Programming language comparison?

[petesh at indigo.ie (Pete Shanahan)]

ljknews wrote:
> At 4:44 PM -0500 2/5/08, Steven M. Christey wrote:
> > On Mon, 4 Feb 2008, ljknews wrote:
> >
> > > > ("%99999999s" to fill up disk or memory, anybody?), so it's marked with
> > > > "All" and it's not in the C-specific view, even though there's a heavy
> > > > concentration of format strings in C/C++.
> > > It is marked as "All" ?
> > >
> > > What is the construct in Ada that has such a risk ?
> > Hmmmm, I don't see any, but then again I don't know Ada.  Is there no
> > equivalent to format strings in Ada?  No library support for it?
>
> Not that I know of, but if you can specify a Pascal equivalent
> I might be able to see what you are aiming at.  Have you evaluated
> Pascal for this defect that is present in "All" languages ?

Pascal per-se does not have a format string vulnerability - you don't have
any functions like that in the base language.

Delphi (Borland's oo-pascal) however has a whole truckload of Format*
commands which take a format string as the first parameter and thus
would potentially be vulnerable to the DOS attack.
<rant>
Delphi has the capability of run-time bounds checking, which would catch
a lot of 'variables not on the stack' errors, however this can be turned
off for performance reasons. I don't have a ratio of on/off people. When
I originally wrote Delphi code in '96 I switched off bounds checking as
the systems I was running on could not take the hit. Now, it is left on
continuously as the cost of cycles is not worth it to have better software
</rant>