From 70d86ce90730e237353d7b0c0eb763439b36c65c Mon Sep 17 00:00:00 2001
From: wmayer <wmayer@users.sourceforge.net>
Date: Wed, 7 Oct 2015 23:08:03 +0200
Subject: [PATCH] + add security checks to SoBrep nodes

---
 src/Mod/Part/Gui/SoBrepEdgeSet.cpp  | 32 ++++++++++++---
 src/Mod/Part/Gui/SoBrepEdgeSet.h    |  2 +
 src/Mod/Part/Gui/SoBrepFaceSet.cpp  | 61 +++++++++++++++++------------
 src/Mod/Part/Gui/SoBrepPointSet.cpp | 33 +++++++++++++---
 src/Mod/Part/Gui/SoBrepPointSet.h   |  2 +
 5 files changed, 95 insertions(+), 35 deletions(-)

diff --git a/src/Mod/Part/Gui/SoBrepEdgeSet.cpp b/src/Mod/Part/Gui/SoBrepEdgeSet.cpp
index a9b7ed125794..29ee265bb23f 100644
--- a/src/Mod/Part/Gui/SoBrepEdgeSet.cpp
+++ b/src/Mod/Part/Gui/SoBrepEdgeSet.cpp
@@ -50,6 +50,7 @@
 # include <Inventor/elements/SoGLCacheContextElement.h>
 # include <Inventor/elements/SoLineWidthElement.h>
 # include <Inventor/elements/SoPointSizeElement.h>
+# include <Inventor/errors/SoDebugError.h>
 # include <Inventor/errors/SoReadError.h>
 # include <Inventor/details/SoFaceDetail.h>
 # include <Inventor/details/SoLineDetail.h>
@@ -153,7 +154,12 @@ void SoBrepEdgeSet::renderHighlight(SoGLRenderAction *action)
     int num = (int)this->hl.size();
     if (num > 0) {
         const int32_t* id = &(this->hl[0]);
-        renderShape(static_cast<const SoGLCoordinateElement*>(coords), id, num);
+        if (!validIndexes(coords, this->hl)) {
+            SoDebugError::postWarning("SoBrepEdgeSet::renderHighlight", "highlightIndex out of range");
+        }
+        else {
+            renderShape(static_cast<const SoGLCoordinateElement*>(coords), id, num);
+        }
     }
     state->pop();
 }
@@ -192,12 +198,26 @@ void SoBrepEdgeSet::renderSelection(SoGLRenderAction *action)
     if (num > 0) {
         cindices = &(this->sl[0]);
         numcindices = (int)this->sl.size();
-
-        renderShape(static_cast<const SoGLCoordinateElement*>(coords), cindices, numcindices);
+        if (!validIndexes(coords, this->sl)) {
+            SoDebugError::postWarning("SoBrepEdgeSet::renderSelection", "selectionIndex out of range");
+        }
+        else {
+            renderShape(static_cast<const SoGLCoordinateElement*>(coords), cindices, numcindices);
+        }
     }
     state->pop();
 }
 
+bool SoBrepEdgeSet::validIndexes(const SoCoordinateElement* coords, const std::vector<int32_t>& pts) const
+{
+    for (std::vector<int32_t>::const_iterator it = pts.begin(); it != pts.end(); ++it) {
+        if (*it >= coords->getNum()) {
+            return false;
+        }
+    }
+    return true;
+}
+
 static void createIndexArray(const int32_t* segm, int numsegm,
                              const int32_t* cindices, int numcindices,
                              std::vector<int32_t>& out)
@@ -292,8 +312,10 @@ void SoBrepEdgeSet::doAction(SoAction* action)
             switch (selaction->getType()) {
             case Gui::SoSelectionElementAction::Append:
                 {
-                    int start = this->selectionIndex.getNum();
-                    this->selectionIndex.set1Value(start, index);
+                    if (this->selectionIndex.find(index) < 0) {
+                        int start = this->selectionIndex.getNum();
+                        this->selectionIndex.set1Value(start, index);
+                    }
                 }
                 break;
             case Gui::SoSelectionElementAction::Remove:
diff --git a/src/Mod/Part/Gui/SoBrepEdgeSet.h b/src/Mod/Part/Gui/SoBrepEdgeSet.h
index 554b0f922dab..116cc53bdf2f 100644
--- a/src/Mod/Part/Gui/SoBrepEdgeSet.h
+++ b/src/Mod/Part/Gui/SoBrepEdgeSet.h
@@ -33,6 +33,7 @@
 #include <Inventor/elements/SoReplacedElement.h>
 #include <vector>
 
+class SoCoordinateElement;
 class SoGLCoordinateElement;
 class SoTextureCoordinateBundle;
 
@@ -66,6 +67,7 @@ class PartGuiExport SoBrepEdgeSet : public SoIndexedLineSet {
                      int num_vertexindices);
     void renderHighlight(SoGLRenderAction *action);
     void renderSelection(SoGLRenderAction *action);
+    bool validIndexes(const SoCoordinateElement*, const std::vector<int32_t>&) const;
 
 private:
     std::vector<int32_t> hl, sl;
diff --git a/src/Mod/Part/Gui/SoBrepFaceSet.cpp b/src/Mod/Part/Gui/SoBrepFaceSet.cpp
index 935ef74758ab..1d2cc06e7d2c 100644
--- a/src/Mod/Part/Gui/SoBrepFaceSet.cpp
+++ b/src/Mod/Part/Gui/SoBrepFaceSet.cpp
@@ -51,6 +51,7 @@
 # include <Inventor/elements/SoGLCacheContextElement.h>
 # include <Inventor/elements/SoLineWidthElement.h>
 # include <Inventor/elements/SoPointSizeElement.h>
+# include <Inventor/errors/SoDebugError.h>
 # include <Inventor/errors/SoReadError.h>
 # include <Inventor/details/SoFaceDetail.h>
 # include <Inventor/details/SoLineDetail.h>
@@ -134,8 +135,10 @@ void SoBrepFaceSet::doAction(SoAction* action)
             switch (selaction->getType()) {
             case Gui::SoSelectionElementAction::Append:
                 {
-                    int start = this->selectionIndex.getNum();
-                    this->selectionIndex.set1Value(start, index);
+                    if (this->selectionIndex.find(index) < 0) {
+                        int start = this->selectionIndex.getNum();
+                        this->selectionIndex.set1Value(start, index);
+                    }
                 }
                 break;
             case Gui::SoSelectionElementAction::Remove:
@@ -704,33 +707,37 @@ void SoBrepFaceSet::renderHighlight(SoGLRenderAction *action)
     mb.sendFirst(); // make sure we have the correct material
 
     int32_t id = this->highlightIndex.getValue();
+    if (id >= this->partIndex.getNum()) {
+        SoDebugError::postWarning("SoBrepFaceSet::renderHighlight", "highlightIndex out of range");
+    }
+    else {
+        // just in case someone forgot
+        if (!mindices) mindices = cindices;
+        if (!nindices) nindices = cindices;
+        pindices = this->partIndex.getValues(0);
 
-    // just in case someone forgot
-    if (!mindices) mindices = cindices;
-    if (!nindices) nindices = cindices;
-    pindices = this->partIndex.getValues(0);
+        // coords
+        int length = (int)pindices[id]*4;
+        int start=0;
+        for (int i=0;i<id;i++)
+            start+=(int)pindices[i];
+        start *= 4;
 
-    // coords
-    int length = (int)pindices[id]*4;
-    int start=0;
-    for (int i=0;i<id;i++)
-        start+=(int)pindices[i];
-    start *= 4;
-
-    // normals
-    if (nbind == PER_VERTEX_INDEXED)
-        nindices = &(nindices[start]);
-    else if (nbind == PER_VERTEX)
-        normals = &(normals[start]);
-    else 
-        nbind = OVERALL;
+        // normals
+        if (nbind == PER_VERTEX_INDEXED)
+            nindices = &(nindices[start]);
+        else if (nbind == PER_VERTEX)
+            normals = &(normals[start]);
+        else 
+            nbind = OVERALL;
 
-    // materials
-    mbind = OVERALL;
-    doTextures = FALSE;
+        // materials
+        mbind = OVERALL;
+        doTextures = FALSE;
 
-    renderShape(static_cast<const SoGLCoordinateElement*>(coords), &(cindices[start]), length,
-        &(pindices[id]), 1, normals, nindices, &mb, mindices, &tb, tindices, nbind, mbind, doTextures?1:0);
+        renderShape(static_cast<const SoGLCoordinateElement*>(coords), &(cindices[start]), length,
+            &(pindices[id]), 1, normals, nindices, &mb, mindices, &tb, tindices, nbind, mbind, doTextures?1:0);
+    }
     state->pop();
 }
 
@@ -787,6 +794,10 @@ void SoBrepFaceSet::renderSelection(SoGLRenderAction *action)
 
     for (int i=0; i<numSelected; i++) {
         int id = selected[i];
+        if (id >= this->partIndex.getNum()) {
+            SoDebugError::postWarning("SoBrepFaceSet::renderSelection", "selectionIndex out of range");
+            break;
+        }
 
         // coords
         int length = (int)pindices[id]*4;
diff --git a/src/Mod/Part/Gui/SoBrepPointSet.cpp b/src/Mod/Part/Gui/SoBrepPointSet.cpp
index abf7e54b283a..3b43d3dec319 100644
--- a/src/Mod/Part/Gui/SoBrepPointSet.cpp
+++ b/src/Mod/Part/Gui/SoBrepPointSet.cpp
@@ -50,6 +50,7 @@
 # include <Inventor/elements/SoGLCacheContextElement.h>
 # include <Inventor/elements/SoLineWidthElement.h>
 # include <Inventor/elements/SoPointSizeElement.h>
+# include <Inventor/errors/SoDebugError.h>
 # include <Inventor/errors/SoReadError.h>
 # include <Inventor/details/SoFaceDetail.h>
 # include <Inventor/details/SoLineDetail.h>
@@ -143,8 +144,12 @@ void SoBrepPointSet::renderHighlight(SoGLRenderAction *action)
     mb.sendFirst(); // make sure we have the correct material
 
     int32_t id = this->highlightIndex.getValue();
-
-    renderShape(static_cast<const SoGLCoordinateElement*>(coords), &id, 1);
+    if (id < this->startIndex.getValue() || id >= coords->getNum()) {
+        SoDebugError::postWarning("SoBrepPointSet::renderHighlight", "highlightIndex out of range");
+    }
+    else {
+        renderShape(static_cast<const SoGLCoordinateElement*>(coords), &id, 1);
+    }
     state->pop();
 }
 
@@ -173,10 +178,26 @@ void SoBrepPointSet::renderSelection(SoGLRenderAction *action)
     cindices = this->selectionIndex.getValues(0);
     numcindices = this->selectionIndex.getNum();
 
-    renderShape(static_cast<const SoGLCoordinateElement*>(coords), cindices, numcindices);
+    if (!validIndexes(coords, this->startIndex.getValue(), cindices, numcindices)) {
+        SoDebugError::postWarning("SoBrepPointSet::renderSelection", "selectionIndex out of range");
+    }
+    else {
+        renderShape(static_cast<const SoGLCoordinateElement*>(coords), cindices, numcindices);
+    }
     state->pop();
 }
 
+bool SoBrepPointSet::validIndexes(const SoCoordinateElement* coords, int32_t startIndex, const int32_t * cindices, int numcindices) const
+{
+    for (int i=0; i<numcindices; i++) {
+        int32_t id = cindices[i];
+        if (id < startIndex || id >= coords->getNum()) {
+            return false;
+        }
+    }
+    return true;
+}
+
 void SoBrepPointSet::doAction(SoAction* action)
 {
     if (action->getTypeId() == Gui::SoHighlightElementAction::getClassTypeId()) {
@@ -226,8 +247,10 @@ void SoBrepPointSet::doAction(SoAction* action)
             switch (selaction->getType()) {
             case Gui::SoSelectionElementAction::Append:
                 {
-                    int start = this->selectionIndex.getNum();
-                    this->selectionIndex.set1Value(start, index);
+                    if (this->selectionIndex.find(index) < 0) {
+                        int start = this->selectionIndex.getNum();
+                        this->selectionIndex.set1Value(start, index);
+                    }
                 }
                 break;
             case Gui::SoSelectionElementAction::Remove:
diff --git a/src/Mod/Part/Gui/SoBrepPointSet.h b/src/Mod/Part/Gui/SoBrepPointSet.h
index f83a4a261777..91dbe233cb7d 100644
--- a/src/Mod/Part/Gui/SoBrepPointSet.h
+++ b/src/Mod/Part/Gui/SoBrepPointSet.h
@@ -33,6 +33,7 @@
 #include <Inventor/elements/SoReplacedElement.h>
 #include <vector>
 
+class SoCoordinateElement;
 class SoGLCoordinateElement;
 class SoTextureCoordinateBundle;
 
@@ -62,6 +63,7 @@ class PartGuiExport SoBrepPointSet : public SoPointSet {
                      int num_vertexindices);
     void renderHighlight(SoGLRenderAction *action);
     void renderSelection(SoGLRenderAction *action);
+    bool validIndexes(const SoCoordinateElement*, int32_t, const int32_t *, int) const;
 
 private:
     SbColor selectionColor;