MantisBT

View Issue Details
ID: 0030518
Project: Community
Category: [OCCT] OCCT:Foundation Classes
View Status: public
Date Submitted: 2019-02-25 23:40
Last Update: 2019-03-24 16:38
Reporter: galbramc
Assigned To: tizmaylo
Priority: normal
Severity: crash
Status: assigned
Resolution: open
Platform: Linux
OS: Ubuntu
OS Version: 16.04
Product Version: [OCCT] 7.3.0
Target Version: [OCCT] 7.4.0*
Fixed in Version:
Summary: 0030518: Foundation Classes - NCollection_IndexedDataMap array out of bounds
Description: Iterating over a NCollection_IndexedDataMap can access out of array bounds. The attached example compiles with the llvm sanitizer and when executed gives the following error:

./NCollection_BaseMap
Going out of array bounds!
=================================================================
==19306==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x618000000bb0 at pc 0x00000040b8f2 bp 0x7ffe95c2dc10 sp 0x7ffe95c2dc08
READ of size 8 at 0x618000000bb0 thread T0
    #0 0x40b8f1 in NCollection_IndexedDataMap<TopoDS_Shape, NCollection_List<TopoDS_Shape>, TopTools_ShapeMapHasher>::Iterator::Next() opencascade-7.3/build_memcheck/install/include/opencascade/NCollection_IndexedDataMap.hxx:111
    #1 0x4086d8 in main NCollection_IndexedDataMap.cpp:39
    #2 0x7f24c20eef44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21f44)
    #3 0x407ec8 (NCollection_IndexedDataMap+0x407ec8)

0x618000000bb0 is located 0 bytes to the right of 816-byte region [0x618000000880,0x618000000bb0)
allocated by thread T0 here:
    #0 0x7f24c41726a8 in __interceptor_calloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xda6a8)
    #1 0x7f24c3e96998 in Standard_MMgrRaw::Allocate(unsigned long) opencascade-7.3/src/Standard/Standard_MMgrRaw.cxx:41
    #2 0x7f24c3e8b651 in Standard::Allocate(unsigned long) opencascade-7.3/src/Standard/Standard.cxx:240
    #3 0x7f24c3f0d59f in NCollection_BaseAllocator::Allocate(unsigned long) opencascade-7.3/src/NCollection/NCollection_BaseAllocator.cxx:37
    #4 0x7f24c3f14779 in NCollection_BaseMap::BeginResize(int, int&, NCollection_ListNode**&, NCollection_ListNode**&) const opencascade-7.3/src/NCollection/NCollection_BaseMap.cxx:45
    #5 0x40c5fa in NCollection_IndexedDataMap<TopoDS_Shape, NCollection_List<TopoDS_Shape>, TopTools_ShapeMapHasher>::ReSize(int) opencascade-7.3/build_memcheck/install/include/opencascade/NCollection_IndexedDataMap.hxx:223
    #6 0x40b384 in NCollection_IndexedDataMap<TopoDS_Shape, NCollection_List<TopoDS_Shape>, TopTools_ShapeMapHasher>::Add(TopoDS_Shape const&, NCollection_List<TopoDS_Shape> const&) opencascade-7.3/build_memcheck/install/include/opencascade/NCollection_IndexedDataMap.hxx:256
    #7 0x4084f2 in main NCollection_BaseMap_array_out_of_bound/NCollection_BaseMap.cpp:32
    #8 0x7f24c20eef44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21f44)

SUMMARY: AddressSanitizer: heap-buffer-overflow opencascade-7.3/build_memcheck/install/include/opencascade/NCollection_IndexedDataMap.hxx:111 in NCollection_IndexedDataMap<TopoDS_Shape, NCollection_List<TopoDS_Shape>, TopTools_ShapeMapHasher>::Iterator::Next()
==19306==ABORTING


I found changing NCollection_BaseMap.hxx

  //! Resizable
  Standard_Boolean Resizable() const
  { return IsEmpty() || (mySize > myNbBuckets); }

to

  //! Resizable
  Standard_Boolean Resizable() const
  { return IsEmpty() || (mySize >= myNbBuckets); }

avoids the error, but I don't know that this is the correct solution.
Steps To Reproduce: Compile and run the attached example. You might need the -fuse-ld=gold flag on certain platforms. g++ must be 4.9 or newer.
Tags: No tags attached.
Test case number:
Attached Files: NCollection_IndexedDataMap_array_out_of_bound.tgz (1,223 bytes) 2019-02-25 23:40
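To make the boundary the proposed Resizable() change moves concrete, here is an added toy model (not OCCT code and not the attached example) of a map whose entries live in a 1-based slot array of NbBuckets + 1 pointers, an assumed layout chosen because the 816-byte region in the sanitizer output is 102 pointers, i.e. 101 buckets + 1. It counts the stores that would land past the slot array instead of performing them, and compares the 7.3.0 `>` check with the reporter's `>=` variant.

```cpp
#include <vector>

// Toy model of an indexed map (assumed layout, not OCCT's implementation):
// entry number i (1..myNbBuckets) is stored in mySlots[i], and mySlots has
// myNbBuckets + 1 elements so that index 0 is unused.
struct ToyIndexedMap {
    int mySize = 0;            // number of stored entries, like Extent()
    int myNbBuckets;           // current bucket count
    std::vector<int> mySlots;  // allocated lazily, like BeginResize()
    bool myStrict;             // true: "mySize > myNbBuckets" (7.3.0); false: ">="
    int myOutOfBounds = 0;     // stores that would have left the array

    ToyIndexedMap(int nbBuckets, bool strict)
        : myNbBuckets(nbBuckets), myStrict(strict) {}

    bool IsEmpty() const { return mySize == 0; }

    // The check from NCollection_BaseMap.hxx, both variants selectable.
    bool Resizable() const {
        return IsEmpty() || (myStrict ? mySize > myNbBuckets
                                      : mySize >= myNbBuckets);
    }

    // First call only allocates; later calls grow (OCCT picks the next
    // prime from a table, a plain doubling is enough for the model).
    void ReSize() {
        if (!mySlots.empty()) myNbBuckets = myNbBuckets * 2 + 1;
        mySlots.resize(myNbBuckets + 1, 0);
    }

    // Mirrors the order in Add(): resize if Resizable(), then store the new
    // entry at index Extent() + 1.  A store past the array is counted
    // (this is the access ASan would flag as heap-buffer-overflow) and the
    // entry count still advances, as it would in the real container.
    void Add(int value) {
        if (Resizable()) ReSize();
        int idx = mySize + 1;
        if (idx >= static_cast<int>(mySlots.size())) ++myOutOfBounds;
        else mySlots[idx] = value;
        ++mySize;
    }
};

// Insert n entries into a map that starts with nbBuckets buckets and
// report how many stores would have gone out of bounds.
int OverflowsAfterAdding(int nbBuckets, int n, bool strict) {
    ToyIndexedMap m(nbBuckets, strict);
    for (int i = 1; i <= n; ++i) m.Add(i);
    return m.myOutOfBounds;
}
```

With the strict check, a 101-bucket map accepts 101 entries cleanly and the 102nd store is the one past the 102-pointer region; with `>=` the resize happens one entry earlier and no store leaves the array.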

- Relationships
child of 0030557 (new, kgv): Open CASCADE Coding - eliminate errors reported by -fsanitize

- Notes
There are no notes attached to this issue.

- Issue History
Date Modified Username Field Change
2019-02-25 23:40 galbramc New Issue
2019-02-25 23:40 galbramc Assigned To => msv
2019-02-25 23:40 galbramc File Added: NCollection_IndexedDataMap_array_out_of_bound.tgz
2019-02-26 10:21 msv Assigned To msv => abv
2019-02-26 10:21 msv Category OCCT:Modeling Algorithms => OCCT:Foundation Classes
2019-03-13 13:54 kgv Relationship added child of 0030557
2019-03-13 13:55 kgv Summary NCollection_IndexedDataMap array out of bounds => Foundation Classes - NCollection_IndexedDataMap array out of bounds
2019-03-24 16:38 kgv Assigned To abv => tizmaylo
2019-03-24 16:38 kgv Status new => assigned
2019-03-24 16:38 kgv Target Version => 7.4.0*