undefined | Better HN

0 pointsghoward4y ago0 comments

This is entirely reductive.

I have written a substantial enough C codebase used in the real world that uses C string handling functions. I did that because the codebase needed zero dependencies other than libc. Yet as far as anyone who's looked at the code can tell, there are no vulnerabilities because I learned how to use realloc() and grow the allocation if needed before calling the string handling functions. It's not hard; it's just busywork.

0 comments

2 comments · 1 top-level

pjmlp4y ago· 1 in thread

Has the code been fuzzed and subject to static analysis as well?

ghowardOP4y ago

Yes. Absolutely. [1]

I use scan-build, but I also used to use Coverity until they had that vulnerability a few months back.

[1]: https://git.yzena.com/gavin/bc/src/branch/master/manuals/dev...

j / k navigate · click thread line to collapse