Hey,
I'm going to chime in here.
If you want to fix this problem: Don't use C! Use C++, C#, Java etc.
> instead!
>
Honestly, this is inane right? ReactOS currently uses C predominantly, but
we can't
use that as an excuse for shitty code which breaks, crashes, or has buffer
overflows.
Security is
Finding bugs is definitely a valid concern. But there is, of course,
a version that addresses both problems:
NT_VERIFY(NT_SUCCESS(RtlStringCbPrintfW(...)));
This will assert in case the buffer is too small, while still never
causing an overflow.
We could provide wrappers to require less typing or
Eric, the thing is, buffer overflows don't just crash the program unless
you have some really nifty guard pages, but overwrite other things in
memory. This means an attacker can, in certain situations, use it to create
something that not just crashes, but with a nifty input create an exploit.
Havin
Hello Hermès,
you can use a maximum timeout value of 31536999 seconds (that's 1 second
shy of 10 years). If the timeout value is larger or equal 1 day (>=86400
seconds), winlogon will use the "%d days" format. It will just show a
maximum of "3649 days". No buffer overflow here! :-)
Regards
Eric
Hello Thomas,
you're right, using the run-time size checks are a good way to keep
application from crashing because of buffer overflows. They'll just keep
on using corrupt data instead! If you want to fix this problem: Don't
use C! Use C++, C#, Java etc. instead!
I prefer to see an application cr
If I remember correctly you can make shutdowns delayed of many days on Windows
(using the InitiateSystemShutdown(Ex) function), in which case the 2-digit hour
won't work at all.
Best,
Hermès
> -Message d'origine-
> De : Ros-dev [mailto:ros-dev-boun...@reactos.org] De la part de Thomas
>
Hey Eric,
On 2018-04-02 12:58, Eric Kohl wrote:
-RtlStringCbPrintfW(strbuf, sizeof(strbuf), L"%d:%d:%d", hours, minutes,
seconds);
+swprintf(szBuffer, L"%02d:%02d:%02d", iHours, iMinutes, iSeconds);
Unfortunately I must disagree with this change.
Buffer overflows are a big enough thr