[VIDEO PLAYBACK] DAVID MALAN: And you can eventually overflow it by trying to use more memory than you should have. And a buffer overflow is typically-- [END PLAYBACK] DAVID MALAN: So this year, we have more overflows than ever in CS50, where I took care to actually enumerate a number of different types of overflows, buffer overflow and, of course, stack overflow, with a site with which students generally gain familiarity during the semester. So it's nice to give them a sense of the etymology of that. DOUG LLOYD: Now they know where it came from, exactly. DAVID MALAN: Yeah. But in C, we have the ability to actually have this conversation and actually talk about an exploit. So here's some sample code that Wikipedia's own page on buffer overflow exploits, looks at, or for stack overruns specifically, and even though it's a pretty contrived example, this one, where you're really just copying some memory into a place where it really shouldn't be because you're overrunning how much you've asked for, it does demonstrate visually what's going on. Which is nice. And it allows us to talk, albeit briefly, about return addresses and what it means to overflow the stack. And you can see graphically how those values are overriding bytes that they shouldn't be. DOUG LLOYD: Exactly. DAVID MALAN: In fact, my one regret is just how contrived this example is. And I think in reflecting on this, both now and in the recent months since this went live, we should probably come up with, I think, a better, less contrived example than just copying arbitrary memory around like this. Like hard-coding 12 is kind of hard to justify here. DOUG LLOYD: Yeah, well, for people who might be watching this that actually went through CS50 this year, our quiz this year actually had a question about buffer overflow-- or our test, rather, had a question about buffer overflow. DAVID MALAN: You can still read about it all too often when some software gets hacked or some server and it's because of memory bounds not being checked. So it's a problem that's still with us today, certainly. DOUG LLOYD: Yeah, this example is a bit contrived, but anything where you're taking input from a user and copying it into a buffer that has a fixed size is another maybe less contrived example. DAVID MALAN: But it's good. I mean, I like how our students, ultimately, are exiting the course even understanding the nuances of these kinds of attacks. And indeed, this is just one instance of our discussion throughout the semester of various security exploits. And we'll come to another one altogether when we look at SQL, when we look at web programming more generally. So it's kind of nice to show that even in our command line environment, there are threats ever present. DOUG LLOYD: And in years past, we've actually taken a lot of these security threats and actually just kind of buffered them until the end of the year. DAVID MALAN: In a separate security lecture. DOUG LLOYD: In a separate lecture entirely. DAVID MALAN: --which are now woven into the semester itself. DOUG LLOYD: It's good to present these things, I think, at the time when they're-- DAVID MALAN: Just like these threats. DOUG LLOYD: --fresh in the student's mind. Yeah, exactly.