Secure Coding mailing list archives
Re: [Full-disclosure] 4 Questions: Latest IE vulnerability, Firefox vs IE security, User vs Admin risk profile, and browsers coded in 100% Managed Verifiable code
From: michaelslists at gmail.com (michaelslists at gmail.com)
Date: Wed, 29 Mar 2006 14:30:43 +1100
No you dont. Arrays are all bounds checked; ..., that is, the following code will throw an exception: ================================ class Foo { static { int[] m = new int[2]; System.out.println(m[34]); } } ================================ What do you mean by "overflow"? Do you mean this? ================================ class Foo { static { int m = Integer.MAX_VALUE; int k = Integer.MAX_VALUE + Integer.MAX_VALUE; System.out.println(m); System.out.println(k); System.exit(0); } } ================================ if so, I don't see how that is an issue. -- Michael On 3/29/06, Andrew van der Stock <vanderaj at greebo.net> wrote:
This is not quite true. Java does not prevent integer overflows (it will not throw an exception). So you still have to be careful about array indexes. Andrew On 29/03/2006, at 12:49 PM, michaelslists at gmail.com wrote:no, a browser written in java would not have buffer overflow/stack issues. the jvm is specifically designed to prevent it ... -- Michael
Current thread:
- Re: [Full-disclosure] 4 Questions: Latest IE vulnerability, Firefox vs IE security, User vs Admin risk profile, and browsers coded in 100% Managed Verifiable code Pilon Mntry (Mar 26)
- <Possible follow-ups>
- Re: [Full-disclosure] 4 Questions: Latest IE vulnerability, Firefox vs IE security, User vs Admin risk profile, and browsers coded in 100% Managed Verifiable code michaelslists at gmail.com (Mar 28)
- Re: [Full-disclosure] 4 Questions: Latest IE vulnerability, Firefox vs IE security, User vs Admin risk profile, and browsers coded in 100% Managed Verifiable code Andrew van der Stock (Mar 28)
- Re: [Full-disclosure] 4 Questions: Latest IE vulnerability, Firefox vs IE security, User vs Admin risk profile, and browsers coded in 100% Managed Verifiable code michaelslists at gmail.com (Mar 28)
- Java integer overflows (was: a really long topic) Andrew van der Stock (Mar 28)
- Re: Java integer overflows (was: a really long topic) michaelslists at gmail.com (Mar 28)
- Message not available
- Re: [Full-disclosure] Re: Java integer overflows (was: a really long topic) michaelslists at gmail.com (Mar 28)
- Re: [Full-disclosure] 4 Questions: Latest IE vulnerability, Firefox vs IE security, User vs Admin risk profile, and browsers coded in 100% Managed Verifiable code Andrew van der Stock (Mar 28)