2020-08-13 04:03 EDT

View Revisions: Issue #2818

Summary 0002818: ERROR: AddressSanitizer: global-buffer-overflow in bm_is_valid() bmpman.cpp
Revision 2013-03-22 23:54 by Echelon9
Additional Information:
==ERROR: AddressSanitizer: global-buffer-overflow on address 0x000103497a18 at pc 0x100726aa3 bp 0x7fff5fbf6230 sp 0x7fff5fbf6228
READ of size 4 at 0x000103497a18 thread T0
    #0 0x100726aa2 in bm_is_valid bmpman.cpp:1098
    #1 0x10262cabe in l_Texture_isValid_f lua.cpp:3495
    #2 0x102a7e6e1 in luaD_precall ldo.c:320
    #3 0x102b6ad81 in luaV_execute lvm.c:591
    #4 0x102a8454d in luaD_call ldo.c:378
    #5 0x102a14760 in f_call lapi.c:800
    #6 0x102a786e0 in luaD_rawrunprotected ldo.c:116
    #7 0x102a87496 in luaD_pcall ldo.c:464
    #8 0x102a140c5 in lua_pcall lapi.c:821
    #9 0x1027f3a46 in script_state::RunBytecodeSub scripting.cpp:818
    #10 0x1027ebdd2 in script_state::RunBytecode scripting.cpp:859
    #11 0x1027eb908 in ConditionedHook::Run scripting.cpp:465
    #12 0x1027f4b82 in script_state::RunCondition scripting.cpp:870
    #13 0x1002be03c in game_post_level_init freespace.cpp:1409
    #14 0x1002befdc in game_start_mission freespace.cpp:1466
    #15 0x1002fc477 in game_enter_state freespace.cpp:5934
    #16 0x1008efb8e in gameseq_set_state gamesequence.cpp:280
    #17 0x1002f7162 in game_process_event freespace.cpp:5105
    #18 0x1008f13df in gameseq_process_events gamesequence.cpp:395
    #19 0x100306528 in game_main freespace.cpp:7045
    #20 0x100307b96 in SDL_main freespace.cpp:7179
    #21 0x10000335a in -[SDLMain applicationDidFinishLaunching:] SDLMain.m:300
    #22 0x7fff8ffe3ed9 in _CFXNotificationPost (in CoreFoundation) + 2553
    #23 0x7fff85fc6e25 in -[NSNotificationCenter postNotificationName:object:userInfo:] (in Foundation) + 63
    #24 0x7fff8b92855c in -[NSApplication _postDidFinishNotification] (in AppKit) + 291
    #25 0x7fff8b928295 in -[NSApplication _sendFinishLaunchingNotification] (in AppKit) + 215
    #26 0x7fff8b925481 in -[NSApplication(NSAppleEventHandling) _handleAEOpenEvent:] (in AppKit) + 565
    #27 0x7fff8b92507b in -[NSApplication(NSAppleEventHandling) _handleCoreEvent:withReplyEvent:] (in AppKit) + 350
    #28 0x7fff85fe070a in -[NSAppleEventManager dispatchRawAppleEvent:withRawReply:handlerRefCon:] (in Foundation) + 307
    #29 0x7fff85fe056c in _NSAppleEventManagerGenericHandler (in Foundation) + 105
    #30 0x7fff8e3a9077 in aeDispatchAppleEvent(AEDesc const*, AEDesc*, unsigned int, unsigned char*) (in AE) + 306
    #31 0x7fff8e3a8ed8 in dispatchEventAndSendReply(AEDesc const*, AEDesc*) (in AE) + 36
    #32 0x7fff8e3a8d98 in aeProcessAppleEvent (in AE) + 317
    #33 0x7fff88b11708 in AEProcessAppleEvent (in HIToolbox) + 99
    #34 0x7fff8b921865 in _DPSNextEvent (in AppKit) + 1455
    #35 0x7fff8b920e21 in -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] (in AppKit) + 127
    #36 0x7fff8b9181d2 in -[NSApplication run] (in AppKit) + 516
    #37 0x100005473 in CustomApplicationMain SDLMain.m:227
    #38 0x100004ef0 in main SDLMain.m:377
    #39 0x1000020c3 in start (in FS2_Open (debug)) + 51
    #40 0x0 in 0x0
0x000103497a18 is located 8 bytes to the left of global variable 'AutopilotMinAsteroidDistance' from 'fs2open/trunk/fs2_open/projects/Xcode4/../../code/autopilot/autopilot.cpp' (0x103497a20) of size 4
0x000103497a18 is located 52 bytes to the right of global variable 'AutopilotMinEnemyDistance' from 'fs2open/trunk/fs2_open/projects/Xcode4/../../code/autopilot/autopilot.cpp' (0x1034979e0) of size 4
Shadow bytes around the buggy address:
  0x100020692ef0: 04 f9 f9 f9 f9 f9 f9 f9 04 f9 f9 f9 f9 f9 f9 f9
  0x100020692f00: 04 f9 f9 f9 f9 f9 f9 f9 04 f9 f9 f9 f9 f9 f9 f9
  0x100020692f10: 01 f9 f9 f9 f9 f9 f9 f9 01 f9 f9 f9 f9 f9 f9 f9
  0x100020692f20: 00 04 f9 f9 f9 f9 f9 f9 00 04 f9 f9 f9 f9 f9 f9
  0x100020692f30: 00 00 00 00 00 00 f9 f9 f9 f9 f9 f9 04 f9 f9 f9
=>0x100020692f40: f9 f9 f9[f9]04 f9 f9 f9 f9 f9 f9 f9 04 f9 f9 f9
  0x100020692f50: f9 f9 f9 f9 00 00 00 00 00 00 00 00 00 00 00 00
  0x100020692f60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100020692f70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100020692f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100020692f90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable: 00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone: fa
  Heap righ redzone: fb
  Freed Heap region: fd
  Stack left redzone: f1
  Stack mid redzone: f2
  Stack right redzone: f3
  Stack partial redzone: f4
  Stack after return: f5
  Stack use after scope: f8
  Global redzone: f9
  Global init order: f6
  Poisoned by user: f7
  ASan internal: fe
==14313==ABORTING
Revision 2013-03-22 23:52 by Echelon9
Additional Information:
==ERROR: AddressSanitizer: global-buffer-overflow on address 0x000103497a18 at pc 0x100726aa3 bp 0x7fff5fbf6230 sp 0x7fff5fbf6228
READ of size 4 at 0x000103497a18 thread T0
    #0 0x100726aa2 in bm_is_valid bmpman.cpp:1098
    #1 0x10262cabe in l_Texture_isValid_f lua.cpp:3495
    #2 0x102a7e6e1 in luaD_precall ldo.c:320
    #3 0x102b6ad81 in luaV_execute lvm.c:591
    #4 0x102a8454d in luaD_call ldo.c:378
    #5 0x102a14760 in f_call lapi.c:800
    #6 0x102a786e0 in luaD_rawrunprotected ldo.c:116
    #7 0x102a87496 in luaD_pcall ldo.c:464
    #8 0x102a140c5 in lua_pcall lapi.c:821
    #9 0x1027f3a46 in script_state::RunBytecodeSub scripting.cpp:818
    #10 0x1027ebdd2 in script_state::RunBytecode scripting.cpp:859
    #11 0x1027eb908 in ConditionedHook::Run scripting.cpp:465
    #12 0x1027f4b82 in script_state::RunCondition scripting.cpp:870
    #13 0x1002be03c in game_post_level_init freespace.cpp:1409
    #14 0x1002befdc in game_start_mission freespace.cpp:1466
    #15 0x1002fc477 in game_enter_state freespace.cpp:5934
    #16 0x1008efb8e in gameseq_set_state gamesequence.cpp:280
    #17 0x1002f7162 in game_process_event freespace.cpp:5105
    #18 0x1008f13df in gameseq_process_events gamesequence.cpp:395
    #19 0x100306528 in game_main freespace.cpp:7045
    #20 0x100307b96 in SDL_main freespace.cpp:7179
    #21 0x10000335a in -[SDLMain applicationDidFinishLaunching:] SDLMain.m:300
    #22 0x7fff8ffe3ed9 in _CFXNotificationPost (in CoreFoundation) + 2553
    #23 0x7fff85fc6e25 in -[NSNotificationCenter postNotificationName:object:userInfo:] (in Foundation) + 63
    #24 0x7fff8b92855c in -[NSApplication _postDidFinishNotification] (in AppKit) + 291
    #25 0x7fff8b928295 in -[NSApplication _sendFinishLaunchingNotification] (in AppKit) + 215
    #26 0x7fff8b925481 in -[NSApplication(NSAppleEventHandling) _handleAEOpenEvent:] (in AppKit) + 565
    #27 0x7fff8b92507b in -[NSApplication(NSAppleEventHandling) _handleCoreEvent:withReplyEvent:] (in AppKit) + 350
    #28 0x7fff85fe070a in -[NSAppleEventManager dispatchRawAppleEvent:withRawReply:handlerRefCon:] (in Foundation) + 307
    #29 0x7fff85fe056c in _NSAppleEventManagerGenericHandler (in Foundation) + 105
    #30 0x7fff8e3a9077 in aeDispatchAppleEvent(AEDesc const*, AEDesc*, unsigned int, unsigned char*) (in AE) + 306
    #31 0x7fff8e3a8ed8 in dispatchEventAndSendReply(AEDesc const*, AEDesc*) (in AE) + 36
    #32 0x7fff8e3a8d98 in aeProcessAppleEvent (in AE) + 317
    #33 0x7fff88b11708 in AEProcessAppleEvent (in HIToolbox) + 99
    #34 0x7fff8b921865 in _DPSNextEvent (in AppKit) + 1455
    #35 0x7fff8b920e21 in -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] (in AppKit) + 127
    #36 0x7fff8b9181d2 in -[NSApplication run] (in AppKit) + 516
    #37 0x100005473 in CustomApplicationMain SDLMain.m:227
    #38 0x100004ef0 in main SDLMain.m:377
    #39 0x1000020c3 in start (in FS2_Open (debug)) + 51
    #40 0x0 in 0x0
0x000103497a18 is located 8 bytes to the left of global variable 'AutopilotMinAsteroidDistance' from '/Users/rhyskidd/Documents/Coding/fs2open/trunk/fs2_open/projects/Xcode4/../../code/autopilot/autopilot.cpp' (0x103497a20) of size 4
0x000103497a18 is located 52 bytes to the right of global variable 'AutopilotMinEnemyDistance' from '/Users/rhyskidd/Documents/Coding/fs2open/trunk/fs2_open/projects/Xcode4/../../code/autopilot/autopilot.cpp' (0x1034979e0) of size 4
Shadow bytes around the buggy address:
  0x100020692ef0: 04 f9 f9 f9 f9 f9 f9 f9 04 f9 f9 f9 f9 f9 f9 f9
  0x100020692f00: 04 f9 f9 f9 f9 f9 f9 f9 04 f9 f9 f9 f9 f9 f9 f9
  0x100020692f10: 01 f9 f9 f9 f9 f9 f9 f9 01 f9 f9 f9 f9 f9 f9 f9
  0x100020692f20: 00 04 f9 f9 f9 f9 f9 f9 00 04 f9 f9 f9 f9 f9 f9
  0x100020692f30: 00 00 00 00 00 00 f9 f9 f9 f9 f9 f9 04 f9 f9 f9
=>0x100020692f40: f9 f9 f9[f9]04 f9 f9 f9 f9 f9 f9 f9 04 f9 f9 f9
  0x100020692f50: f9 f9 f9 f9 00 00 00 00 00 00 00 00 00 00 00 00
  0x100020692f60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100020692f70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100020692f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100020692f90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable: 00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone: fa
  Heap righ redzone: fb
  Freed Heap region: fd
  Stack left redzone: f1
  Stack mid redzone: f2
  Stack right redzone: f3
  Stack partial redzone: f4
  Stack after return: f5
  Stack use after scope: f8
  Global redzone: f9
  Global init order: f6
  Poisoned by user: f7
  ASan internal: fe
==14313==ABORTING