From mboxrd@z Thu Jan 1 00:00:00 1970 X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on polar.synack.me X-Spam-Level: X-Spam-Status: No, score=-1.3 required=5.0 tests=BAYES_00,FREEMAIL_FROM, HEADER_SPAM autolearn=no autolearn_force=no version=3.4.4 X-Google-Language: ENGLISH,ASCII-7-bit X-Google-Thread: fc772,b30bd69fa8f63cb2,start X-Google-Attributes: gidfc772,public X-Google-Thread: 103376,b30bd69fa8f63cb2,start X-Google-Attributes: gid103376,public X-Google-ArrivalTime: 2003-06-03 06:36:19 PST Path: archiver1.google.com!news1.google.com!newsfeed.stanford.edu!logbridge.uoregon.edu!uwm.edu!rpi!not-for-mail From: Hyman Rosen Newsgroups: comp.lang.ada,comp.lang.c++.moderated Subject: C bug of the day Date: 3 Jun 2003 09:38:34 -0400 Organization: unknown Sender: cppmods@netlab.cs.rpi.edu Message-ID: NNTP-Posting-Host: netlab.cs.rpi.edu X-Original-Date: Tue, 03 Jun 2003 03:48:40 GMT X-Submission-Address: c++-submit@netlab.cs.rpi.edu X-Auth: PGPMoose V1.1 PGP comp.lang.c++.moderated iQBVAwUAPtyk1kHMCo9UcraBAQF5jwH/YI8jxdnKyhPCYBUnLVZJ20EtRHxh+l5c FDoC7XMp4BE9i3gLAgEntdpGK4EYEkVwbx9V2M9ki8zlWTr6dpxTvw== =OXQH Xref: archiver1.google.com comp.lang.ada:38470 comp.lang.c++.moderated:67594 Date: 2003-06-03T09:38:34-04:00 List-Id: One of the trading systems we use in our company had been crashing every night for a week while trying to run a certain batch procedure. We finally traced the problem to the usual C bugaboo, a buffer overflow. In this case, the program was trying to form an SQL command for entering a row of data into a database table. Even though the program is written in C++, the programmers apparently decided that the way to produce the SQL was to format it into a fixed-size buffer. Unfortunately, they decided to use '%f' to format some floating-point numbers, and more unfortunately, a situation arose in our data where a number was on the order of 10**141. Boom! We don't have the source code, but they do ship the program as relinkable libraries. We found the offending string and patched the binary to use %g instead of %f. Sigh. [ Send an empty e-mail to c++-help@netlab.cs.rpi.edu for info ] [ about comp.lang.c++.moderated. First time posters: do this! ]