From c13de402807ef1720a9ab987b6b0efb6b1750167 Mon Sep 17 00:00:00 2001
From: msv
Date: Wed, 1 Feb 2017 11:35:50 +0300
Subject: [PATCH] 0028327: BSplCLib can cause memory corruption in degenerated cases

The code of the methods BSplCLib::KnotForm and BSplCLib::MultForm has been made safe by giving up using of address of array item for iteration on the Array1. Also the checking for degenerated case has been added to prevent out of bounds exception.
---
 src/BSplCLib/BSplCLib.cxx | 36 ++++++++++++++++++++----------------
 1 file changed, 20 insertions(+), 16 deletions(-)

diff --git a/src/BSplCLib/BSplCLib.cxx b/src/BSplCLib/BSplCLib.cxx
index 3e4b68845c..00f1e1815b 100644
--- a/src/BSplCLib/BSplCLib.cxx
+++ b/src/BSplCLib/BSplCLib.cxx
@@ -583,12 +583,14 @@ BSplCLib_KnotDistribution BSplCLib::KnotForm
 Standard_Real DU0,DU1,Ui,Uj,Eps0,val;
 BSplCLib_KnotDistribution KForm = BSplCLib_Uniform;
- Standard_Integer KLower = Knots.Lower();
- const Standard_Real * pkn = &Knots(KLower);
- pkn -= KLower;
- Ui = pkn[FromK1];
+ if (FromK1 + 1 > Knots.Upper())
+ {
+ return BSplCLib_Uniform;
+ }
+
+ Ui = Knots(FromK1);
 if (Ui < 0) Ui = - Ui;
- Uj = pkn[FromK1 + 1];
+ Uj = Knots(FromK1 + 1);
 if (Uj < 0) Uj = - Uj;
 DU0 = Uj - Ui;
 if (DU0 < 0) DU0 = - DU0;
@@ -596,10 +598,10 @@ BSplCLib_KnotDistribution BSplCLib::KnotForm
 Standard_Integer i = FromK1 + 1;
 while (KForm != BSplCLib_NonUniform && i < ToK2) {
- Ui = pkn[i];
+ Ui = Knots(i);
 if (Ui < 0) Ui = - Ui;
 i++;
- Uj = pkn[i];
+ Uj = Knots(i);
 if (Uj < 0) Uj = - Uj;
 DU1 = Uj - Ui;
 if (DU1 < 0) DU1 = - DU1;
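Review bot: The new guard in KnotForm checks only `FromK1 + 1 > Knots.Upper()`, so a FromK1 below `Knots.Lower()` still reaches `Knots(FromK1)`, and ToK2 is never compared with the array bounds even though the loop in the following hunk advances `i` up to ToK2 before reading `Knots(i)`. Whether `Knots(i)` is range-checked depends on the Array1 accessor, which is not visible here; if that check is compiled out in some build configurations, these reads stay out of bounds there. Validating both ends before the first access, for example `if (FromK1 < Knots.Lower() || ToK2 > Knots.Upper() || FromK1 >= Knots.Upper())`, would cover the remaining cases, with the return value or exception for an over-long ToK2 chosen deliberately. The MultForm guard (`First + 1 > Mults.Upper()`) and its `i <= Last` loop have the same gap. KnotForm's body starts and ends outside these hunks.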
@@ -631,13 +633,15 @@ BSplCLib_MultDistribution BSplCLib::MultForm
 First = ToK2;
 Last = FromK1;
 }
- Standard_Integer MLower = Mults.Lower();
- const Standard_Integer *pmu = &Mults(MLower);
- pmu -= MLower;
- Standard_Integer FirstMult = pmu[First];
+ if (First + 1 > Mults.Upper())
+ {
+ return BSplCLib_Constant;
+ }
+
+ Standard_Integer FirstMult = Mults(First);
 BSplCLib_MultDistribution MForm = BSplCLib_Constant;
 Standard_Integer i = First + 1;
- Standard_Integer Mult = pmu[i];
+ Standard_Integer Mult = Mults(i);
 // while (MForm != BSplCLib_NonUniform && i <= Last) { ???????????JR????????
 while (MForm != BSplCLib_NonConstant && i <= Last) {
@@ -646,15 +650,15 @@ BSplCLib_MultDistribution BSplCLib::MultForm
 }
 else if (i == Last) {
 if (MForm == BSplCLib_QuasiConstant) {
- if (FirstMult != pmu[i]) MForm = BSplCLib_NonConstant;
+ if (FirstMult != Mults(i)) MForm = BSplCLib_NonConstant;
 }
 else {
- if (Mult != pmu[i]) MForm = BSplCLib_NonConstant;
+ if (Mult != Mults(i)) MForm = BSplCLib_NonConstant;
 }
 }
 else {
- if (Mult != pmu[i]) MForm = BSplCLib_NonConstant;
- Mult = pmu[i];
+ if (Mult != Mults(i)) MForm = BSplCLib_NonConstant;
+ Mult = Mults(i);
 }
 i++;
 }
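Review bot: The early return added to MultForm carries no comment explaining why a range that begins at the last multiplicity is reported as `BSplCLib_Constant`, so a caller cannot distinguish that result from a genuinely constant distribution. A one-line comment above the guard would record the intent, for example `// Degenerate range: no second multiplicity to compare with, report Constant.`. The `BSplCLib_Uniform` return added to KnotForm would benefit from the same kind of comment. MultForm's body starts and ends outside this hunk.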
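Review bot: In the final `else` branch `Mults(i)` is evaluated twice in a row, and each branch visible in this hunk evaluates it at least once. Reading the element once at the top of the loop body, `const Standard_Integer aCurMult = Mults(i);`, and comparing against that local would keep the array access in a single place now that it goes through the accessor instead of a raw pointer. The loop starts above this hunk, so its first branch is not visible here and would need to be checked for the same substitution.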