[QuickCheck] Status of Haskell Platform 2014.2.0.0

Mark Lentczner mark.lentczner at gmail.com
Tue Jul 15 23:14:37 BST 2014


On Tue, Jul 15, 2014 at 1:59 PM, Bryan O'Sullivan <bos at serpentine.com>
wrote:

> Well, it was rather late to hear that you weren't going to upgrade
> attoparsec, too ;-)
>


On Sun, Mar 30, 2014 at 1:06 PM, Mark Lentczner <mark.lentczner at gmail.com>
 wrote:

> SO, In anticipation of releasing a HP shortly (1 month?) after GHC 7.8...
> I'd like to get going on nailing down package versions.
>

>
        , incLib "attoparsec"               "0.10.4.0"
>



> In brief, an attacker can DoS a user of attoparsec by handing them a
> floating point number with a sufficiently large exponent (e.g.
> 1e1000000000). This will cause it to try to create an Integer with the
> given number of digits, thus possibly OOMing a machine or crashing a
> process.
>

But only if you use the Data.Atooparsec.Text parsers double, number, and
rational parser, right?

- Mark
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://projects.haskell.org/pipermail/quickcheck/attachments/20140715/30fe4912/attachment-0001.htm>


More information about the QuickCheck mailing list