MantisBT - Community
View Issue Details
ID: 0028327
Project: Community
Category: [OCCT] OCCT:Modeling Data
View Status: public
Date Submitted: 2016-12-29 20:36
Last Update: 2017-09-29 16:24
Reporter: Istvan Csanady
Assigned To: apn
Priority: normal
Severity: crash
Status: closed
Resolution: fixed
Target Version: [OCCT] 7.2.0
Fixed in Version: [OCCT] 7.2.0
Test case number: Not needed
Summary: 0028327: BSplCLib can cause memory corruption in degenerated cases
Description:
Some methods of BSplCLib directly use the memory address of the knots array. This can lead to reading invalid memory addresses and/or crashes. If the indexing operator were used instead, this would simply lead to an exception being thrown instead of memory garbage being read. I am pretty sure that on a modern C++ compiler this would not lead to a performance fallback (at least it did not in our case), but indeed it needs more investigation.
Patch is attached.
Steps To Reproduce: Not available
Tags: No tags attached.
Attached Files: use_index_operator.diff (1,418 bytes) 2016-12-29 20:36
https://tracker.dev.opencascade.org/
Issue History
Date Modified | Username | Field | Change
2016-12-29 20:36 | Istvan Csanady | New Issue
2016-12-29 20:36 | Istvan Csanady | Assigned To | => msv
2016-12-29 20:36 | Istvan Csanady | File Added: use_index_operator.diff
2017-02-01 11:32 | msv | Note Added: 0063280
2017-02-01 11:32 | msv | Assigned To | msv => Istvan Csanady
2017-02-01 11:32 | msv | Status | new => feedback
2017-02-01 11:44 | msv | Note Added: 0063281
2017-02-01 16:33 | Istvan Csanady | Note Added: 0063303
2017-02-01 17:16 | git | Note Added: 0063310
2017-02-01 17:17 | msv | Assigned To | Istvan Csanady => msv
2017-02-01 17:17 | msv | Status | feedback => resolved
2017-02-01 17:17 | msv | Steps to Reproduce Updated | bug_revision_view_page.php?rev_id=15991#r15991
2017-02-01 17:17 | msv | Note Added: 0063311
2017-02-01 17:17 | msv | Assigned To | msv => bugmaster
2017-02-01 17:17 | msv | Status | resolved => reviewed
2017-02-01 17:23 | apv | Assigned To | bugmaster => apv
2017-02-01 18:37 | apv | Test case number | => Not needed
2017-02-03 13:53 | apv | Note Added: 0063390
2017-02-03 13:53 | apv | Assigned To | apv => bugmaster
2017-02-03 13:53 | apv | Status | reviewed => tested
2017-02-10 14:33 | apn | Changeset attached | => occt master c13de402
2017-02-10 14:33 | apn | Assigned To | bugmaster => apn
2017-02-10 14:33 | apn | Status | tested => verified
2017-02-10 14:33 | apn | Resolution | open => fixed
2017-03-20 14:36 | git | Note Added: 0064510
2017-09-29 16:20 | aiv | Fixed in Version | => 7.2.0
2017-09-29 16:24 | aiv | Status | verified => closed

Notes
(0063280) msv, 2017-02-01 11:32
Istvan, do you have a test case for which BSplCLib::KnotForm goes out of array bounds?
(0063281) msv, 2017-02-01 11:44
I see similar code in BSplCLib::MultForm, near line 640.
(0063303) Istvan Csanady, 2017-02-01 16:33
One of our users was trying to import an IGS file, and it always crashed for him. We figured out from the crash logs that this was the problem, but we did not have access to the IGS file.
(0063310) git, 2017-02-01 17:16
Branch CR28327 has been created by msv.

SHA-1: 511348a5de706af9b501b7c793cb09d40636d599


Detailed log of new commits:

Author: msv
Date: Wed Feb 1 11:35:50 2017 +0300

    0028327: BSplCLib can cause memory corruption in degenerated cases
    
    The code of the methods BSplCLib::KnotForm and BSplCLib::MultForm has been made safe by giving up the use of the address of an array item for iteration on the Array1. Also, a check for the degenerated case has been added to prevent an out-of-bounds exception.
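Added example, not OCCT code and not the attached patch: a stand-in for an OCCT-style one-based knot array with a bounds-checked indexing operator, and three variants of a simplified uniform/non-uniform knot classifier (the real BSplCLib::KnotForm distinguishes more distributions and is not reproduced here). KnotFormPointerWalk mirrors the pattern the report describes (address of the first knot taken once, raw pointer arithmetic after that), KnotFormIndexed uses only the indexing operator so an out-of-range index throws instead of reading garbage, and KnotFormChecked adds the degenerate-case check the commit message mentions so a single-knot range returns without throwing. The class name KnotArray1, the kPoison slack cells that make the stray read observable without undefined behaviour, the function names and the knot values are all constructed for this example.

```cpp
#include <cmath>
#include <cstddef>
#include <iostream>
#include <stdexcept>
#include <vector>

// Constructed device for this example: the backing store carries a few cells
// of this value past the last real knot, so a logically out-of-bounds read is
// observable here without undefined behaviour. A real array has no such slack.
constexpr double kPoison = -1.0e300;

// Hypothetical stand-in for an OCCT-style one-based knot array (not
// NCollection_Array1): Lower()/Upper() bounds and an indexing operator that
// throws on an out-of-range index.
class KnotArray1 {
public:
  KnotArray1(int lower, const std::vector<double>& values)
    : myLower(lower), myCount(static_cast<int>(values.size())), myData(values) {
    myData.resize(myData.size() + 4, kPoison);
  }
  int Lower() const { return myLower; }
  int Upper() const { return myLower + myCount - 1; }

  // Bounds-checked access: the "indexing operator" the report asks for.
  const double& operator()(int i) const {
    if (i < Lower() || i > Upper())
      throw std::out_of_range("KnotArray1: index out of range");
    return myData[static_cast<std::size_t>(i - myLower)];
  }

private:
  int myLower;
  int myCount;
  std::vector<double> myData;
};

enum class KnotForm { Uniform, NonUniform };

// Simplified classification shared by all variants: knots FromK1..ToK2 are
// uniform if every interval has the length of the first one (scaled tolerance).
static bool sameLength(double ref, double a, double b) {
  return std::fabs((b - a) - ref) <= 1.0e-9 * (1.0 + std::fabs(ref));
}

// Pre-fix pattern: take the address of the first knot once, then walk with raw
// pointer arithmetic rebased to logical indices. Nothing checks that
// FromK1 + 1 .. ToK2 lie inside the array, so a bad range reads whatever
// follows the knots (here: kPoison) and silently misclassifies.
KnotForm KnotFormPointerWalk(const KnotArray1& Knots, int FromK1, int ToK2) {
  const double* pkn = &Knots(Knots.Lower());
  const int base = Knots.Lower();
  const double DU0 = pkn[FromK1 + 1 - base] - pkn[FromK1 - base];  // unchecked
  for (int i = FromK1 + 1; i < ToK2; ++i) {
    if (!sameLength(DU0, pkn[i - base], pkn[i + 1 - base]))        // unchecked
      return KnotForm::NonUniform;
  }
  return KnotForm::Uniform;
}

// Indexing only: every access goes through operator(), so an out-of-range
// index throws std::out_of_range instead of reading garbage. A degenerate
// single-knot range still throws, because Knots(FromK1 + 1) is read.
KnotForm KnotFormIndexed(const KnotArray1& Knots, int FromK1, int ToK2) {
  const double DU0 = Knots(FromK1 + 1) - Knots(FromK1);
  for (int i = FromK1 + 1; i < ToK2; ++i) {
    if (!sameLength(DU0, Knots(i), Knots(i + 1)))
      return KnotForm::NonUniform;
  }
  return KnotForm::Uniform;
}

// Indexing plus the degenerate-case check the commit message describes: fewer
// than two knots in range means there is no interval to compare, so answer
// before Knots(FromK1 + 1) is ever touched.
KnotForm KnotFormChecked(const KnotArray1& Knots, int FromK1, int ToK2) {
  if (ToK2 - FromK1 < 1)
    return KnotForm::Uniform;
  return KnotFormIndexed(Knots, FromK1, ToK2);
}

// Probe: does the indexing-only variant throw for this range?
bool IndexedThrows(const KnotArray1& Knots, int FromK1, int ToK2) {
  try {
    (void)KnotFormIndexed(Knots, FromK1, ToK2);
    return false;
  } catch (const std::out_of_range&) {
    return true;
  }
}

int main() {
  const KnotArray1 three(1, {0.0, 1.0, 2.0});  // Upper() == 3
  const KnotArray1 single(1, {0.0});           // Upper() == 1
  // Range 1..4 runs one past the end: the pointer walk reads kPoison and
  // reports NonUniform; the indexed variant throws; the checked variant
  // handles the single-knot range without touching index 2.
  std::cout << "pointer walk misclassifies: "
            << (KnotFormPointerWalk(three, 1, 4) == KnotForm::NonUniform)
            << "\nindexed throws: " << IndexedThrows(three, 1, 4)
            << "\nchecked single knot uniform: "
            << (KnotFormChecked(single, 1, 1) == KnotForm::Uniform) << '\n';
  return 0;
}
```

The two failure modes map to the two sentences of the commit message: replacing the pointer walk with the indexing operator turns a silent garbage read into a thrown std::out_of_range, and the explicit degenerate-case check keeps a legitimate single-knot range from hitting that exception at all.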
(0063311) msv, 2017-02-01 17:17
Please test.
(0063390) apv, 2017-02-03 13:53
Dear BugMaster,

Branch CR28327 from occt git-repository (and master from products git-repository) was compiled on Linux, MacOS and Windows platforms and tested.
SHA-1: 511348a5de706af9b501b7c793cb09d40636d599

Number of compiler warnings:
occt component:
   Linux: 0 (0 on master)
   Windows: 0 (0 on master)
   MacOS: 0 (0 on master)
products component:
   Linux: 63
   Windows: 0
   MacOS: 1146

Regressions/Differences:
Not detected

Testing cases:
Not needed

Testing on Linux:
Total MEMORY difference: 92389727 / 92303976 [+0.09%]
Total CPU difference: 19771.190000000177 / 19914.260000000217 [-0.72%]

Testing on Windows:
Total MEMORY difference: 57618548 / 57618048 [+0.00%]
Total CPU difference: 18559.04896749855 / 18683.178963198647 [-0.66%]
(0064510) git, 2017-03-20 14:36
Branch CR28327 has been deleted by inv.

SHA-1: 511348a5de706af9b501b7c793cb09d40636d599