0025860: Buffer overrun in TopTools_ShapeSet::Read

ID	Project	Category	View Status	Date Submitted	Last Update

0025860	Community	OCCT:Modeling Data	public	2015-02-25 04:04	2016-07-22 12:00

Reporter	Aaron Michalk	Assigned To	bugmaster
Priority	normal	Severity	crash
Status	closed	Resolution	fixed
Platform	Windows	OS	VC++ 2013
Product Version	6.8.0
Target Version	6.9.0	Fixed in Version	6.9.0

Summary	0025860: Buffer overrun in TopTools_ShapeSet::Read
Description	I have observed an occasional crash with the following code in TopTools_ShapeSet::Read: for (Standard_Size lv = (strlen(vers)- 1); lv > 1 && (vers[lv] == '\r' \|\| vers[lv] == '\n') ;lv--) vers[lv] = '\0'; The problem is that strlen(vers) returns 0 for the first line of a written shape. The variable lv gets assigned the value 4294967295 in 32 bit.
Steps To Reproduce	Write a shape and read it back in while stepping through in the debugger. example in Draw: box a 1 1 1 save a restore a
Additional information and documentation updates	I suggest the following replacement: if (vers[0] != '\0') { for (Standard_Size lv = (strlen(vers)- 1); lv > 1 && (vers[lv] == '\r' \|\| vers[lv] == '\n') ;lv--) vers[lv] = '\0'; }
Tags	No tags attached.

Test case number	Not needed

~~msv~~ 2015-03-02 11:34 developer ~0037986	Dear Aaron, Please provide more details to reproduce this problem. A draw script or a simple main program would be appreciated. What is a shape? If it is a special one, please provide it too.

git 2015-03-02 16:06 administrator ~0038003	Branch CR25860 has been created by msv. SHA-1: 66e9f14ff1ed4edfa6aabf211e312bd37e8569ae Detailed log of new commits: Author: msv Date: Mon Mar 2 16:06:30 2015 +0300 0025860: Buffer overrun in TopTools_ShapeSet::Read Avoid out of array bounds read/write.

~~msv~~ 2015-03-02 16:12 developer ~0038004	In regular conditions the exception does not occur (it depends on the value contained in vers[-1]). Therefore not need in creation of test case for OCC database. I have adopted the proposed patch and put it in the branch CR25860.

~~msv~~ 2015-03-02 16:13 developer ~0038005	Please test.

~~mkv~~ 2015-03-04 18:39 tester ~0038107	Dear BugMaster, Branch CR25860 from occt git-repository (and master from products git-repository) was compiled on Linux, MacOS and Windows platforms and tested on Release mode. SHA-1: 66e9f14ff1ed4edfa6aabf211e312bd37e8569ae Number of compiler warnings: occt component : Linux: 18 (18 on master) Windows: 2 (2 on master) products component : Linux: 11 (11 on master) Windows: 0 (4 on master) Regressions/Differences: No regressions/differences Testing cases: Not needed Testing on Linux: occt component : Total MEMORY difference: 91907831 / 91851071 Total CPU difference: 59405.63999999993 / 59519.03999999998 products component : Total MEMORY difference: 23624941 / 23611884 Total CPU difference: 16705.03999999998 / 16674.609999999982 Testing on Windows: occt component : Total MEMORY difference: 57944744 / 57944267 Total CPU difference: 34618.5 / 38926.375 products component : Total MEMORY difference: 16205673 / 16209637 Total CPU difference: 13028.546875 / 9535.171875 There are no differences in images found by testdiff.

git 2015-03-18 13:39 administrator ~0038620	Branch CR25860 has been deleted by inv. SHA-1: 66e9f14ff1ed4edfa6aabf211e312bd37e8569ae

Date Modified	Username	Field	Change
2015-02-25 04:04	Aaron Michalk	New Issue
2015-02-25 04:04	Aaron Michalk	Assigned To	=> msv
2015-03-02 11:34	~~msv~~	Note Added: 0037986
2015-03-02 11:34	~~msv~~	Assigned To	msv => Aaron Michalk
2015-03-02 11:34	~~msv~~	Status	new => feedback
2015-03-02 16:06	git	Note Added: 0038003
2015-03-02 16:12	~~msv~~	Note Added: 0038004
2015-03-02 16:12	~~msv~~	Assigned To	Aaron Michalk => msv
2015-03-02 16:12	~~msv~~	Status	feedback => resolved
2015-03-02 16:12	~~msv~~	Steps to Reproduce Updated
2015-03-02 16:13	~~msv~~	Note Added: 0038005
2015-03-02 16:13	~~msv~~	Assigned To	msv => bugmaster
2015-03-02 16:13	~~msv~~	Status	resolved => reviewed
2015-03-02 17:03	~~mkv~~	Assigned To	bugmaster => mkv
2015-03-04 18:39	~~mkv~~	Note Added: 0038107
2015-03-04 18:39	~~mkv~~	Assigned To	mkv => bugmaster
2015-03-04 18:39	~~mkv~~	Status	reviewed => tested
2015-03-04 18:39	~~mkv~~	Test case number	=> Not needed
2015-03-06 15:13	bugmaster	Changeset attached	=> occt master 5149c3f3
2015-03-06 15:13	bugmaster	Status	tested => verified
2015-03-06 15:13	bugmaster	Resolution	open => fixed
2015-03-10 13:00	bugmaster	Target Version	=> 6.9.0
2015-03-18 13:39	git	Note Added: 0038620
2015-05-14 15:28	~~aiv~~	Status	verified => closed
2015-05-14 15:31	~~aiv~~	Fixed in Version	=> 6.9.0

occt: master 5149c3f3 2015-03-02 13:06:30 ~~msv~~ Committer: bugmaster Details Diff	0025860: Buffer overrun in TopTools_ShapeSet::Read Avoid out of array bounds read/write.		Affected Issues 0025860
	mod - src/TopTools/TopTools_ShapeSet.cxx		Diff File

View Issue Details

Activities

Related Changesets

Issue History