MantisBT - Community
View Issue Details
ID: 0025860
Project: Community
Category: [OCCT] OCCT:Modeling Data
View Status: public
Date Submitted: 2015-02-25 04:04
Last Update: 2016-07-22 12:00
Reporter: Aaron Michalk
Assigned To: bugmaster
Priority: normal
Severity: crash
Status: closed
Resolution: fixed
Platform: Windows
OS: VC++ 2013
OS Version: 64 bit
Product Version: [OCCT] 6.8.0
Target Version: [OCCT] 6.9.0
Fixed in Version: [OCCT] 6.9.0
Test case number: Not needed
0025860: Buffer overrun in TopTools_ShapeSet::Read
I have observed an occasional crash with the following code in TopTools_ShapeSet::Read:

    for (Standard_Size lv = (strlen(vers)- 1); lv > 1 && (vers[lv] == '\r' || vers[lv] == '\n') ;lv--)
      vers[lv] = '\0';

The problem is that strlen(vers) returns 0 for the first line of a written shape. The variable lv gets assigned the value 4294967295 in 32 bit.
Write a shape and read it back in while stepping through in the debugger.

Example in Draw:

box a 1 1 1
save a
restore a
I suggest the following replacement:

    if (vers[0] != '\0') {
      for (Standard_Size lv = (strlen(vers)- 1); lv > 1 && (vers[lv] == '\r' || vers[lv] == '\n') ;lv--)
        vers[lv] = '\0';
    }
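As an added illustration (not code from the OCCT sources or from the reporter's patch), the unsigned index arithmetic behind the crash, next to a hardened variant of the trailing-CR/LF strip; the hardened loop differs from the patch above in that it also clears CR/LF at positions 0 and 1:

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <string>
#include <vector>

// Index the original loop starts from: strlen(vers) - 1 computed in
// Standard_Size, an unsigned size_t. For an empty first line this does not
// become -1 but wraps to SIZE_MAX, "lv > 1" stays true, and the loop then
// dereferences vers[SIZE_MAX]; in practice that address is the byte just
// before the array (vers[-1]), whose contents decide whether the read and
// the '\0' write crash. Computed here without touching any memory.
std::size_t unsafeStartIndex(const char* vers) {
    return std::strlen(vers) - 1;   // wraps to SIZE_MAX when vers is ""
}

// Hardened strip of trailing CR/LF. Tracking the remaining length instead of
// a descending index removes the "index - 1" step that can underflow, and an
// empty line falls out of the loop immediately. Unlike the patch in the
// report, a line consisting only of "\r\n" is reduced to "".
void stripLineEnding(char* vers) {
    std::size_t len = std::strlen(vers);
    while (len > 0 && (vers[len - 1] == '\r' || vers[len - 1] == '\n')) {
        vers[--len] = '\0';
    }
}

// Convenience wrapper: copy into a writable NUL-terminated buffer, strip in
// place, and return the result so it can be checked.
std::string stripped(const std::string& line) {
    std::vector<char> buf(line.begin(), line.end());
    buf.push_back('\0');
    stripLineEnding(buf.data());
    return std::string(buf.data());
}

int main() {
    // Constructed inputs: the empty first line and a sample header line.
    bool ok = unsafeStartIndex("") == SIZE_MAX
           && stripped("") == ""
           && stripped("header line\r\n") == "header line";
    return ok ? 0 : 1;
}
```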
No tags attached.
Issue History
Date Modified | Username | Field | Change
2015-02-25 04:04 | Aaron Michalk | New Issue |
2015-02-25 04:04 | Aaron Michalk | Assigned To | => msv
2015-03-02 11:34 | msv | Note Added: 0037986 |
2015-03-02 11:34 | msv | Assigned To | msv => Aaron Michalk
2015-03-02 11:34 | msv | Status | new => feedback
2015-03-02 16:06 | git | Note Added: 0038003 |
2015-03-02 16:12 | msv | Note Added: 0038004 |
2015-03-02 16:12 | msv | Assigned To | Aaron Michalk => msv
2015-03-02 16:12 | msv | Status | feedback => resolved
2015-03-02 16:12 | msv | Steps to Reproduce Updated | bug_revision_view_page.php?rev_id=9498#r9498
2015-03-02 16:13 | msv | Note Added: 0038005 |
2015-03-02 16:13 | msv | Assigned To | msv => bugmaster
2015-03-02 16:13 | msv | Status | resolved => reviewed
2015-03-02 17:03 | mkv | Assigned To | bugmaster => mkv
2015-03-04 18:39 | mkv | Note Added: 0038107 |
2015-03-04 18:39 | mkv | Assigned To | mkv => bugmaster
2015-03-04 18:39 | mkv | Status | reviewed => tested
2015-03-04 18:39 | mkv | Test case number | => Not needed
2015-03-06 15:13 | bugmaster | Changeset attached | => occt master 5149c3f3
2015-03-06 15:13 | bugmaster | Status | tested => verified
2015-03-06 15:13 | bugmaster | Resolution | open => fixed
2015-03-10 13:00 | bugmaster | Target Version | => 6.9.0
2015-03-18 13:39 | git | Note Added: 0038620 |
2015-05-14 15:28 | aiv | Status | verified => closed
2015-05-14 15:31 | aiv | Fixed in Version | => 6.9.0
2016-07-22 12:00 | msv | Relationship added | related to 0027703

Notes
(0037986) msv 2015-03-02 11:34
Dear Aaron,
Please provide more details to reproduce this problem. A draw script or a simple main program would be appreciated. What is a shape? If it is a special one, please provide it too.
(0038003) git 2015-03-02 16:06
Branch CR25860 has been created by msv.

SHA-1: 66e9f14ff1ed4edfa6aabf211e312bd37e8569ae
Detailed log of new commits:

Author: msv
Date: Mon Mar 2 16:06:30 2015 +0300

    0025860: Buffer overrun in TopTools_ShapeSet::Read
    
    Avoid out of array bounds read/write.
(0038004) msv 2015-03-02 16:12
In regular conditions the exception does not occur (it depends on the value contained in vers[-1]). Therefore there is no need to create a test case for the OCC database.

I have adopted the proposed patch and put it in the branch CR25860.
(0038005) msv 2015-03-02 16:13
Please test.
(0038107) mkv 2015-03-04 18:39
Dear BugMaster,
Branch CR25860 from occt git-repository (and master from products git-repository) was compiled on Linux, MacOS and Windows platforms and tested in Release mode.
SHA-1: 66e9f14ff1ed4edfa6aabf211e312bd37e8569ae

Number of compiler warnings:

occt component :
Linux: 18 (18 on master)
Windows: 2 (2 on master)

products component :
Linux: 11 (11 on master)
Windows: 0 (4 on master)

Regressions/Differences:
No regressions/differences

Testing cases:
Not needed

Testing on Linux:
occt component :
Total MEMORY difference: 91907831 / 91851071
Total CPU difference: 59405.63999999993 / 59519.03999999998
products component :
Total MEMORY difference: 23624941 / 23611884
Total CPU difference: 16705.03999999998 / 16674.609999999982

Testing on Windows:
occt component :
Total MEMORY difference: 57944744 / 57944267
Total CPU difference: 34618.5 / 38926.375
products component :
Total MEMORY difference: 16205673 / 16209637
Total CPU difference: 13028.546875 / 9535.171875

There are no differences in images found by testdiff.
(0038620) git 2015-03-18 13:39
Branch CR25860 has been deleted by inv.

SHA-1: 66e9f14ff1ed4edfa6aabf211e312bd37e8569ae