Re: [Full-disclosure] 4 Questions: Latest IE vulnerability, Firefox vs IE security, User vs Admin risk profile, and browsers coded in 100% Managed Verifiable code
- To: "Andrew van der Stock" <vanderaj@xxxxxxxxxx>
- Subject: Re: [Full-disclosure] 4 Questions: Latest IE vulnerability, Firefox vs IE security, User vs Admin risk profile, and browsers coded in 100% Managed Verifiable code
- From: michaelslists@xxxxxxxxx
- Date: Wed, 29 Mar 2006 14:30:43 +1100
No, you don't.
Arrays are all bounds checked; ..., that is, the following code will
throw an exception:
================================
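class Foo {
    public static void main(String[] args) {
        int[] m = new int[2];
        // Index 34 is past the end of a 2-element array:
        // throws ArrayIndexOutOfBoundsException
        System.out.println(m[34]);
    }
}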
================================
What do you mean by "overflow"? Do you mean this?
================================
class Foo {
    public static void main(String[] args) {
        int m = Integer.MAX_VALUE;
        // int arithmetic wraps silently; no exception is thrown
        int k = Integer.MAX_VALUE + Integer.MAX_VALUE;
        System.out.println(m);
        System.out.println(k);
    }
}
================================
If so, I don't see how that is an issue.
-- Michael
On 3/29/06, Andrew van der Stock <vanderaj@xxxxxxxxxx> wrote:
> This is not quite true.
>
> Java does not prevent integer overflows (it will not throw an
> exception). So you still have to be careful about array indexes.
>
> Andrew
>
> On 29/03/2006, at 12:49 PM, michaelslists@xxxxxxxxx wrote:
>
> > no, a browser written in java would not have buffer overflow/stack
> > issues. the jvm is specifically designed to prevent it ...
> >
> > -- Michael
>
>
>
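The two points made in this exchange, shown together in an added example that is not part of either poster's message: an `int` sum that wraps lets a hand-written range check pass, the JVM's per-access bounds check still stops the out-of-range write, and `Math.addExact` (Java 8 and later) rejects the overflow up front. The class name, method names and the sample offset/length values are constructed for illustration.

```java
// Added illustration; class and method names are hypothetical.
public class OverflowIndexDemo {

    // Unchecked arithmetic: offset + length wraps to a negative int when it
    // exceeds Integer.MAX_VALUE, so the "end <= buf.length" guard passes.
    static boolean naiveRangeOk(byte[] buf, int offset, int length) {
        int end = offset + length; // may wrap silently
        return offset >= 0 && length >= 0 && end <= buf.length;
    }

    // Checked arithmetic: Math.addExact throws ArithmeticException on overflow,
    // which is treated here as "range not valid".
    static boolean checkedRangeOk(byte[] buf, int offset, int length) {
        try {
            int end = Math.addExact(offset, length);
            return offset >= 0 && length >= 0 && end <= buf.length;
        } catch (ArithmeticException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        byte[] buf = new byte[16];
        int offset = 8;
        int length = Integer.MAX_VALUE; // constructed oversized length field

        System.out.println("naive guard accepts:   " + naiveRangeOk(buf, offset, length));
        System.out.println("checked guard accepts: " + checkedRangeOk(buf, offset, length));

        // Even when the flawed guard is trusted, every array store is
        // bounds-checked by the JVM, so the loop ends in an exception
        // instead of writing past the end of the array.
        try {
            for (int i = 0; i < length; i++) {
                buf[offset + i] = 1;
            }
        } catch (ArrayIndexOutOfBoundsException e) {
            System.out.println("JVM stopped the write: " + e.getMessage());
        }
    }
}
```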