<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META content="text/html; charset=us-ascii" http-equiv=Content-Type>
<META name=GENERATOR content="MSHTML 11.00.9600.19180"></HEAD>
<BODY style="WORD-WRAP: break-word; -webkit-nbsp-mode: space">
<DIV dir=ltr align=left><SPAN class=359131419-26112018><FONT color=#0000ff
size=2 face=Arial>Fairly clear that the length of the sequence could be limited
to some small constant plus a maximum length of the payload .. at worst 64
characters for 64-bit NaNs?</FONT></SPAN></DIV><BR>
<BLOCKQUOTE
style="PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #0000ff 2px solid; MARGIN-RIGHT: 0px"
dir=ltr>
<DIV lang=en-us class=OutlookMessageHeader dir=ltr align=left>
<HR tabIndex=-1>
<FONT size=2 face=Tahoma><B>From:</B> cfp-interest-bounces@oakapple.net
[mailto:cfp-interest-bounces@oakapple.net] <B>On Behalf Of </B>Jim
Thomas<BR><B>Sent:</B> 26 November 2018 18:33<BR><B>To:</B> Fred J.
Tydeman<BR><B>Cc:</B> CFP<BR><B>Subject:</B> Re: [Cfp-interest] printf, NaN,
infinity<BR></FONT><BR></DIV>
<DIV></DIV>The proposal in Fred’s 10/24 email entails release-to-release
incompatible changes, which needs a strong rationale.
<DIV><BR></DIV>Martin Sebor's paper is at <A
href="http://www.open-std.org/jtc1/sc22/wg14/www/docs/n2301.htm">http://www.open-std.org/jtc1/sc22/wg14/www/docs/n2301.htm</A>.<BR><BR>
<DIV>n-char-sequences are for optional implementation-defined semantics.
The current specification was intended to not burden implementations that
don’t support the semantics.</DIV>
<DIV><BR></DIV>
<DIV>Couldn’t the security problem be addressed by limiting the length of any
n-char-sequence that might appear in printf output of nan(n-char-sequence),
perhaps to the value of an implementation-defined macro? The macro value could
be zero if the implementation never printed n-char-sequences.</DIV>
<DIV><BR></DIV>
<DIV>- Jim Thomas<BR>
<DIV><BR>
<BLOCKQUOTE type="cite">
<DIV>On Nov 26, 2018, at 8:39 AM, Fred J. Tydeman <<A
href="mailto:tydeman@tybor.com">tydeman@tybor.com</A>> wrote:</DIV><BR
class=Apple-interchange-newline>
<DIV>
<DIV>On Mon, 26 Nov 2018 08:27:15 -0800 Jim Thomas wrote:<BR>
<BLOCKQUOTE type="cite"><BR>Is this proposal at the request of WG14? If
so, what exactly was requested?<BR></BLOCKQUOTE><BR>Not exactly.
Martin Sebor presented a paper showing that the output<BR>of the form
NaN(chars) is unbounded, so is a security problem. He<BR>presented an
idea on how to limit that output. The committee did not<BR>like his
idea. So, I decided to come up with my own
solution.<BR><BR><BR><BR>---<BR>Fred J. Tydeman
Tydeman Consulting<BR><A
href="mailto:tydeman@tybor.com">tydeman@tybor.com</A>
Testing, numerics, programming<BR>+1 (702)
608-6093 Vice-chair of PL22.11 (ANSI
"C")<BR>Sample C99+FPCE tests: <A
href="http://www.tybor.com">http://www.tybor.com</A><BR>Savers sleep well,
investors eat well, spenders work
forever.<BR></DIV></DIV></BLOCKQUOTE></DIV><BR></DIV></BLOCKQUOTE></BODY></HTML>