You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@thrift.apache.org by "James E. King III (JIRA)" <ji...@apache.org> on 2018/07/18 14:06:00 UTC
[jira] [Commented] (THRIFT-1687) Use Microsoft SafeInt (or
reasonable alternative) to protect against integer arithmetic attacks
[ https://issues.apache.org/jira/browse/THRIFT-1687?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16547881#comment-16547881 ]
James E. King III commented on THRIFT-1687:
-------------------------------------------
I would prefer to see us build on linux and on windows with "warnings as errors" to catch these issues, and then liberally apply `boost::numeric_cast<>` to resolve them.
> Use Microsoft SafeInt (or reasonable alternative) to protect against integer arithmetic attacks
> -----------------------------------------------------------------------------------------------
>
> Key: THRIFT-1687
> URL: https://issues.apache.org/jira/browse/THRIFT-1687
> Project: Thrift
> Issue Type: Improvement
> Components: C++ - Library
> Affects Versions: 0.8, 0.9
> Environment: This is a concern on all OSes. Microsoft SafeInt works on the major desktop OSes.
> Reporter: Ben Craig
> Priority: Major
> Original Estimate: 72h
> Remaining Estimate: 72h
>
> There are a lot of scary casts and integer truncations in the C++ Thrift library. Microsoft has a template class that will throw an exception when any kind of integer overflow has happened ( http://safeint.codeplex.com/ ). SafeInt is released under the Microsoft Public License, which ASF has deemed suitable as a dependency for Apache products ( http://www.apache.org/legal/resolved.html#category-a ).
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)