MantisBT
ID: 0023843
Project: Community
Category: [OCCT] OCCT:Foundation Classes
View Status: public
Date Submitted: 2013-03-20 12:45
Last Update: 2013-12-19 13:55
Reporter: Pawel
Assigned To: omy
Priority: normal
Severity: minor
Status: closed
Resolution: fixed
Platform: A
OS: L
OS Version: L
Product Version: [OCCT] 6.5.4
Target Version: [OCCT] 6.7.0
Fixed in Version: [OCCT] 6.7.0
Summary: 0023843: scanf without field width limits can crash with huge input data.
Description: Problem occurs in multiple files in TKernel, TKAdvTools and TKVoxel (consult the attached image for details).

cppcheck message:

Summary: scanf without field width limits can crash with huge input data.
Message: scanf without field width limits can crash with huge input data. Add a field width specifier to fix this problem:
    %s => %20s

Sample program that can crash:

#include <stdio.h>
int main()
{
    char c[5];
    scanf("%s", c);
    return 0;
}

To make it crash, type in more than 5 characters.
Tags: No tags attached.
Test case number: Not needed
Attached Files: scanf_warning.png (35,146 bytes) 2013-03-20 12:45

- Relationships
parent of 0023996 (closed, Pawel): Width 50 given in format string (no. 2) is larger than destination buffer 'vale[50]'

-  Notes
(0023827)
omy (developer)
2013-03-20 17:42

Dear abv,
I've pushed a fix into branch CR23843.
Please, review.
(0023828)
abv (manager)
2013-03-21 10:47

When using memset(), it is preferable to use sizeof() to get size of the buffer instead of using hard-coded value; this would prevent possible errors due to different size used in the call and in the buffer declaration (like in Units_UnitsDictionary.cxx, line 164, or Units_Lexicon.cxx, line 92). The same applies to other calls.

In calls to getline() or sprintf() do not forget that the last symbol in the buffer should be reserved for end-of-string symbol ('\0'), thus in most cases number of bytes allowed to be put in the buffer should be its size -1.
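
Added example (not part of the issue thread or of the OCCT sources): the cppcheck advice from the description and the review remarks above, combined in one bounded parser that derives the scanf width from the buffer declaration, uses sizeof() instead of a repeated constant, and rejects over-long input instead of truncating it. NAME_LEN, struct entry, parse_entry and format_entry are hypothetical names, and the sample lines are constructed.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define NAME_LEN 8      /* hypothetical limit: name characters, not counting '\0' */
#define STR2(x) #x
#define STR(x) STR2(x)  /* NAME_LEN -> "8" inside the format string */

struct entry {
    char   name[NAME_LEN + 1];   /* +1 reserves the last byte for '\0' */
    double value;
};

/* Parse "<name> <value>": 0 on success, -1 if malformed, -2 if the name
 * does not fit (rejected instead of being silently truncated). */
int parse_entry(const char *line, struct entry *e)
{
    int used = 0;
    memset(e, 0, sizeof(*e));    /* sizeof, not a hard-coded byte count */
    /* The width bounds the write to NAME_LEN characters plus '\0'. */
    if (sscanf(line, "%" STR(NAME_LEN) "s%n", e->name, &used) != 1)
        return -1;
    /* Token continues past the width: the name was too long. */
    if (line[used] != '\0' && !isspace((unsigned char)line[used]))
        return -2;
    return sscanf(line + used, "%lf", &e->value) == 1 ? 0 : -1;
}

/* snprintf() takes the full buffer size and writes the '\0' itself;
 * a return value >= dst_size means the output was truncated. */
int format_entry(const struct entry *e, char *dst, size_t dst_size)
{
    int n = snprintf(dst, dst_size, "%s=%.2f", e->name, e->value);
    return (n < 0 || (size_t)n >= dst_size) ? -1 : n;
}

int main(void)
{
    /* Constructed sample lines: valid, over-long name, missing value. */
    const char *samples[] = { "steel 7.85", "ABCDEFGH123 4", "steel" };
    struct entry e;
    char out[16];
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        int rc = parse_entry(samples[i], &e);
        if (rc == 0) rc = format_entry(&e, out, sizeof(out));
        printf("%-14s -> %s (rc=%d)\n", samples[i], rc > 0 ? out : "rejected", rc);
    }
    return 0;
}
```

The %n check matters because a width alone only stops the overflow: without it, "ABCDEFGH123 4" would parse as name "ABCDEFGH" with value 123.
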
(0023832)
omy (developer)
2013-03-21 15:18

Dear abv,
I've fixed the mistakes you mentioned above.
Please, review.
(0023949)
abv (manager)
2013-04-01 13:23

In Interface_Static.cxx, please make variable defmess local (not global static).
In Voxel_Reader.cxx, please correct sizes of the buffers vs. sprintf() formats.
(0023962)
omy (developer)
2013-04-02 12:00

Dear abv,
The branch was rebased onto current master and includes the last fixes you asked about.
Please, review.
(0023988)
abv (manager)
2013-04-04 06:53

No remarks, please test
(0024026)
mkv (tester)
2013-04-05 21:21

Dear BugMaster,

Branch CR23843_1 (and products from GIT master) was compiled on Linux and Windows platforms and tested without rebase.
SHA-1: 71326b29c26aa0ffed9ca44259104fdbbfdad520

Number of compiler warnings:

occt component :
Linux: 4 (3 on master) - Interface
Windows: 13 (11 on master) - Interface
http://jenkins-test-01.nnov.opencascade.com:8080/user/mnt/my-views/view/Warnings/job/mnt-CR23843_1-master_build_occt_linux/1/warnings12Result/?
http://jenkins-test-01.nnov.opencascade.com:8080/user/mnt/my-views/view/CR23843_1/job/mnt-CR23843_1-master_build_occt_windows/1/warnings23Result/new/?

products component :
Linux: 0 (0 on master)
Windows: 50 (50 on master)

Regressions:
No regressions

Improvements:
No improvements

Testing cases:
Not needed

Testing on Linux:
Total MEMORY difference: 238921008 / 238903524
Total CPU difference: 16961.850000000173 / 16289.690000000137

Testing on Windows:
Total MEMORY difference: 351039052 / 351749312
Total CPU difference: 20966.171875 / 20720.78125

There are no serious differences in images found by testdiff.
(0024044)
omy (developer)
2013-04-09 14:31

Dear abv,
I've fixed the noticed compiler warning.
Please, review.
(0024045)
abv (manager)
2013-04-09 14:47

Please restore defmess as static in Interface_Static.cxx... I did not realize it was used in return statements
(0024047)
omy (developer)
2013-04-09 14:57

Dear abv,
I've reverted the changes in the file.
Please, review.
(0024048)
abv (manager)
2013-04-09 15:13

No remarks, please test
(0024141)
apn (administrator)
2013-04-15 17:26

Dear BugMaster,

Branch CR23843_1 (and products from GIT master) was compiled on Linux and Windows platforms and tested with rebase.
SHA-1: a6845d08b96c648d3bc0f7d10841b15fafc31403

Number of compiler warnings:

occt component :
Linux: 2 (2 on master)
Windows: 1 (11 on master)

products component :
Linux: 0 (0 on master)
Windows: 50 (50 on master)

Regressions:
No regressions

Improvements:
No improvements

Testing cases:
Not needed

Testing on Linux:
Total MEMORY difference: 244700820 / 244823288
Total CPU difference: 13744.750000000071 / 19944.249999999734

Testing on Windows:
Total MEMORY difference: 356203372 / 355731632
Total CPU difference: 16812.65625 / 20857.28125

There are no serious differences in images found by testdiff.

- Related Changesets
occt: master d0e4e578
Timestamp: 2013-04-26 11:29:28
Author: omy
0023843: scanf without field width limits can crash with huge input data.

Corrected width specifiers and use of buffer arrays in *printf and *scanf functions.
Removed unreferenced variable warning.
Got rid of compiler warning (returning address of local variable or temporary).
mod - src/Dynamic/Dynamic_FuzzyDefinitionsDictionary.cxx
mod - src/Dynamic/Dynamic_MethodDefinitionsDictionary.cxx
mod - src/Interface/Interface_Static.cxx
mod - src/Materials/Materials_MaterialDefinition.cxx
mod - src/Materials/Materials_MaterialsDictionary.cxx
mod - src/Units/Units_Lexicon.cxx
mod - src/Units/Units_UnitsDictionary.cxx
mod - src/Voxel/Voxel_Reader.cxx

- Issue History
Date Modified Username Field Change
2013-03-20 12:45 Pawel New Issue
2013-03-20 12:45 Pawel Assigned To => bugmaster
2013-03-20 12:45 Pawel File Added: scanf_warning.png
2013-03-20 12:55 abv Assigned To bugmaster => omy
2013-03-20 12:55 abv Status new => assigned
2013-03-20 12:55 abv Target Version => 6.7.0
2013-03-20 17:42 omy Note Added: 0023827
2013-03-20 17:42 omy Assigned To omy => abv
2013-03-20 17:42 omy Status assigned => resolved
2013-03-21 10:47 abv Note Added: 0023828
2013-03-21 10:47 abv Assigned To abv => omy
2013-03-21 10:47 abv Status resolved => assigned
2013-03-21 15:18 omy Note Added: 0023832
2013-03-21 15:18 omy Assigned To omy => abv
2013-03-21 15:18 omy Status assigned => resolved
2013-04-01 13:23 abv Note Added: 0023949
2013-04-01 13:23 abv Assigned To abv => omy
2013-04-01 13:23 abv Status resolved => assigned
2013-04-02 12:00 omy Note Added: 0023962
2013-04-02 12:00 omy Assigned To omy => abv
2013-04-02 12:00 omy Status assigned => resolved
2013-04-04 06:53 abv Note Added: 0023988
2013-04-04 06:53 abv Assigned To abv => bugmaster
2013-04-04 06:53 abv Status resolved => reviewed
2013-04-04 14:52 mkv Assigned To bugmaster => mkv
2013-04-05 21:21 mkv Note Added: 0024026
2013-04-05 21:22 mkv Test case number => Not needed
2013-04-05 21:22 mkv Assigned To mkv => omy
2013-04-05 21:22 mkv Status reviewed => assigned
2013-04-09 14:31 omy Note Added: 0024044
2013-04-09 14:31 omy Assigned To omy => abv
2013-04-09 14:31 omy Status assigned => resolved
2013-04-09 14:47 abv Note Added: 0024045
2013-04-09 14:47 abv Assigned To abv => omy
2013-04-09 14:47 abv Status resolved => assigned
2013-04-09 14:57 omy Note Added: 0024047
2013-04-09 14:57 omy Assigned To omy => abv
2013-04-09 14:57 omy Status assigned => resolved
2013-04-09 15:13 abv Note Added: 0024048
2013-04-09 15:13 abv Assigned To abv => bugmaster
2013-04-09 15:13 abv Status resolved => reviewed
2013-04-12 15:45 apn Assigned To bugmaster => apn
2013-04-15 17:26 apn Note Added: 0024141
2013-04-15 17:26 apn Assigned To apn => bugmaster
2013-04-15 17:26 apn Status reviewed => tested
2013-04-30 10:28 omy Changeset attached => occt master d0e4e578
2013-04-30 10:28 omy Assigned To bugmaster => omy
2013-04-30 10:28 omy Status tested => verified
2013-04-30 10:28 omy Resolution open => fixed
2013-05-27 13:10 Pawel Relationship added parent of 0023996
2013-12-19 13:53 bugmaster Status verified => closed
2013-12-19 13:55 bugmaster Fixed in Version => 6.7.0

