Anonymous | Login | 2021-01-16 23:24 MSK | ![]() |
My View | View Issues | Change Log | Roadmap |
View Issue Details [ Jump to Notes ] [ Related Changesets ] | [ Issue History ] [ Print ] | ||||||||
ID | Project | Category | View Status | Date Submitted | Last Update | ||||
0025860 | Community | [OCCT] OCCT:Modeling Data | public | 2015-02-25 04:04 | 2016-07-22 12:00 | ||||
Reporter | Aaron Michalk | ||||||||
Assigned To | bugmaster | ||||||||
Priority | normal | Severity | crash | ||||||
Status | closed | Resolution | fixed | ||||||
Platform | Windows | OS | VC++ 2013 | OS Version | 64 bit | ||||
Product Version | [OCCT] 6.8.0 | ||||||||
Target Version | [OCCT] 6.9.0 | Fixed in Version | [OCCT] 6.9.0 | ||||||
Summary | 0025860: Buffer overrun in TopTools_ShapeSet::Read | ||||||||
Description | I have observed an occasional crash with the following code in TopTools_ShapeSet::Read: for (Standard_Size lv = (strlen(vers)- 1); lv > 1 && (vers[lv] == '\r' || vers[lv] == '\n') ;lv--) vers[lv] = '\0'; The problem is that strlen(vers) returns 0 for the first line of a written shape. The variable lv gets assigned the value 4294967295 in 32 bit. | ||||||||
Steps To Reproduce | Write a shape and read it back in while stepping through in the debugger. example in Draw: box a 1 1 1 save a restore a | ||||||||
Additional information and documentation updates | I suggest the following replacement: if (vers[0] != '\0') { for (Standard_Size lv = (strlen(vers)- 1); lv > 1 && (vers[lv] == '\r' || vers[lv] == '\n') ;lv--) vers[lv] = '\0'; } | ||||||||
Tags | No tags attached. | ||||||||
Test case number | Not needed | ||||||||
Attached Files | |||||||||
![]() |
|
(0037986) msv (developer) 2015-03-02 11:34 |
Dear Aaron, Please provide more details to reproduce this problem. A draw script or a simple main program would be appreciated. What is a shape? If it is a special one, please provide it too. |
(0038003) git (administrator) 2015-03-02 16:06 |
Branch CR25860 has been created by msv. SHA-1: 66e9f14ff1ed4edfa6aabf211e312bd37e8569ae Detailed log of new commits: Author: msv Date: Mon Mar 2 16:06:30 2015 +0300 0025860: Buffer overrun in TopTools_ShapeSet::Read Avoid out of array bounds read/write. |
(0038004) msv (developer) 2015-03-02 16:12 |
In regular conditions the exception does not occur (it depends on the value contained in vers[-1]). Therefore not need in creation of test case for OCC database. I have adopted the proposed patch and put it in the branch CR25860. |
(0038005) msv (developer) 2015-03-02 16:13 |
Please test. |
(0038107) mkv (tester) 2015-03-04 18:39 |
Dear BugMaster, Branch CR25860 from occt git-repository (and master from products git-repository) was compiled on Linux, MacOS and Windows platforms and tested on Release mode. SHA-1: 66e9f14ff1ed4edfa6aabf211e312bd37e8569ae Number of compiler warnings: occt component : Linux: 18 (18 on master) Windows: 2 (2 on master) products component : Linux: 11 (11 on master) Windows: 0 (4 on master) Regressions/Differences: No regressions/differences Testing cases: Not needed Testing on Linux: occt component : Total MEMORY difference: 91907831 / 91851071 Total CPU difference: 59405.63999999993 / 59519.03999999998 products component : Total MEMORY difference: 23624941 / 23611884 Total CPU difference: 16705.03999999998 / 16674.609999999982 Testing on Windows: occt component : Total MEMORY difference: 57944744 / 57944267 Total CPU difference: 34618.5 / 38926.375 products component : Total MEMORY difference: 16205673 / 16209637 Total CPU difference: 13028.546875 / 9535.171875 There are no differences in images found by testdiff. |
(0038620) git (administrator) 2015-03-18 13:39 |
Branch CR25860 has been deleted by inv. SHA-1: 66e9f14ff1ed4edfa6aabf211e312bd37e8569ae |
![]() |
|||
occt: master 5149c3f3
Timestamp: 2015-03-02 13:06:30 Author: msv Committer: bugmaster [ Details ] [ Diff ] |
0025860: Buffer overrun in TopTools_ShapeSet::Read Avoid out of array bounds read/write. |
||
mod - src/TopTools/TopTools_ShapeSet.cxx | [ Diff ] [ File ] | ||
![]() |
|||
Date Modified | Username | Field | Change |
2015-02-25 04:04 | Aaron Michalk | New Issue | |
2015-02-25 04:04 | Aaron Michalk | Assigned To | => msv |
2015-03-02 11:34 | msv | Note Added: 0037986 | |
2015-03-02 11:34 | msv | Assigned To | msv => Aaron Michalk |
2015-03-02 11:34 | msv | Status | new => feedback |
2015-03-02 16:06 | git | Note Added: 0038003 | |
2015-03-02 16:12 | msv | Note Added: 0038004 | |
2015-03-02 16:12 | msv | Assigned To | Aaron Michalk => msv |
2015-03-02 16:12 | msv | Status | feedback => resolved |
2015-03-02 16:12 | msv | Steps to Reproduce Updated | View Revisions |
2015-03-02 16:13 | msv | Note Added: 0038005 | |
2015-03-02 16:13 | msv | Assigned To | msv => bugmaster |
2015-03-02 16:13 | msv | Status | resolved => reviewed |
2015-03-02 17:03 | mkv | Assigned To | bugmaster => mkv |
2015-03-04 18:39 | mkv | Note Added: 0038107 | |
2015-03-04 18:39 | mkv | Assigned To | mkv => bugmaster |
2015-03-04 18:39 | mkv | Status | reviewed => tested |
2015-03-04 18:39 | mkv | Test case number | => Not needed |
2015-03-06 15:13 | bugmaster | Changeset attached | => occt master 5149c3f3 |
2015-03-06 15:13 | bugmaster | Status | tested => verified |
2015-03-06 15:13 | bugmaster | Resolution | open => fixed |
2015-03-10 13:00 | bugmaster | Target Version | => 6.9.0 |
2015-03-18 13:39 | git | Note Added: 0038620 | |
2015-05-14 15:28 | aiv | Status | verified => closed |
2015-05-14 15:31 | aiv | Fixed in Version | => 6.9.0 |
2016-07-22 12:00 | msv | Relationship added | related to 0027703 |
Copyright © 2000 - 2021 MantisBT Team |