MantisBT

ID: 0025860
Project: Community
Category: [OCCT] OCCT:Modeling Data
View Status: public
Date Submitted: 2015-02-25 04:04
Last Update: 2016-07-22 12:00
Reporter: Aaron Michalk
Assigned To: bugmaster
Priority: normal
Severity: crash
Status: closed
Resolution: fixed
Platform: Windows
OS: VC++ 2013
OS Version: 64 bit
Product Version: [OCCT] 6.8.0
Target Version: [OCCT] 6.9.0
Fixed in Version: [OCCT] 6.9.0
Summary: 0025860: Buffer overrun in TopTools_ShapeSet::Read
Description: I have observed an occasional crash with the following code in TopTools_ShapeSet::Read:

    for (Standard_Size lv = (strlen(vers)- 1); lv > 1 && (vers[lv] == '\r' || vers[lv] == '\n') ;lv--)
      vers[lv] = '\0';

The problem is that strlen(vers) returns 0 for the first line of a written shape. The variable lv gets assigned the value 4294967295 in 32 bit.
Steps To Reproduce: Write a shape and read it back in while stepping through in the debugger.

example in Draw:

box a 1 1 1
save a
restore a
Additional information and documentation updates: I suggest the following replacement:

    if (vers[0] != '\0') {
      for (Standard_Size lv = (strlen(vers)- 1); lv > 1 && (vers[lv] == '\r' || vers[lv] == '\n') ;lv--)
        vers[lv] = '\0';
    }
Tags: No tags attached.
Test case number: Not needed
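
The underflow reported above, as an added example in C that is not part of the original report or the OCCT sources: it shows the start index the loop computes for an empty line, models which bytes in front of the buffer the loop then touches, and gives a length-based trim that cannot wrap. The names `original_start_index`, `original_trim_model`, `trim_eol` and the `arena` layout are constructed for illustration; the model assumes a flat address space, where `vers[SIZE_MAX]` resolves to the byte just before `vers`.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Start index exactly as the reported loop computes it. strlen() returns an
   unsigned size_t, so an empty line gives 0 - 1 == SIZE_MAX, not -1. */
size_t original_start_index(const char *vers) {
    return strlen(vers) - 1;
}

/* Model of the reported loop for a line stored at arena[base]. The wrapped
   index is added to base in unsigned arithmetic (base + SIZE_MAX == base - 1),
   so the demo reproduces the out-of-line accesses while staying inside arena.
   Returns how many bytes in front of the line were overwritten. */
size_t original_trim_model(char *arena, size_t arena_len, size_t base) {
    size_t clobbered = 0;
    for (size_t lv = strlen(arena + base) - 1; lv > 1; lv--) {
        size_t pos = base + lv;
        if (pos >= arena_len || (arena[pos] != '\r' && arena[pos] != '\n'))
            break;
        arena[pos] = '\0';
        if (pos < base)
            clobbered++;
    }
    return clobbered;
}

/* Length-based trim: an index is only formed after len has been checked, so
   nothing can wrap. "len > 2" mirrors the "lv > 1" bound of the page's loop. */
size_t trim_eol(char *vers) {
    size_t len = strlen(vers);
    while (len > 2 && (vers[len - 1] == '\r' || vers[len - 1] == '\n'))
        vers[--len] = '\0';
    return len;
}

int main(void) {
    char arena[16] = {0};   /* constructed layout: "\n\r" sits before the line */
    arena[6] = '\n';
    arena[7] = '\r';        /* arena[8] == '\0': the empty first line */
    printf("start index for empty line: %zu\n", original_start_index(""));
    printf("bytes clobbered before line: %zu\n",
           original_trim_model(arena, sizeof arena, 8));
    printf("trim_eol on empty line returns %zu\n", trim_eol(arena + 8));
    return 0;
}
```

Whether the original loop writes anything depends on the bytes that happen to precede the buffer, which is why the crash is only occasional.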
Attached Files

- Relationships

-  Notes
(0037986)
msv (developer)
2015-03-02 11:34

Dear Aaron,
Please provide more details to reproduce this problem. A draw script or a simple main program would be appreciated. What is a shape? If it is a special one, please provide it too.
(0038003)
git (administrator)
2015-03-02 16:06

Branch CR25860 has been created by msv.

SHA-1: 66e9f14ff1ed4edfa6aabf211e312bd37e8569ae


Detailed log of new commits:

Author: msv
Date: Mon Mar 2 16:06:30 2015 +0300

    0025860: Buffer overrun in TopTools_ShapeSet::Read
    
    Avoid out of array bounds read/write.
(0038004)
msv (developer)
2015-03-02 16:12

In regular conditions the exception does not occur (it depends on the value contained in vers[-1]). Therefore there is no need to create a test case for the OCC database.

I have adopted the proposed patch and put it in the branch CR25860.
(0038005)
msv (developer)
2015-03-02 16:13

Please test.
(0038107)
mkv (tester)
2015-03-04 18:39

Dear BugMaster,
Branch CR25860 from occt git-repository (and master from products git-repository) was compiled on Linux, MacOS and Windows platforms and tested in Release mode.
SHA-1: 66e9f14ff1ed4edfa6aabf211e312bd37e8569ae

Number of compiler warnings:

occt component :
Linux: 18 (18 on master)
Windows: 2 (2 on master)

products component :
Linux: 11 (11 on master)
Windows: 0 (4 on master)

Regressions/Differences:
No regressions/differences

Testing cases:
Not needed

Testing on Linux:
occt component :
Total MEMORY difference: 91907831 / 91851071
Total CPU difference: 59405.63999999993 / 59519.03999999998
products component :
Total MEMORY difference: 23624941 / 23611884
Total CPU difference: 16705.03999999998 / 16674.609999999982

Testing on Windows:
occt component :
Total MEMORY difference: 57944744 / 57944267
Total CPU difference: 34618.5 / 38926.375
products component :
Total MEMORY difference: 16205673 / 16209637
Total CPU difference: 13028.546875 / 9535.171875

There are no differences in images found by testdiff.
(0038620)
git (administrator)
2015-03-18 13:39

Branch CR25860 has been deleted by inv.

SHA-1: 66e9f14ff1ed4edfa6aabf211e312bd37e8569ae

- Related Changesets
occt: master 5149c3f3
Timestamp: 2015-03-02 13:06:30
Author: msv
Committer: bugmaster
0025860: Buffer overrun in TopTools_ShapeSet::Read

Avoid out of array bounds read/write.
mod - src/TopTools/TopTools_ShapeSet.cxx

- Issue History
Date Modified Username Field Change
2015-02-25 04:04 Aaron Michalk New Issue
2015-02-25 04:04 Aaron Michalk Assigned To => msv
2015-03-02 11:34 msv Note Added: 0037986
2015-03-02 11:34 msv Assigned To msv => Aaron Michalk
2015-03-02 11:34 msv Status new => feedback
2015-03-02 16:06 git Note Added: 0038003
2015-03-02 16:12 msv Note Added: 0038004
2015-03-02 16:12 msv Assigned To Aaron Michalk => msv
2015-03-02 16:12 msv Status feedback => resolved
2015-03-02 16:12 msv Steps to Reproduce Updated
2015-03-02 16:13 msv Note Added: 0038005
2015-03-02 16:13 msv Assigned To msv => bugmaster
2015-03-02 16:13 msv Status resolved => reviewed
2015-03-02 17:03 mkv Assigned To bugmaster => mkv
2015-03-04 18:39 mkv Note Added: 0038107
2015-03-04 18:39 mkv Assigned To mkv => bugmaster
2015-03-04 18:39 mkv Status reviewed => tested
2015-03-04 18:39 mkv Test case number => Not needed
2015-03-06 15:13 bugmaster Changeset attached => occt master 5149c3f3
2015-03-06 15:13 bugmaster Status tested => verified
2015-03-06 15:13 bugmaster Resolution open => fixed
2015-03-10 13:00 bugmaster Target Version => 6.9.0
2015-03-18 13:39 git Note Added: 0038620
2015-05-14 15:28 user533 Status verified => closed
2015-05-14 15:31 user533 Fixed in Version => 6.9.0
2016-07-22 12:00 msv Relationship added related to 0027703

