Skip to content

Fix conditional check in SkipSpaces function to prevent out-of-bound access #5770

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 8 commits into
base: master
Choose a base branch
from
Open

Fix conditional check in SkipSpaces function to prevent out-of-bound access #5770

wants to merge 8 commits into from

Conversation

cla7aye15I4nd
Copy link
Contributor

Description:

This PR resolves a potential out-of-bound access issue in the SkipSpaces function within the ParsingUtils.h file. Previously, the condition that checked for whitespace (' ' or '\t') was evaluated before verifying whether the pointer in had reached the end. This could lead to dereferencing the pointer when it is already at the boundary, resulting in undefined behavior.

The update reorders the condition so that the boundary check in != end is evaluated before accessing the value of *in. This ensures the function operates safely when processing input up to the boundary.

Changes:

  • Modified SkipSpaces function to check for in != end before dereferencing *in.

@cla7aye15I4nd
Fix conditional check in SkipSpaces function to prevent out-of-bound …
5eea256 
…access.

The `SkipSpaces` function's condition was updated to ensure that the pointer check `in != end` is evaluated before dereferencing the pointer. This change prevents potential out-of-bound access when the input pointer reaches the end.
@cla7aye15I4nd
Avoid input is wrong
cdcd22f
JulianKnodt
JulianKnodt reviewed Sep 10, 2024
View reviewed changes
include/assimp/ParsingUtils.h Outdated
@@ -103,7 +103,7 @@ AI_FORCE_INLINE bool IsSpaceOrNewLine(char_t in) {
// ---------------------------------------------------------------------------------
template <class char_t>
AI_FORCE_INLINE bool SkipSpaces(const char_t *in, const char_t **out, const char_t *end) {
while ((*in == (char_t)' ' || *in == (char_t)'\t') && in != end) {
while (in >= end && (*in == (char_t)' ' || *in == (char_t)'\t')) {
Copy link
Contributor

@JulianKnodt JulianKnodt Sep 10, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should this be in < end?
This condition seems like it'll change the behavior of the loop.

Copy link
Contributor Author

@cla7aye15I4nd cla7aye15I4nd Sep 10, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sure, have updated and added more similar changes

@kimkulling
Copy link
Member

Do you have a testcase for validation? It would be really great to test this in a proper way. Let me know if you cannot generate one.

kimkulling
kimkulling approved these changes Sep 10, 2024
View reviewed changes
Copy link
Member

@kimkulling kimkulling left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks fine. Any kind of testcase planned?

@cla7aye15I4nd
Copy link
Contributor Author

I do not have testcases

@turol
Copy link
Member

turol commented Sep 10, 2024

Looks like it hit an infinite loop. It timed out after 6 hours. The timeout could be reduced to avoid wasting CPU time.

@cla7aye15I4nd
Copy link
Contributor Author

I believe we may have found a new bug. I made the following change to the code:

template <class char_t>
AI_FORCE_INLINE bool SkipSpaces(const char_t *in, const char_t **out, const char_t *end) {
    if (in > end) {
        return false; // gdb stops here
    }
    while (in < end && (*in == (char_t)' ' || *in == (char_t)'\t')) {
        ++in;
    }

After running /bin/unit, I noticed that GDB stops at the line marked with a comment. I'm not entirely sure if this is the expected behavior. If it isn't, this could indicate an issue that needs to be addressed.

@sonarqubecloud SonarQubeCloud
Copy link

Quality Gate Failed Quality Gate failed

Failed conditions
E Reliability Rating on New Code (required ≥ A)

See analysis details on SonarCloud

Catch issues before they fail your Quality Gate with our IDE extension SonarLint

@tellypresence
Copy link
Collaborator

@cla7aye15I4nd Please resolve conflicts so PR remains viable

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@JulianKnodt JulianKnodt JulianKnodt left review comments

@kimkulling kimkulling kimkulling approved these changes

Assignees
No one assigned
Labels
None yet
Projects
The Asset-Importer-Lib DevOps Board
Archived in project
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@cla7aye15I4nd @kimkulling @turol @tellypresence @JulianKnodt