Re: Buffer Overflow
From: Ryan Reilly (rreilly@redhawkgaming.com)
Date: Tue Nov 04 2003 - 19:02:30 CST
Pablo,
I assume you're talking about Delphi here. The option that will affect
buffer overflows is the Range Checking option. This will prevent buffer
overflows in array and string functions as long as you aren't using long
string types (which are enabled by default as "string"). Fat lot of
good that does.
It also doesn't handle the case where you pass input into other
libraries, such as system APIs. Additionally, it slows your program
down. So, while it may be a good tool for testing, I wouldn't rely on
it to secure your code.
As for the other two options, setting them makes your program throw
exceptions on I/O errors, or integer overflow. If you don't catch the
exceptions, the attacker has still achieved a DoS.
cheers,
Ryan Reilly
pablo gietz wrote:
> Hi Secprogrammers
>
> Here is my stupid question.
> If I compile my final build with the checkboxes:
> - Range checking (Checks that array and string subscripts are within
> bounds. Corresponds to {$R}.)
> - I/O checking (Checks for I/O errors after every I/O call.
> Corresponds to {$I}.)
> - Overflow checking (Checks overflow for integer operations.
> Corresponds to {$Q}.)
>
> checked. Could this minimize the possibility of occurrences of buffer
> overflows or other similar security holes?
>
>
> Thanks
>
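The following program, added here as an illustration and not part of either message in the thread, shows the three points the reply makes in running Object Pascal: range checking turns an out-of-bounds array write into an ERangeError, overflow checking turns silent integer wrap-around into an EIntOverflow, and neither directive sees a write performed by a library routine that takes a raw pointer and length. It assumes Free Pascal in Delphi mode or Delphi itself with the SysUtils unit; FillChar is used as a stand-in for the "other libraries, such as system APIs" case, and the procedure names and the 16-byte buffer are constructed for the example.

```pascal
{$IFDEF FPC}{$mode delphi}{$ENDIF}
{$R+}   { range checking: array and short-string subscripts verified at run time }
{$Q+}   { overflow checking: integer arithmetic that wraps raises EIntOverflow }
{$I+}   { I/O checking: failed I/O calls raise EInOutError instead of setting IOResult }
program CheckDirectives;

uses
  SysUtils;

type
  TBuf = array[0..15] of Byte;   { constructed 16-byte buffer for the example }

{ Writes Len bytes into the fixed array by subscript. With $R+ the first
  out-of-range subscript (Buf[16]) raises ERangeError; with $R- it silently
  overwrites whatever follows the array in memory. }
procedure FillBySubscript(var Buf: TBuf; Len: Integer);
var
  i: Integer;
begin
  for i := 0 to Len - 1 do
    Buf[i] := $41;
end;

{ Same intent, but the bytes are written by FillChar, an untyped RTL routine
  that receives only an address and a length. Range checking does not see
  this write at all, which is the case the reply describes for buffers handed
  to other libraries and system APIs. }
procedure FillByRtlCall(var Buf: TBuf; Len: Integer);
begin
  FillChar(Buf, Len, $41);   { no bounds check: Len > SizeOf(Buf) overruns }
end;

{ With $Q+ this raises EIntOverflow on wrap-around instead of returning a
  negative number; with $Q- it wraps silently. }
function AddChecked(a, b: Integer): Integer;
begin
  Result := a + b;
end;

var
  Buf: TBuf;
begin
  { 1. Range checking turns an array overrun into a catchable exception.
       Without this try block the program would terminate with a runtime
       error, which is the denial of service the reply warns about. }
  try
    FillBySubscript(Buf, 32);   { 32 > 16: stops at Buf[16] }
    WriteLn('subscript overrun was NOT caught');
  except
    on E: ERangeError do
      WriteLn('range check caught the overrun: ', E.Message);
  end;

  { 2. Overflow checking turns silent wrap-around into a catchable exception. }
  try
    WriteLn(AddChecked(High(Integer), 1));
    WriteLn('integer overflow was NOT caught');
  except
    on E: EIntOverflow do
      WriteLn('overflow check caught the wrap: ', E.Message);
  end;

  { 3. The compiler offers no protection here; only an explicit length check
       stands between the caller and a heap or stack overrun. }
  if 32 <= SizeOf(Buf) then
    FillByRtlCall(Buf, 32)
  else
    WriteLn('rejected FillChar of 32 bytes into a ', SizeOf(Buf), '-byte buffer');
end.
```

Compile and run it once as written and once with `{$R-}` and `{$Q-}` at the top: in the second build the first message reports that the overrun was not caught and the addition prints a wrapped negative value, while case 3 behaves identically in both builds because the directives never inspect the FillChar call. Removing the try blocks shows the other half of the reply's point: the checks still fire, but the program simply dies.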