Errata for Secure Programming with Static Analysis


Page 4, third paragraph, line 10: Change "there own worst enemy" to "their own worst enemy"
Page 23 next to last line, change "compliment" to "complement".
Page 52, just below halfway down: Change "Some static analysis tools makes" to "Some static analysis tools make"
Page 73: Remove the quotation mark from the last line in Example 4.1. The regular expression should not match tokens containing a quotation mark.
Page 92 line 9: Change "the use a stack-based" to "the use of a stack-based"
Page 120: Change "data that a user deliver" to "data that the user delivers"
Page 124: Indent trailing "}" to align with the word "try" and add a left-aligned ellipsis (...) to the bottom of the code example.
Page 128, Example 5.6, line 3: Replace "do_not_trustme.com" with "trustme.com.untrustworthy.com". The function strncmp() implements a prefix match not a suffix match, so "trustme.com" must appear at the beginning of the name.
Page 128, Example 5.6, line 6: Replace "sizeof" with "strlen"
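The prefix-versus-suffix point behind these two corrections, as an added example (not the book's Example 5.6): the weak check below uses strncmp() with strlen() exactly as the erratum describes, so it accepts the host name the erratum names, while the hardened check requires the trusted domain to appear at the end of the name on a label boundary. TRUSTED_DOMAIN, the function names and the sample host names are constructed for this example.

```c
#include <stdio.h>
#include <string.h>

#define TRUSTED_DOMAIN "trustme.com"

/* Weak check in the style the erratum describes: strncmp() compares only
 * the first strlen(TRUSTED_DOMAIN) bytes, so it asks "does host START with
 * trustme.com?", not "does host END with trustme.com?". */
int weak_prefix_check(const char *host)
{
    return strncmp(host, TRUSTED_DOMAIN, strlen(TRUSTED_DOMAIN)) == 0;
}

/* Hardened check: the host must END with the trusted domain, and either be
 * exactly that domain or have a label separator ('.') right before it, so
 * both "trustme.com.untrustworthy.com" and "nottrustme.com" are rejected. */
int suffix_check(const char *host)
{
    size_t hlen = strlen(host);
    size_t dlen = strlen(TRUSTED_DOMAIN);
    if (hlen < dlen)
        return 0;
    const char *tail = host + (hlen - dlen);
    if (strcmp(tail, TRUSTED_DOMAIN) != 0)
        return 0;
    return hlen == dlen || tail[-1] == '.';
}

int main(void)
{
    /* Constructed sample host names, including the one the erratum uses. */
    const char *hosts[] = {
        "trustme.com",
        "www.trustme.com",
        "trustme.com.untrustworthy.com",
        "nottrustme.com",
    };
    for (size_t i = 0; i < sizeof(hosts) / sizeof(hosts[0]); i++)
        printf("%-30s prefix=%d suffix=%d\n", hosts[i],
               weak_prefix_check(hosts[i]), suffix_check(hosts[i]));
    return 0;
}
```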
Page 136: Add a line break before the trailing dash on the first line so that Morse K (-.-) is not split across the line break.
Page 136: Change "whitespace surrounding a . or -" to "whitespace surrounding an optional . or -".
Page 164: Change "interface, passes concatenated" to "interface, it passes concatenated".
Page 164, example 5.30: change "Paramater" to "Parameter"
Page 166, second paragraph, line 5: change "and many dangerous" to "and therefore many dangerous"
Page 202: Change "StirngCbPrintfEx" to "StringCbPrintfEx".
Page 202: Change "StirngCbVPrintfEx" to "StringCbVPrintfEx".
Page 219, bottom line: Change "defined the" to "defined in the"
Page 221, Table 6.10, bottom entry: Change "ISO-8869-1" to "ISO-8859-1"
Page 236: Change "twos complement" to "two's complement" in footnote.
Page 277, caption for Example 8.10: Change "canonnical" to "canonical"
Page 292: Remove welcome.jsp from the comma-delimited list.
Page 299: Change "'OR 1=1" to "'OR '1'='1".
Page 301: Change "a value for color..." to "a value for clr".
Page 308, first line of second paragraph: Change "got its started" to "got its start"
Page 320: Change "Content-Length: 212" to "Content-Length: 18".
Page 330, fourth paragraph: Change "Given these somewhat" to "Given even these"
Page 343: Change "down sides" to "downsides".
Page 345: Change "XPath Expresion" to "XPath Expression".
Page 355: Change "<xs:all>" to "<xs:sequence>".
Page 373, last sentence of first paragraph: Change "parse" to "parses". (It's the notation that is parsed, not the data.)
Page 376: Change "GET" to "POST".
Page 387: Change example code to read:
  sqlQuery = "SELECT item FROM users WHERE login = '"
             + user.getLogin() + "'"
             + " AND password = '"
             + user.getPassword() + "'";

Page 406: Change "only as good as the best sources" to "only as good as the best source".
Page 412: Change (op == "%") to (op == "&").
Page 415: Change "mlock(cleartext)" to "mlock(cleartext, len)".
Page 445: The text to the far left of the diagram should read "Time 0:" through "Time 8:". Exactly aligned with each of these labels should appear one line of text in either the victim column or the attacker column; never more, never less. To be clear, the alignment should be:
  Time 0: lstat(...
  Time 1: creat(...
  Time 2: kill(...
  Time 3: stat(...
  Time 4: remove(...
  Time 5: symlink(...
  Time 6: kill(...
  Time 7: open(...
  Time 8: fstat(...
Remove the trailing = in the bottom-left corner.
Index: Function calls (e.g. free() and chroot( )) appear in some cases with a space between the ( ) and sometimes without (). Normalize to use no space between matched () to avoid duplication and sort-order problems. For example, strcpy() appears twice on page 583, once with a space, once without.
Page 451, second to last line: Change the word "enviorn" to use the code font, like this: "enviorn"
Page 451, second to last line: Change "null" to "NULL"
Index Page 574: Remove incorrect spelling of getConneciton and remove duplicate entries for parametereized, RtlGenRandom, doGet, doPost.