View Issue Details

ID: 0025860
Project: Community
Category: OCCT:Modeling Data
View Status: public
Last Update: 2016-07-22 12:00
Reporter: Aaron Michalk
Assigned To: bugmaster
Priority: normal
Severity: crash
Status: closed
Resolution: fixed
Platform: Windows
OS: VC++ 2013
Product Version: 6.8.0
Target Version: 6.9.0
Fixed in Version: 6.9.0
Summary: 0025860: Buffer overrun in TopTools_ShapeSet::Read
Description: I have observed an occasional crash with the following code in TopTools_ShapeSet::Read:

    for (Standard_Size lv = (strlen(vers)- 1); lv > 1 && (vers[lv] == '\r' || vers[lv] == '\n') ;lv--)
      vers[lv] = '\0';

The problem is that strlen(vers) returns 0 for the first line of a written shape. The variable lv gets assigned the value 4294967295 in 32 bit.
Steps To Reproduce: Write a shape and read it back in while stepping through in the debugger.

example in Draw:

    box a 1 1 1
    save a
    restore a
Additional information and documentation updates: I suggest the following replacement:

    if (vers[0] != '\0') {
      for (Standard_Size lv = (strlen(vers)- 1); lv > 1 && (vers[lv] == '\r' || vers[lv] == '\n') ;lv--)
        vers[lv] = '\0';
    }
Tags: No tags attached.
Test case number: Not needed
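
The wrap described in the report, as an added example that is not part of the original issue or of OCCT's code: the first function runs the reported loop against a small modelled buffer (PAD, CAP and the canary bytes are constructed for illustration) to show why the crash depends on the byte in front of vers, and trim_trailing_eol is one underflow-free alternative. Unlike the loop in the report, which stops at lv > 1, the alternative also strips line endings at indices 0 and 1.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define PAD ((size_t)4)   /* constructed: canary bytes in front of the line buffer */
#define CAP ((size_t)16)  /* constructed: size of the modelled line buffer */

/* Runs the loop from the report on a line stored at arena[PAD..]. The index
 * arithmetic is unsigned, as in the report, but every access goes through the
 * arena, so a wrapped index lands on a canary byte instead of stray memory.
 * Returns the number of bytes in front of the buffer that were overwritten. */
static int reported_loop_canary_hits(const char *line, char canary)
{
    char arena[PAD + CAP];
    char *vers = arena + PAD;
    int hits = 0;

    memset(arena, canary, PAD);
    strncpy(vers, line, CAP - 1);
    vers[CAP - 1] = '\0';

    for (size_t lv = strlen(vers) - 1;          /* wraps to SIZE_MAX for "" */
         lv > 1 && PAD + lv < sizeof arena      /* bound added for the model only */
                && (arena[PAD + lv] == '\r' || arena[PAD + lv] == '\n');
         lv--) {
        arena[PAD + lv] = '\0';
        if (PAD + lv < PAD)                     /* index landed before vers[0] */
            hits++;
    }
    return hits;
}

/* Underflow-free variant: count down on the length, not on the index. */
static size_t trim_trailing_eol(char *s)
{
    size_t len = strlen(s);
    while (len > 0 && (s[len - 1] == '\r' || s[len - 1] == '\n'))
        s[--len] = '\0';
    return len;
}

int main(void)
{
    char line[] = "version line\r\n";           /* constructed sample line */
    printf("empty line, '\\n' before buffer: %d stray writes\n", reported_loop_canary_hits("", '\n'));
    printf("empty line, 'X' before buffer:  %d stray writes\n", reported_loop_canary_hits("", 'X'));
    printf("trimmed length: %zu\n", trim_trailing_eol(line));
    return 0;
}
```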

Activities

msv

2015-03-02 11:34

developer   ~0037986

Dear Aaron,
Please provide more details to reproduce this problem. A draw script or a simple main program would be appreciated. What is a shape? If it is a special one, please provide it too.

git

2015-03-02 16:06

administrator   ~0038003

Branch CR25860 has been created by msv.

SHA-1: 66e9f14ff1ed4edfa6aabf211e312bd37e8569ae


Detailed log of new commits:

Author: msv
Date: Mon Mar 2 16:06:30 2015 +0300

    0025860: Buffer overrun in TopTools_ShapeSet::Read
    
    Avoid out of array bounds read/write.

msv

2015-03-02 16:12

developer   ~0038004

In regular conditions the exception does not occur (it depends on the value contained in vers[-1]). Therefore there is no need to create a test case for the OCC database.

I have adopted the proposed patch and put it in the branch CR25860.

msv

2015-03-02 16:13

developer   ~0038005

Please test.

mkv

2015-03-04 18:39

tester   ~0038107

Dear BugMaster,
Branch CR25860 from occt git-repository (and master from products git-repository) was compiled on Linux, MacOS and Windows platforms and tested in Release mode.
SHA-1: 66e9f14ff1ed4edfa6aabf211e312bd37e8569ae

Number of compiler warnings:

occt component :
Linux: 18 (18 on master)
Windows: 2 (2 on master)

products component :
Linux: 11 (11 on master)
Windows: 0 (4 on master)

Regressions/Differences:
No regressions/differences

Testing cases:
Not needed

Testing on Linux:
occt component :
Total MEMORY difference: 91907831 / 91851071
Total CPU difference: 59405.63999999993 / 59519.03999999998
products component :
Total MEMORY difference: 23624941 / 23611884
Total CPU difference: 16705.03999999998 / 16674.609999999982

Testing on Windows:
occt component :
Total MEMORY difference: 57944744 / 57944267
Total CPU difference: 34618.5 / 38926.375
products component :
Total MEMORY difference: 16205673 / 16209637
Total CPU difference: 13028.546875 / 9535.171875

There are no differences in images found by testdiff.

git

2015-03-18 13:39

administrator   ~0038620

Branch CR25860 has been deleted by inv.

SHA-1: 66e9f14ff1ed4edfa6aabf211e312bd37e8569ae

Related Changesets

occt: master 5149c3f3

2015-03-02 13:06:30

msv


Committer: bugmaster
0025860: Buffer overrun in TopTools_ShapeSet::Read

Avoid out of array bounds read/write.
Affected Issues
0025860
mod - src/TopTools/TopTools_ShapeSet.cxx

Issue History

Date Modified Username Field Change
2015-02-25 04:04 Aaron Michalk New Issue
2015-02-25 04:04 Aaron Michalk Assigned To => msv
2015-03-02 11:34 msv Note Added: 0037986
2015-03-02 11:34 msv Assigned To msv => Aaron Michalk
2015-03-02 11:34 msv Status new => feedback
2015-03-02 16:06 git Note Added: 0038003
2015-03-02 16:12 msv Note Added: 0038004
2015-03-02 16:12 msv Assigned To Aaron Michalk => msv
2015-03-02 16:12 msv Status feedback => resolved
2015-03-02 16:12 msv Steps to Reproduce Updated
2015-03-02 16:13 msv Note Added: 0038005
2015-03-02 16:13 msv Assigned To msv => bugmaster
2015-03-02 16:13 msv Status resolved => reviewed
2015-03-02 17:03 mkv Assigned To bugmaster => mkv
2015-03-04 18:39 mkv Note Added: 0038107
2015-03-04 18:39 mkv Assigned To mkv => bugmaster
2015-03-04 18:39 mkv Status reviewed => tested
2015-03-04 18:39 mkv Test case number => Not needed
2015-03-06 15:13 bugmaster Changeset attached => occt master 5149c3f3
2015-03-06 15:13 bugmaster Status tested => verified
2015-03-06 15:13 bugmaster Resolution open => fixed
2015-03-10 13:00 bugmaster Target Version => 6.9.0
2015-03-18 13:39 git Note Added: 0038620
2015-05-14 15:28 aiv Status verified => closed
2015-05-14 15:31 aiv Fixed in Version => 6.9.0