
curl-library

Re: Regarding CVE-2016-9594 (uninitialized random)

From: Kamil Dudka <kdudka_at_redhat.com>
Date: Sat, 18 Feb 2017 08:30:47 +0100

On Friday, February 17, 2017 23:53:48 Daniel Stenberg wrote:
> Just blindly sprinkling unions is however not automatically better (==
> easily understood and debugged) or more foolproof code. Avoiding typecasts
> can at times be worse than the typecasts themselves. It needs to be done
> properly.

Exactly. And the same holds for fixing defects reported by static analyzers,
dynamic analyzers, fuzzers, etc. Such code improvements need to be done by
programmers who really understand the code. Otherwise the probability of
introducing new issues is higher than the probability of fixing the existing ones.

Kamil
Received on 2017-02-18