https://bz.apache.org/bugzilla/show_bug.cgi?id=60634
--- Comment #3 from shqking <[email protected]> --- (In reply to Yann Ylavic from comment #1) > Since the main (caller of mkrecord) exits when a non-zero value is returned, > it does not access ctx->out so this is not really an issue, right? Thanks for your reply. According to the C Standard, 6.2.4 [ISO/IEC 9899:2011] (https://www.securecoding.cert.org/confluence/display/c/DCL30-C.+Declare+objects+with+appropriate+storage+durations), the address of local variables escaping through output parameters is one kind of undefined behaviors, and can lead to an exploitable vulnerability. Yes. We agree with you in that, this issue cannot cause any severe impact so far. But in our opinion, this issue seems like a "time bomb" and we'd better solve it earlier. Also your revision r1781509 makes it safe. Thanks. -- You are receiving this mail because: You are the assignee for the bug. --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
