurses 4.1 security bug
From: ben () ALGROUP CO UK (Ben Laurie)
Date: Sat, 11 Jul 1998 20:33:28 +0100
David Schwartz wrote:
Why is C++ bashing so popular? Why can't people get it right? According to Stroustrup, The C++ Programming Language, 3rd ed., section 9.4.1 Initialization of Nonlocal Variables, p.218 (in the 3rd printing): "Note that variables initialized by constant expressions cannot depend on the value of objects from other translation units and do not[1] require run-time initialization. Such variables are therefore safe to use in all cases." [1] The word "not" was missing until the 6th printing (see the errata).I believe this is a false statement and that the code I posted to bugtraq before constitutes a counter-example. Consider the following variable initialized by a constant expression: MyString Foo("test"); 'Foo' is a variable. '"test"' is a constant expression.
I think this is where you part from Stroustrup (and where I may have misunderstood you). '"test"' is indeed a constant expression, but 'Foo' is not initialized from it: the constructor is called with it, so, the above statement does not apply to Foo. However, it does apply to MyString::StringCount.
Now, Stroustrup claims that this "cannot depend on the value of objects from other translation units." Consider the following object from another translation unit: int MyString::StringCount=0; And consider the following constructor: MyString(const char *) { StringCount++; .... }; Now, here you see that a variable initialized by a constant expression CAN depend on the value of objects from other translation units. So either we are both misunderstanding Stroustrup or he is incorrect.
OK, you've misunderstood Stroustrup (IMO), and I've misunderstood you. I agree that you can't know the value of StringCount when Foo is initialised (because you don't know how many other MyStrings may have been initialised), but you can know that StringCount will have been zeroed before any MyStrings were initialised. So now I'm left wondering what point you are actually trying to make (other than that we don't know what order global contructors are initialised in)? Cheers, Ben. -- Ben Laurie |Phone: +44 (181) 735 0686| Apache Group member Freelance Consultant |Fax: +44 (181) 735 0689|http://www.apache.org/ and Technical Director|Email: ben () algroup co uk | A.L. Digital Ltd, |Apache-SSL author http://www.apache-ssl.org/ London, England. |"Apache: TDG" http://www.ora.com/catalog/apache/ WE'RE RECRUITING! http://www.aldigital.co.uk/recruit/
Current thread:
- Netware 4.x Attack Tool Announcement, (continued)
- Netware 4.x Attack Tool Announcement Simple Nomad (Jul 13)
- Re: ncurses 4.1 security bug Casper Dik (Jul 09)
- Re: ncurses 4.1 security bug Pavel Kankovsky (Jul 09)
- Re: ncurses 4.1 security bug Matt Evans (Jul 09)
- Re: ncurses 4.1 security bug Warner Losh (Jul 10)
- inetd can leak file descriptors +FIX Jeff Forys (Jul 14)
- Re: ncurses 4.1 security bug Alexander Kjeldaas (Jul 15)
- Re: ncurses 4.1 security bug Warner Losh (Jul 10)
- Re: ncurses 4.1 security bug Ben Laurie (Jul 11)
- Re: ncurses 4.1 security bug David Schwartz (Jul 11)
- Re: ncurses 4.1 security bug Geoffrey KEATING (Jul 14)
- Re: ncurses 4.1 security bug Ben Laurie (Jul 11)
- Re: ncurses 4.1 security bug David Schwartz (Jul 11)
- Re: ncurses 4.1 security bug Ben Laurie (Jul 12)