MantisBT - Community
View Issue Details
0023843 | Community | [OCCT] OCCT:Foundation Classes | public | 2013-03-20 12:45 | 2013-12-19 13:55
Pawel
omy
normal | minor
closed | fixed
ALL
[OCCT] 6.5.4
[OCCT] 6.7.0 | [OCCT] 6.7.0
Not needed
0023843: scanf without field width limits can crash with huge input data.
Problem occurs in multiple files in TKernel, TKAdvTools and TKVoxel (consult the attached image for details).

cppcheck message:

Summary: scanf without field width limits can crash with huge input data.
Message: scanf without field width limits can crash with huge input data. Add a field width specifier to fix this problem:
    %s => %20s

Sample program that can crash:

#include <stdio.h>
int main()
{
    char c[5];
    scanf("%s", c);
    return 0;
}

To make it crash, type in more than 5 characters.
No tags attached.
parent of 0023996 | closed | Pawel | Width 50 given in format string (no. 2) is larger than destination buffer 'vale[50]'
png scanf_warning.png (35,146) 2013-03-20 12:45
https://tracker.dev.opencascade.org/
Issue History
2013-03-20 12:45 | Pawel | New Issue
2013-03-20 12:45 | Pawel | Assigned To | => bugmaster
2013-03-20 12:45 | Pawel | File Added: scanf_warning.png
2013-03-20 12:55 | abv | Assigned To | bugmaster => omy
2013-03-20 12:55 | abv | Status | new => assigned
2013-03-20 12:55 | abv | Target Version | => 6.7.0
2013-03-20 17:42 | omy | Note Added: 0023827
2013-03-20 17:42 | omy | Assigned To | omy => abv
2013-03-20 17:42 | omy | Status | assigned => resolved
2013-03-21 10:47 | abv | Note Added: 0023828
2013-03-21 10:47 | abv | Assigned To | abv => omy
2013-03-21 10:47 | abv | Status | resolved => assigned
2013-03-21 15:18 | omy | Note Added: 0023832
2013-03-21 15:18 | omy | Assigned To | omy => abv
2013-03-21 15:18 | omy | Status | assigned => resolved
2013-04-01 13:23 | abv | Note Added: 0023949
2013-04-01 13:23 | abv | Assigned To | abv => omy
2013-04-01 13:23 | abv | Status | resolved => assigned
2013-04-02 12:00 | omy | Note Added: 0023962
2013-04-02 12:00 | omy | Assigned To | omy => abv
2013-04-02 12:00 | omy | Status | assigned => resolved
2013-04-04 06:53 | abv | Note Added: 0023988
2013-04-04 06:53 | abv | Assigned To | abv => bugmaster
2013-04-04 06:53 | abv | Status | resolved => reviewed
2013-04-04 14:52 | mkv | Assigned To | bugmaster => mkv
2013-04-05 21:21 | mkv | Note Added: 0024026
2013-04-05 21:22 | mkv | Test case number | => Not needed
2013-04-05 21:22 | mkv | Assigned To | mkv => omy
2013-04-05 21:22 | mkv | Status | reviewed => assigned
2013-04-09 14:31 | omy | Note Added: 0024044
2013-04-09 14:31 | omy | Assigned To | omy => abv
2013-04-09 14:31 | omy | Status | assigned => resolved
2013-04-09 14:47 | abv | Note Added: 0024045
2013-04-09 14:47 | abv | Assigned To | abv => omy
2013-04-09 14:47 | abv | Status | resolved => assigned
2013-04-09 14:57 | omy | Note Added: 0024047
2013-04-09 14:57 | omy | Assigned To | omy => abv
2013-04-09 14:57 | omy | Status | assigned => resolved
2013-04-09 15:13 | abv | Note Added: 0024048
2013-04-09 15:13 | abv | Assigned To | abv => bugmaster
2013-04-09 15:13 | abv | Status | resolved => reviewed
2013-04-12 15:45 | apn | Assigned To | bugmaster => apn
2013-04-15 17:26 | apn | Note Added: 0024141
2013-04-15 17:26 | apn | Assigned To | apn => bugmaster
2013-04-15 17:26 | apn | Status | reviewed => tested
2013-04-30 10:28 | omy | Changeset attached | => occt master d0e4e578
2013-04-30 10:28 | omy | Assigned To | bugmaster => omy
2013-04-30 10:28 | omy | Status | tested => verified
2013-04-30 10:28 | omy | Resolution | open => fixed
2013-05-27 13:10 | Pawel | Relationship added | parent of 0023996
2013-12-19 13:53 | bugmaster | Status | verified => closed
2013-12-19 13:55 | bugmaster | Fixed in Version | => 6.7.0

Notes
(0023827)
omy   
2013-03-20 17:42   
Dear abv,
I've pushed a fix into branch CR23843.
Please, review.
(0023828)
abv   
2013-03-21 10:47   
When using memset(), it is preferable to use sizeof() to get the size of the buffer instead of using a hard-coded value; this would prevent possible errors due to different sizes used in the call and in the buffer declaration (like in Units_UnitsDictionary.cxx, line 164, or Units_Lexicon.cxx, line 92). The same applies to other calls.

In calls to getline() or sprintf() do not forget that the last symbol in the buffer should be reserved for the end-of-string symbol ('\0'); thus in most cases the number of bytes allowed to be put in the buffer should be its size - 1.
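Added example (not part of the tracker thread or of the OCCT changeset): the field-width fix from the issue description and the two review points in note 0023828 above, sizeof instead of a hard-coded size and one byte reserved for '\0', shown together in C. The names Token, TOKEN_CHARS, read_token and format_pair are hypothetical, and sscanf on constructed strings stands in for scanf on stdin.

```c
#include <stdio.h>
#include <string.h>

/* Stringify a numeric macro so the field width in the format string comes
   from the same constant as the buffer declaration. */
#define STR_(x) #x
#define STR(x)  STR_(x)

#define TOKEN_CHARS 4                      /* payload characters, no '\0' */

typedef struct {
    char text[TOKEN_CHARS + 1];            /* +1 reserved for the terminator */
} Token;

/* Read one whitespace-delimited token. sscanf on a string stands in for
   scanf on stdin so the run is reproducible; the width rule is the same.
   Returns the stored length, or -1 if no token was found. */
static int read_token(const char *input, Token *tok)
{
    memset(tok->text, 0, sizeof tok->text);          /* sizeof, not a literal 5 */
    /* Expands to "%4s": at most 4 chars stored, then '\0' in the 5th byte.
       Writing "%5s" here would repeat the width == buffer size mistake. */
    if (sscanf(input, "%" STR(TOKEN_CHARS) "s", tok->text) != 1)
        return -1;
    return (int)strlen(tok->text);
}

/* Bounded replacement for sprintf(dst, "%s=%d", ...).
   Returns 1 if the whole string fit, 0 if it was truncated or failed. */
static int format_pair(char *dst, size_t dst_size, const char *key, int value)
{
    int n = snprintf(dst, dst_size, "%s=%d", key, value);
    return n >= 0 && (size_t)n < dst_size;           /* n excludes the '\0' */
}

int main(void)
{
    Token tok;
    char line[8];
    /* Constructed inputs: one oversized token, one exact-fit pair, one too long. */
    printf("%d %s\n", read_token("abcdefghij", &tok), tok.text);
    printf("%d %s\n", format_pair(line, sizeof line, "abc", 123), line);
    printf("%d %s\n", format_pair(line, sizeof line, "abcd", 123), line);
    return 0;
}
```

The same width rule covers the related issue 0023996: a width of 50 for a 50-byte buffer leaves no room for the terminator.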
(0023832)
omy   
2013-03-21 15:18   
Dear abv,
I've fixed the mistakes you mentioned above.
Please, review.
(0023949)
abv   
2013-04-01 13:23   
In Interface_Static.cxx, please make variable defmess local (not global static).
In Voxel_Reader.cxx, please correct sizes of the buffers vs. sprintf() formats.
(0023962)
omy   
2013-04-02 12:00   
Dear abv,
The branch was rebased onto current master and includes the last fixes you asked about.
Please, review.
(0023988)
abv   
2013-04-04 06:53   
No remarks, please test
(0024026)
mkv   
2013-04-05 21:21   
Dear BugMaster,

Branch CR23843_1 (and products from GIT master) was compiled on Linux and Windows platforms and tested without rebase.
SHA-1: 71326b29c26aa0ffed9ca44259104fdbbfdad520

Number of compiler warnings:

occt component :
Linux: 4 (3 on master) - Interface
Windows: 13 (11 on master) - Interface
http://jenkins-test-01.nnov.opencascade.com:8080/user/mnt/my-views/view/Warnings/job/mnt-CR23843_1-master_build_occt_linux/1/warnings12Result/?
http://jenkins-test-01.nnov.opencascade.com:8080/user/mnt/my-views/view/CR23843_1/job/mnt-CR23843_1-master_build_occt_windows/1/warnings23Result/new/?

products component :
Linux: 0 (0 on master)
Windows: 50 (50 on master)

Regressions:
No regressions

Improvements:
No improvements

Testing cases:
Not needed

Testing on Linux:
Total MEMORY difference: 238921008 / 238903524
Total CPU difference: 16961.850000000173 / 16289.690000000137

Testing on Windows:
Total MEMORY difference: 351039052 / 351749312
Total CPU difference: 20966.171875 / 20720.78125

There are no serious differences in images found by testdiff.
(0024044)
omy   
2013-04-09 14:31   
Dear abv,
I've fixed the noticed compiler warning.
Please, review.
(0024045)
abv   
2013-04-09 14:47   
Please restore defmess as static in Interface_Static.cxx... I did not realize it was used in return statements
(0024047)
omy   
2013-04-09 14:57   
Dear abv,
I've reverted the changes in the file.
Please, review.
(0024048)
abv   
2013-04-09 15:13   
No remarks, please test
(0024141)
apn   
2013-04-15 17:26   
Dear BugMaster,

Branch CR23843_1 (and products from GIT master) was compiled on Linux and Windows platforms and tested with rebase.
SHA-1: a6845d08b96c648d3bc0f7d10841b15fafc31403

Number of compiler warnings:

occt component :
Linux: 2 (2 on master)
Windows: 1 (11 on master)

products component :
Linux: 0 (0 on master)
Windows: 50 (50 on master)

Regressions:
No regressions

Improvements:
No improvements

Testing cases:
Not needed

Testing on Linux:
Total MEMORY difference: 244700820 / 244823288
Total CPU difference: 13744.750000000071 / 19944.249999999734

Testing on Windows:
Total MEMORY difference: 356203372 / 355731632
Total CPU difference: 16812.65625 / 20857.28125

There are no serious differences in images found by testdiff.