vtkCellLinks::BuildLinks can overflow and lead to heap corruption.
vtkCellLinks::BuildLinks uses an unsigned short array (linkLoc) to count references to a single point. This can overflow without warning in the case of 'strange' (but entirely valid) vtkPolyData. An example would be a hub / spoke geometry with many lines connected to one point. If there are more than 65535 cells connected to the one point,
- the initial counts overflow unsigned short
- the subsequent allocation is too small
- the cells array overflows.
Fix suggestions, either:
- Promote the array (and the Link.ncells member and associated return values) to a larger unsigned type (or vtkIdType?).
- Detect the overflow when the counts are created and bail out.
Maybe this is related to Bug #17247 (closed).
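The wrap and the two suggested fixes, shown on a simplified model of the counting pass. This is an added example, not VTK source: `Cell`, `hubAndSpoke`, `narrowCount` and `checkedCounts` are hypothetical names, and the hub / spoke input is constructed.

```cpp
#include <cstddef>
#include <cstdint>
#include <limits>
#include <vector>

// Simplified model of the counting pass, not VTK source. A cell is a list of point ids.
using Cell = std::vector<std::size_t>;

// Constructed input: nSpokes two-point lines that all share point 0 (the hub).
std::vector<Cell> hubAndSpoke(std::size_t nSpokes) {
    std::vector<Cell> cells;
    cells.reserve(nSpokes);
    for (std::size_t i = 0; i < nSpokes; ++i) cells.push_back({0, i + 1});
    return cells;
}

// Pattern from the report: references to one point counted in a 16-bit counter.
// The result is what a later allocation would be sized from.
std::uint16_t narrowCount(const std::vector<Cell>& cells, std::size_t point) {
    std::uint16_t n = 0;
    for (const Cell& c : cells)
        for (std::size_t p : c)
            if (p == point) ++n;  // wraps to 0 after 65535, no diagnostic
    return n;
}

// Second suggestion: detect the overflow while counting and bail out.
// Instantiating with a wider CountT models the first suggestion.
template <typename CountT>
bool checkedCounts(const std::vector<Cell>& cells, std::size_t numPoints,
                   std::vector<CountT>& counts) {
    counts.assign(numPoints, 0);
    for (const Cell& c : cells)
        for (std::size_t p : c) {
            if (p >= numPoints) return false;  // point id out of range
            if (counts[p] == std::numeric_limits<CountT>::max()) return false;  // would wrap
            ++counts[p];
        }
    return true;
}

int main() {
    const auto cells = hubAndSpoke(65536 + 4);  // 65540 cells touch point 0
    std::vector<std::uint16_t> narrow;
    const bool wrapped = narrowCount(cells, 0) == 4;
    const bool caught = !checkedCounts(cells, cells.size() + 1, narrow);
    return (wrapped && caught) ? 0 : 1;
}
```

With 65540 cells on the hub, the 16-bit count reads 4, so storage sized from it would hold 4 entries while the fill pass writes 65540.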