View Issue Details

IDProjectCategoryView StatusLast Update
0031010Open CASCADEOCCT:Foundation Classespublic2020-12-02 17:12
ReporterabvAssigned Toabv 
PrioritynormalSeverityminor 
Status closedResolutionfixed 
Product Version7.4.0 
Target Version7.5.0Fixed in Version7.5.0 
Summary0031010: Foundation Classes - heap-buffer-overflow reported by Clang address sanitizer in OSD_Path::IsUncExtendedPath()
DescriptionWhen running OCCT built on Linux with Clang with option -fsanitize=address, error heap-buffer-overflow is reported on test collections n osdpath:

QAOsdPathType D:\
=================================================================
==8474==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020001b52b4 at pc 0x0000004b56cc bp 0x7ffd60364300 sp 0x7ffd60363ab0
READ of size 8 at 0x6020001b52b4 thread T0
    #0 0x4b56cb in __interceptor_memcmp.part.77 (/home/abv/tmp/occt-clang/lin64/clang/bini/DRAWEXE-7.4.0+0x4b56cb)
    0000001 0x7f08f9b8cbc4 in OSD_Path::IsUncExtendedPath(char const*) /home/abv/occt/src/OSD/OSD_Path.hxx:251:76
    0000002 0x7f08f9b7f570 in QAOsdPathType(Draw_Interpretor&, int, char const**) /home/abv/occt/src/QANCollection/QANCollection_Test.cxx:1262:7
    #3 0x7f0907a89349 in Draw_Interpretor::CallBackDataFunc::Invoke(Draw_Interpretor&, int, char const**) /home/abv/occt/src/Draw/Draw_Interpretor.hxx:81:31
    #4 0x7f0907a96b7d in CommandCmd(void*, Tcl_Interp*, int, char const**) /home/abv/occt/src/Draw/Draw_Interpretor.cxx:154:40
    #5 0x7f0901e26b95 in TclInvokeStringCommand (/usr/lib/x86_64-linux-gnu/libtcl8.6.so+0x38b95)
    #6 0x7f0901e28fa6 in TclNRRunCallbacks (/usr/lib/x86_64-linux-gnu/libtcl8.6.so+0x3afa6)
    0000007 0x7f0901ec787a in Tcl_RecordAndEvalObj (/usr/lib/x86_64-linux-gnu/libtcl8.6.so+0xd987a)
    0000008 0x7f0901ec7756 in Tcl_RecordAndEval (/usr/lib/x86_64-linux-gnu/libtcl8.6.so+0xd9756)
    0000009 0x7f0907a980bf in Draw_Interpretor::RecordAndEval(char const*, int) /home/abv/occt/src/Draw/Draw_Interpretor.cxx:496:10
    #10 0x7f0907a7edad in Draw_Interprete(char const*) /home/abv/occt/src/Draw/Draw.cxx:608:19
    0000011 0x7f0907a7fb90 in interpreteTclCommand(TCollection_AsciiString const&) /home/abv/occt/src/Draw/Draw.cxx:110:5
    #12 0x7f0907a7d37b in ReadInitFile(TCollection_AsciiString const&) /home/abv/occt/src/Draw/Draw.cxx:121:3
    0000013 0x7f0907a7c973 in Draw_Appli(int, char**, void (*)(Draw_Interpretor&)) /home/abv/occt/src/Draw/Draw.cxx:497:5
    0000014 0x7f0907a99328 in Draw_Main(int, char**, void (*)(Draw_Interpretor&)) /home/abv/occt/src/Draw/Draw_Main.cxx:113:3
    0000015 0x51aaef in main /home/abv/occt/src/DRAWEXE/DRAWEXE.cxx:33:1
    0000016 0x7f090085282f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
    0000017 0x41aac8 in _start (/home/abv/tmp/occt-clang/lin64/clang/bini/DRAWEXE-7.4.0+0x41aac8)

0x6020001b52b4 is located 0 bytes to the right of 4-byte region [0x6020001b52b0,0x6020001b52b4)
allocated by thread T0 here:
    #0 0x4deef0 in calloc (/home/abv/tmp/occt-clang/lin64/clang/bini/DRAWEXE-7.4.0+0x4deef0)
    0000001 0x7f09033ef658 in Standard_MMgrRaw::Allocate(unsigned long) /home/abv/occt/src/Standard/Standard_MMgrRaw.cxx:41:39
    0000002 0x7f09033e57ac in Standard::Allocate(unsigned long) /home/abv/occt/src/Standard/Standard.cxx:240:43
    #3 0x7f090340fc68 in Allocate(unsigned long) /home/abv/occt/src/TCollection/TCollection_AsciiString.cxx:34:31
    #4 0x7f090340fcfe in TCollection_AsciiString::TCollection_AsciiString(char const*) /home/abv/occt/src/TCollection/TCollection_AsciiString.cxx:72:14
    #5 0x7f08f9b7f48a in QAOsdPathType(Draw_Interpretor&, int, char const**) /home/abv/occt/src/QANCollection/QANCollection_Test.cxx:1237:27
    #6 0x7f0907a89349 in Draw_Interpretor::CallBackDataFunc::Invoke(Draw_Interpretor&, int, char const**) /home/abv/occt/src/Draw/Draw_Interpretor.hxx:81:31
    0000007 0x7f0907a96b7d in CommandCmd(void*, Tcl_Interp*, int, char const**) /home/abv/occt/src/Draw/Draw_Interpretor.cxx:154:40
    0000008 0x7f0901e26b95 in TclInvokeStringCommand (/usr/lib/x86_64-linux-gnu/libtcl8.6.so+0x38b95)

SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/abv/tmp/occt-clang/lin64/clang/bini/DRAWEXE-7.4.0+0x4b56cb) in __interceptor_memcmp.part.77
Shadow bytes around the buggy address:
  0x0c048002ea00: fa fa fd fd fa fa fd fa fa fa fd fa fa fa fd fa
  0x0c048002ea10: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
  0x0c048002ea20: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
  0x0c048002ea30: fa fa fd fa fa fa fd fa fa fa fd fd fa fa fd fa
  0x0c048002ea40: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
=>0x0c048002ea50: fa fa fd fd fa fa[04]fa fa fa fa fa fa fa fa fa
  0x0c048002ea60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c048002ea70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c048002ea80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c048002ea90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c048002eaa0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable: 00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone: fa
  Freed heap region: fd
  Stack left redzone: f1
  Stack mid redzone: f2
  Stack right redzone: f3
  Stack after return: f5
  Stack use after scope: f8
  Global redzone: f9
  Global init order: f6
  Poisoned by user: f7
  Container overflow: fc
  Array cookie: ac
  Intra object redzone: bb
  ASan internal: fe
  Left alloca redzone: ca
  Right alloca redzone: cb
==8474==ABORTING
Steps To Reproducetest collections n osdpath
TagsNo tags attached.
Test case numberNot needed

Relationships

child of 0030557 newvpozdyayev Coding - eliminate errors reported by -fsanitize 
child of 0030692 closedbugmaster Data Exchange - introduce base framework RWMesh for importing mesh data formats into XDE document 

Activities

git

2019-09-30 21:38

administrator   ~0087645

Branch CR31010 has been created by abv.

SHA-1: 884b730e64de62e7cf40457d38e21f4e2eedcce7


Detailed log of new commits:

Author: abv
Date: Mon Sep 30 21:37:55 2019 +0300

    0031010: Foundation Classes - heap-buffer-overflow reported by Clang address sanitizer in OSD_Path::IsUncExtendedPath()
    
    Use of memcmp is replaced by strncmp to avoid possible read access out of string buffer size

abv

2019-10-01 13:35

manager   ~0087656

The fix is pushed to CR31010, please review. Tests are OK, see Jenkins job CR31010-abv (failed test on Debian is OK after restart).

git

2019-10-23 11:51

administrator   ~0088470

Branch CR31010 has been deleted by kgv.

SHA-1: 884b730e64de62e7cf40457d38e21f4e2eedcce7

Related Changesets

occt: master 683b72c3

2019-09-30 18:37:55

abv


Committer: abv Details Diff
0031010: Foundation Classes - heap-buffer-overflow reported by Clang address sanitizer in OSD_Path::IsUncExtendedPath()

Use of memcmp is replaced by strncmp to avoid possible read access out of string buffer size
Affected Issues
0031010
mod - src/OSD/OSD_Path.hxx Diff File

Issue History

Date Modified Username Field Change
2019-09-28 09:37 abv New Issue
2019-09-28 09:37 abv Assigned To => abv
2019-09-28 09:37 abv Relationship added child of 0030557
2019-09-30 21:38 git Note Added: 0087645
2019-09-30 21:58 kgv Relationship added related to 0030692
2019-10-01 13:35 abv Note Added: 0087656
2019-10-01 13:35 abv Status new => resolved
2019-10-01 13:35 abv Steps to Reproduce Updated
2019-10-01 13:35 abv Assigned To abv => kgv
2019-10-01 13:38 kgv Assigned To kgv => bugmaster
2019-10-01 13:38 kgv Status resolved => reviewed
2019-10-01 13:38 kgv Product Version => 7.4.0
2019-10-01 13:39 kgv Relationship replaced child of 0030692
2019-10-23 01:07 abv Changeset attached => occt master 683b72c3
2019-10-23 01:07 abv Assigned To bugmaster => abv
2019-10-23 01:07 abv Status reviewed => verified
2019-10-23 01:07 abv Resolution open => fixed
2019-10-23 11:51 git Note Added: 0088470
2019-10-23 17:01 apn Test case number => Not needed
2020-12-02 16:40 emo Fixed in Version => 7.5.0
2020-12-02 17:12 emo Status verified => closed