You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
It crashes after some time if files contain very long names.
Recursive structures are not allowed in VRML, and they should not appear in the wild. However, FreeCAD shouldn't just crash either. Same for long names.
Additional information
running 0.16 on Windows 7
Steps to reproduce
load one of the attached files with "crash" prefix
crash immediately
OR
click Open File
select the file with "corrupts memory" prefix
Open
file seems to load file
click Open File again
FreeCAD crashes a fraction of a second after that (which indicates a memory corruption)
Other bug information
Priority: normal
Severity: minor
Category: General
Updated: 2/6/2021
Discussion from Mantis ticket
Comment by Krishty 2017-06-05 01:10
same crashes with VRML 1 recursive structures & VRML 1 long name
2. It crashes after some time if files contain very long names.
That's a bug in the Coin library. Inside the class SbName the function find_string_address is called (over several steps) and this raises an assert if the string is longer than 65004 characters. Many systems already crash there (when Coin was built with the debug option). On Windows in release mode it crashes at a later point because the internal string buffer seems to be corrupted.
Does the VRML standard say anything about the maximum length of a name?
I recommend aborting after 50 B if you’re strict or after 127 B if you want to avoid problems with 3rd party libraries.
Comment by wmayer 2017-06-11 12:46
Thanks for the link.
I recommend aborting after 50 B if you’re strict or after 127 B if you want to avoid problems with 3rd party libraries.
Currently we rely on Coin's VRML importer here. So as a workaround we must implement our own parser that verifies the DEF's of a VRML file.
Comment by Krishty 2017-06-11 13:01
Yes, a separate verification pass would also solve the recursive DEF/USE crash. However, given that VRML 1 & 2 are vastly different in grammar and the bug exists in both versions, that’s probably TWO parsers to be written.
It should definitely be reported to the COIN maintainers and they need to fix that.
Comment by wmayer 2017-06-11 14:49
I pushed a fix a405b4d the solves the crash when loading the file crash - recursive USE.wrl Having this function inside FreeCAD makes sense because cyclic graphs can also happen outside the scope of reading in a file.
The fix doesn't prevent FreeCAD from crashing when reading in crash - recursive PROTO.wrl because there is already a stack overflow during the read process.
Btw, MeshLab handles the cases with recursive PROTO and too long names but crashes with recursive USE. Blender handles all three cases.
Comment by Krishty 2017-06-11 18:09
Btw, MeshLab handles the cases with recursive PROTO and too long names but crashes with recursive USE. Blender handles all three cases.
Good thing to know! I don’t actually use FreeCAD, I was just fuzz-testing my own VRML implementation and wondered how other software suites do (considering we live in the age of exploits). It’s just fair to give other developers every chance to improve their software, so I reported the crashes outright. You should report them to MeshLab as well; use my test files at will.
The text was updated successfully, but these errors were encountered:
Issue imported from https://tracker.freecad.org/view.php?id=3070
Original report text
Recursive structures are not allowed in VRML, and they should not appear in the wild. However, FreeCAD shouldn't just crash either. Same for long names.
Additional information
running 0.16 on Windows 7
Steps to reproduce
OR
Other bug information
Discussion from Mantis ticket
Comment by Krishty 2017-06-05 01:10
same crashes with VRML 1 recursive structures & VRML 1 long name
Comment by Kunda1 2017-06-10 11:35
Discussion thread: https://forum.freecadweb.org/viewtopic.php?f=8&t=22875
Comment by wmayer 2017-06-11 12:16
2. It crashes after some time if files contain very long names. That's a bug in the Coin library. Inside the class SbName the function find_string_address is called (over several steps) and this raises an assert if the string is longer than 65004 characters. Many systems already crash there (when Coin was built with the debug option). On Windows in release mode it crashes at a later point because the internal string buffer seems to be corrupted.Does the VRML standard say anything about the maximum length of a name?
Comment by Krishty 2017-06-11 12:33
The VRML 2 standard defines a limit of 50 Bytes per name:
http://tecfa.unige.ch/guides/vrml/vrml97/spec/part1/conformance.html#7.3.3
VRML 1 standard does not mention anything.
I recommend aborting after 50 B if you’re strict or after 127 B if you want to avoid problems with 3rd party libraries.
Comment by wmayer 2017-06-11 12:46
Thanks for the link.
Currently we rely on Coin's VRML importer here. So as a workaround we must implement our own parser that verifies the DEF's of a VRML file.
Comment by Krishty 2017-06-11 13:01
Yes, a separate verification pass would also solve the recursive DEF/USE crash. However, given that VRML 1 & 2 are vastly different in grammar and the bug exists in both versions, that’s probably TWO parsers to be written.
It should definitely be reported to the COIN maintainers and they need to fix that.
Comment by wmayer 2017-06-11 14:49
I pushed a fix a405b4d the solves the crash when loading the file crash - recursive USE.wrl Having this function inside FreeCAD makes sense because cyclic graphs can also happen outside the scope of reading in a file.
The fix doesn't prevent FreeCAD from crashing when reading in crash - recursive PROTO.wrl because there is already a stack overflow during the read process.
Btw, MeshLab handles the cases with recursive PROTO and too long names but crashes with recursive USE. Blender handles all three cases.
Comment by Krishty 2017-06-11 18:09
Good thing to know! I don’t actually use FreeCAD, I was just fuzz-testing my own VRML implementation and wondered how other software suites do (considering we live in the age of exploits). It’s just fair to give other developers every chance to improve their software, so I reported the crashes outright. You should report them to MeshLab as well; use my test files at will.
The text was updated successfully, but these errors were encountered: