Re: Public disclosure of discovered vulnerabilities
Available news archives: comp.lang.tcl - comp.lang.python - comp.security.firewalls - sci.crypt - comp.lang.php - comp.lang.javascript
Google
 
Web news.hping.org


sci.crypt archive

Re: Public disclosure of discovered vulnerabilities

From: Bodo Moeller <bmoeller@acm.org>
Date: Tue May 31 2005 - 08:52:41 CEST



Gregory G Rose <ggr@qualcomm.com>:



>> Does the standard require members the basic character set have


>> to have positive values as character constants such as '0'? If


>> so, I was unaware.



> Unless I'm very much mistaken, 'x' is a constant


> of type int, and will always have a positive


> value. It's only when it's assigned to a char


> variable, which may or may not be signed, that the


> problem creeps in.



This is what one might reasonably expect.  But unfortunately, the


standard says (in section 6.4.4.4 paragraph 10):



    [...]  If an integer character constant contains a single character


    or escape sequence, its value is the one that results when an


    object with type char whose value is that of the single character


    or escape sequence is converted to type int.



The example for this in paragraph 13 is just for the case of an escape


sequence:



    EXAMPLE 2  Consider implementations that use two-complement


    representation for integers and eight bits for objects that have


    type char.  In an implementation in which type char has the same


    range of values as signed char, the integer character constant


    '\xFF' has the value -1; if type char has the same range of values


    as unsigned char, the character constant '\xFF' has the value


    +255.



By paragraph 10, a single character would behave the same as a


corresponding escape sequence (e.g. 'ÿ' is like '\xFF' if the


character set is ISO 8859-1).  Positive values are guaranteed only for


mebers of the basic execution character set, which are the 2x26 letters


A-Z and a-z, the 10 digits 0-9, and the following 29 graphic characters:



    ! " # % & ' ( ) * + , - . / :


    ; < = > ? [ \ ] ^ _ { | } ~



>                    Similarly with the return value


> from the various 'getc' functions/macros (except,


> of course, EOF won't be positive).



The "int" values in the <ctype.h> functions and in "getc" and so on


are different from character constants.  Here, unlike for character


constants, the standard promises that the integer values (apart from


EOF) will come from "unsigned char", not plain "char".


Received on Thu Sep 29 21:39:16 2005