That would not be the reason to stop code review though. There may be still things to be done to reduce the severity of potential future bugs.
Newly added code can introduce and/or expose issues. The idea is to make changes in the existing code that make the exploitation of a future bug more challenging. This is good to do without introducing new issues like performance degradation, etc.
Given a heap based buffer overflow, one of the common attack scenario is to overwrite a function pointer in any structure. If, however, the function pointer is at the end of the structure, the overflow may:
- Not be long enough to overwrite the function pointer
- Overwrite the variables preceding the function pointer and so destroy the internal state of the application. This could lead the application to bail out early before the function gets called.
A more generic suggestion in security point of view is like this. If possible, arrange the variables to have
- the sensitive ones at the end of the structure
- the ones that can bail the execution out early at the beginning of the structure
