[thegeomaster]

FWIW, idiomatically copying a string in C is done using strncpy, and that doesn't introduce any RCE bugs. I would not in my right mind defend the premise that C is just as safe as Scala, but the truth is that sloppy programming can do harm in every language imaginable. It just becomes about damage control.

[wglb]

Sorry, if you get the third argument of strncpy wrong, you are right back in the area of trouble.

[pbsd]

Even when you don't get it wrong (i.e., no out-of-bounds writes), you can still get out-of-bounds reads because strncpy does not always null-terminate strings. C strings suck.

[dezgeg]

To be fair, the real issue here is 'strncpy', whose destination argument does _not_ operate on C strings, despite that it's name starts with 'str'.

[tptacek]

We can repeat this subthread with examples of UAF bugs, which are equally common, if anyone really wants to get the full flavor of how wrong it is to suggest that C is comparably as safe as Haskell.

[dezgeg]

My post wasn't meant as disagreement on the issue of whether some languages are safer than others. I apologize if this is is how the message was received. I was trying to point out that w.r.t. C strings, using strncpy is almost always the wrong thing to do.

[tptacek]

Oh, sorry, I didn't mean to sound like I was snarking at you!