For example (found via 19 Sins, Viega, Howard and LeBlanc): http://seclists.org/lists/bugtraq/2004/Nov/0097.html
I know Michael reads webappsec, he may have more examples.

In my own code testing, I look for silly behaviors if a user can insert a large or negative number. You'd be surprised how often it occurs. There is no excuse not to include basic range checks when performing data validation.

thanks,
Andrew

On 29/03/2006, at 2:30 PM, [EMAIL PROTECTED] wrote:
No you don't. Arrays are all bounds checked; ..., that is, the following code will throw an exception:
================================
class Foo {
    static {
        int[] m = new int[2];
        // index 34 on a 2-element array: ArrayIndexOutOfBoundsException
        // (surfaces wrapped in ExceptionInInitializerError from the static block)
        System.out.println(m[34]);
    }
}
================================
What do you mean by "overflow"? Do you mean this?
================================
class Foo {
    static {
        int m = Integer.MAX_VALUE;
        // int addition wraps silently: k becomes -2, no exception is thrown
        int k = Integer.MAX_VALUE + Integer.MAX_VALUE;
        System.out.println(m);
        System.out.println(k);
        System.exit(0);
    }
}
================================
if so, I don't see how that is an issue.
-- Michael

On 3/29/06, Andrew van der Stock <[EMAIL PROTECTED]> wrote:
This is not quite true. Java does not prevent integer overflows (it will not throw an exception). So you still have to be careful about array indexes.
Andrew
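The two positions in the thread meet in the case below: an added example, not code posted by either participant, showing how a range check written as "start + len <= length" is defeated by silent int wrap-around even though every array access is bounds checked. The buffer, the functions and their names are constructed for illustration.

```java
import java.util.Arrays;

// Added example: a range check whose arithmetic overflows is a validation bug that
// Java's array bounds checking does not catch until the (late, noisy) point of use.
public class RangeCheckDemo {
    static final byte[] BUF = new byte[16];   // constructed sample buffer

    // Naive check: "start + len" wraps negative for a huge len, so the test passes.
    static boolean naiveInRange(int start, int len) {
        return start >= 0 && len >= 0 && start + len <= BUF.length;
    }

    // Hardened check: operands validated individually, sum computed with
    // Math.addExact so a wrap raises ArithmeticException instead of going unnoticed.
    static boolean safeInRange(int start, int len) {
        if (start < 0 || len < 0 || start > BUF.length) return false;
        try {
            return Math.addExact(start, len) <= BUF.length;
        } catch (ArithmeticException overflow) {
            return false;
        }
    }

    // Simplest form: rearrange the comparison so no addition can overflow at all.
    static boolean safeInRangeNoAdd(int start, int len) {
        return start >= 0 && len >= 0 && start <= BUF.length && len <= BUF.length - start;
    }

    public static void main(String[] args) {
        int start = 8;
        int len = Integer.MAX_VALUE;   // oversized length taken from untrusted input
        System.out.println("start + len = " + (start + len));   // -2147483641 after wrap
        System.out.println("naive check passes?  " + naiveInRange(start, len));     // true
        System.out.println("safe check passes?   " + safeInRange(start, len));      // false
        System.out.println("no-add check passes? " + safeInRangeNoAdd(start, len)); // false
        // With only the naive check, the bogus range reaches the library call; it is
        // rejected there (from > to), but only at the point of use, not at validation.
        try {
            byte[] slice = Arrays.copyOfRange(BUF, start, start + len);
            System.out.println("copied " + slice.length + " bytes");
        } catch (IllegalArgumentException e) {
            System.out.println("copy rejected: " + e.getMessage());
        }
    }
}
```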
_______________________________________________
Secure Coding mailing list (SC-L)
SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php