On 06/12/2014 12:04 PM, Jonathan Wakely wrote:
What can we do about it?
How common is it to use std::vector with qsort, rather than
std::sort(vec.begin(), vec.end()), which does the right thing?
Our very own vec::qsort has the same problem, so I'd wager that it's
fairly common.
We could make vector::data() guarantee a non-null pointer with
_FORTIFY_SOURCE, but I'd rather not do so in "unfortified" code. Some
users would object to the extra check needed.
Or we could remove the nonnull attributes, so that the additional checks
are not necessary.
--
Florian Weimer / Red Hat Product Security Team
