View Issue Details

ID: 0028327
Project: Community
Category: OCCT:Modeling Data
View Status: public
Last Update: 2017-09-29 16:24
Reporter: Istvan Csanady
Assigned To: apn
Priority: normal
Severity: crash
Status: closed
Resolution: fixed
Target Version: 7.2.0
Fixed in Version: 7.2.0
Summary: 0028327: BSplCLib can cause memory corruption in degenerated cases
Description: Some methods of BSplCLib are directly using the memory address of the knots array. This can lead to reading invalid memory addresses and/or crashes. If the indexing operator would be used instead, this would just simply lead to throwing an exception instead of reading memory garbage. I am pretty sure that on a modern C++ compiler this would not lead to performance fallback (at least it did not in our case), but indeed it needs more investigation.
Patch is attached.
Steps To Reproduce: Not available
Tags: No tags attached.
Test case number: Not needed

Attached Files

  • use_index_operator.diff (1,418 bytes)

Activities

Istvan Csanady

2016-12-29 20:36

developer  

use_index_operator.diff (1,418 bytes)

msv

2017-02-01 11:32

developer   ~0063280

Istvan, do you have a test case for which BSplCLib::KnotForm goes out of array bounds?

msv

2017-02-01 11:44

developer   ~0063281

I see the similar code for BSplCLib::MultForm, near the line 640.

Istvan Csanady

2017-02-01 16:33

developer   ~0063303

One of our users was trying to import an IGS file, and it always crashed for him. We figured out from the crash logs that this was the problem, but we did not have access to the IGS file.

git

2017-02-01 17:16

administrator   ~0063310

Branch CR28327 has been created by msv.

SHA-1: 511348a5de706af9b501b7c793cb09d40636d599


Detailed log of new commits:

Author: msv
Date: Wed Feb 1 11:35:50 2017 +0300

    0028327: BSplCLib can cause memory corruption in degenerated cases
    
    The code of the methods BSplCLib::KnotForm and BSplCLib::MultForm has been made safe by giving up using of address of array item for iteration on the Array1. Also the checking for degenerated case has been added to prevent out of bounds exception.
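
The two changes named in this commit message (checked indexing instead of iterating from an element's address, plus a degenerate-case guard), shown as an added stand-alone example; it is not OCCT's code and not part of the original issue. `BoundedArray`, `KnotSpacing`, `classify_knots` and `indexed_access_throws` are hypothetical names, and the tolerance and sample knots are constructed.

```cpp
#include <cmath>
#include <cstddef>
#include <cstdio>
#include <stdexcept>
#include <utility>
#include <vector>

// Hypothetical bounds-checked array with an arbitrary lower index (not OCCT's class).
class BoundedArray {
public:
  BoundedArray(int lower, std::vector<double> v) : lower_(lower), data_(std::move(v)) {}
  int Lower() const { return lower_; }
  int Upper() const { return lower_ + static_cast<int>(data_.size()) - 1; }
  double operator()(int i) const {  // checked access: throws instead of reading stray memory
    if (i < Lower() || i > Upper()) throw std::out_of_range("knot index out of range");
    return data_[static_cast<std::size_t>(i - lower_)];
  }
private:
  int lower_;
  std::vector<double> data_;
};

enum class KnotSpacing { Degenerate, Uniform, NonUniform };

// Classify the spacing of knots(from..to) using checked indexing only. The unsafe form
// would read p[1], p[2], ... from `p = &knots(from)` with nothing to stop it at the end.
KnotSpacing classify_knots(const BoundedArray& knots, int from, int to) {
  // Degenerate-case guard: the range must lie inside the array and hold two knots.
  if (from < knots.Lower() || to > knots.Upper() || to - from < 1) return KnotSpacing::Degenerate;
  const double step = knots(from + 1) - knots(from);
  for (int i = from + 1; i < to; ++i) {
    const double d = knots(i + 1) - knots(i);
    if (std::fabs(d - step) > 1e-12 * std::fabs(step))  // constructed tolerance
      return KnotSpacing::NonUniform;
  }
  return KnotSpacing::Uniform;
}

// True when an unguarded checked access raises instead of returning garbage.
bool indexed_access_throws(const BoundedArray& knots, int i) {
  try { (void)knots(i); } catch (const std::out_of_range&) { return true; }
  return false;
}

int main() {
  const BoundedArray one_knot(1, {0.0});  // constructed degenerate input
  std::printf("degenerate=%d throws=%d\n", classify_knots(one_knot, 1, 1) == KnotSpacing::Degenerate,
              indexed_access_throws(one_knot, 2));
}
```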

msv

2017-02-01 17:17

developer   ~0063311

Please test.

apv

2017-02-03 13:53

tester   ~0063390

Dear BugMaster,

Branch CR28327 from occt git-repository (and master from products git-repository) was compiled on Linux, MacOS and Windows platforms and tested.
SHA-1: 511348a5de706af9b501b7c793cb09d40636d599

Number of compiler warnings:
occt component:
   Linux: 0 (0 on master)
   Windows: 0 (0 on master)
   MacOS: 0 (0 on master)
products component:
   Linux: 63
   Windows: 0
   MacOS: 1146

Regressions/Differences:
Not detected

Testing cases:
Not needed

Testing on Linux:
Total MEMORY difference: 92389727 / 92303976 [+0.09%]
Total CPU difference: 19771.190000000177 / 19914.260000000217 [-0.72%]

Testing on Windows:
Total MEMORY difference: 57618548 / 57618048 [+0.00%]
Total CPU difference: 18559.04896749855 / 18683.178963198647 [-0.66%]

git

2017-03-20 14:36

administrator   ~0064510

Branch CR28327 has been deleted by inv.

SHA-1: 511348a5de706af9b501b7c793cb09d40636d599

Related Changesets

occt: master c13de402

2017-02-01 08:35:50

msv


Committer: apn
0028327: BSplCLib can cause memory corruption in degenerated cases

The code of the methods BSplCLib::KnotForm and BSplCLib::MultForm has been made safe by giving up using of address of array item for iteration on the Array1. Also the checking for degenerated case has been added to prevent out of bounds exception.
Affected Issues: 0028327
mod - src/BSplCLib/BSplCLib.cxx

Issue History

Date Modified Username Field Change
2016-12-29 20:36 Istvan Csanady New Issue
2016-12-29 20:36 Istvan Csanady Assigned To => msv
2016-12-29 20:36 Istvan Csanady File Added: use_index_operator.diff
2017-02-01 11:32 msv Note Added: 0063280
2017-02-01 11:32 msv Assigned To msv => Istvan Csanady
2017-02-01 11:32 msv Status new => feedback
2017-02-01 11:44 msv Note Added: 0063281
2017-02-01 16:33 Istvan Csanady Note Added: 0063303
2017-02-01 17:16 git Note Added: 0063310
2017-02-01 17:17 msv Assigned To Istvan Csanady => msv
2017-02-01 17:17 msv Status feedback => resolved
2017-02-01 17:17 msv Steps to Reproduce Updated
2017-02-01 17:17 msv Note Added: 0063311
2017-02-01 17:17 msv Assigned To msv => bugmaster
2017-02-01 17:17 msv Status resolved => reviewed
2017-02-01 17:23 apv Assigned To bugmaster => apv
2017-02-01 18:37 apv Test case number => Not needed
2017-02-03 13:53 apv Note Added: 0063390
2017-02-03 13:53 apv Assigned To apv => bugmaster
2017-02-03 13:53 apv Status reviewed => tested
2017-02-10 14:33 apn Changeset attached => occt master c13de402
2017-02-10 14:33 apn Assigned To bugmaster => apn
2017-02-10 14:33 apn Status tested => verified
2017-02-10 14:33 apn Resolution open => fixed
2017-03-20 14:36 git Note Added: 0064510
2017-09-29 16:20 aiv Fixed in Version => 7.2.0
2017-09-29 16:24 aiv Status verified => closed