Richard:
> Alternatively, since everyone knows the operating system doesn't separate
> code from data, wouldn't it be good programming practice for application
> developers to do so? So that if a long string arrives in a short
> buffer, it can't get treated as code?
Yes. This is a well-known protection that should certainly be applied and
usually is. It's not much different from a sub-editor checking a page. The
extraordinary thing is that a company with such heavy commitments to
software engineering should allow these mistakes to 1) be approved into the
release code base 2) escape the automated code analysis they apply 3) not be
detected in the extensive automated testing they perform. I think Microsoft
suffered a watering down of development expertise after the mid '90s.
Regards, Tony Healy
--------
Now the trouble comes when you can't think of any new features, so you put
in the paperclip, and then you take out the paperclip, and you try to charge
people both times, and they aren't falling for it. Joel Spolsky
www.joelonsoftware.com
This archive was generated by hypermail 2.1.1 : Fri Aug 31 2001 - 03:10:03 EST