View Issue Details

ID: 0002953
Project: FSSCP
View Status: public
Last Update: 2021-01-10 01:40
Reporter: Echelon9
Assigned To: (unassigned)
Priority: normal
Severity: minor
Reproducibility: always
Status: closed
Resolution: suspended
Product Version: 3.7.1
Summary: 0002953: AddressSanitizer: stack-buffer-overflow in ade_set_args()
Description

Reported by AddressSanitizer, a memory error detector for C/C++, in FS2Open builds based on trunk r10041.

ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fff5fbfd320 at pc 0x1028940c0 bp 0x7fff5fbfcb10 sp 0x7fff5fbfcb08
READ of size 4 at 0x7fff5fbfd320 thread T0
    #0 0x1028940bf in ade_set_args lua.cpp:15069
    #1 0x1028971e6 in script_state::CreateLuaState lua.cpp:14631
    #2 0x10292a63b in script_init scripting.cpp:187
    #3 0x10014a1c6 in game_init freespace.cpp:1853
    #4 0x10018b11b in game_main freespace.cpp:6995
    #5 0x10018cdc6 in SDL_main freespace.cpp:7186
    ...


int ade_set_args(lua_State *L, char *fmt, ...)
{
    //Start throught
    va_list vl;
    int nargs;
    int setargs; //args actually set

    va_start(vl, fmt);
    nargs = 0;
    setargs = 0;
    while(*fmt != '\0')
    {
        switch(*fmt++)
        {
            ...
            case 'o':
                {
                    //WMC - char must be 1 byte, foo.
                    Assert(sizeof(char)==1);
                    //WMC - step by step
                    //Copy over objectdata
                    ade_odata od = (ade_odata) va_arg(vl, ade_odata);

                    //Create new LUA object and get handle
                    char *newod = (char*)lua_newuserdata(L, od.size + sizeof(ODATA_SIG_TYPE));
                    //Create or get object metatable
                    luaL_getmetatable(L, Ade_table_entries[od.idx].Name);
                    //Set the metatable for the object
                    lua_setmetatable(L, -2);

                    //Copy the actual object data to the Lua object
                    memcpy(newod, od.buf, od.size);

                    //Also copy in the unique sig
                    if(od.sig != NULL)
                        memcpy(newod + od.size, od.sig, sizeof(ODATA_SIG_TYPE)); <================
                    else
                    {
                        ODATA_SIG_TYPE tempsig = ODATA_SIG_DEFAULT;
                        memcpy(newod + od.size, &tempsig, sizeof(ODATA_SIG_TYPE));
                    }
                    break;
Steps To Reproduce

1. Utilise a version of Clang that supports AddressSanitizer (https://code.google.com/p/address-sanitizer/wiki/AddressSanitizer).
2. Build with the -fsanitize=address C/C++ flag.
3. Run the game with mediavps 3.6.12; the error is reported during startup.
Additional Information

ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fff5fbfd320 at pc 0x1028940c0 bp 0x7fff5fbfcb10 sp 0x7fff5fbfcb08
READ of size 4 at 0x7fff5fbfd320 thread T0
    #0 0x1028940bf in ade_set_args lua.cpp:15069
    #1 0x1028971e6 in script_state::CreateLuaState lua.cpp:14631
    #2 0x10292a63b in script_init scripting.cpp:187
    #3 0x10014a1c6 in game_init freespace.cpp:1853
    #4 0x10018b11b in game_main freespace.cpp:6995
    #5 0x10018cdc6 in SDL_main freespace.cpp:7186
    #6 0x100003401 in -[SDLMain applicationDidFinishLaunching:] SDLMain.m:300
    #7 0x7fff8fb26fcb in __CFNOTIFICATIONCENTER_IS_CALLING_OUT_TO_AN_OBSERVER__ (in CoreFoundation) + 11
    #8 0x7fff8fa1ac5c in _CFXNotificationPost (in CoreFoundation) + 2892
    #9 0x7fff8b4ea4a9 in -[NSNotificationCenter postNotificationName:object:userInfo:] (in Foundation) + 67
    #10 0x7fff8e920b78 in -[NSApplication _postDidFinishNotification] (in AppKit) + 288
    #11 0x7fff8e9208ab in -[NSApplication _sendFinishLaunchingNotification] (in AppKit) + 194
    #12 0x7fff8e91d795 in -[NSApplication(NSAppleEventHandling) _handleAEOpenEvent:] (in AppKit) + 569
    #13 0x7fff8e91d1ea in -[NSApplication(NSAppleEventHandling) _handleCoreEvent:withReplyEvent:] (in AppKit) + 241
    #14 0x7fff8b508ea9 in -[NSAppleEventManager dispatchRawAppleEvent:withRawReply:handlerRefCon:] (in Foundation) + 293
    #15 0x7fff8b508d1c in _NSAppleEventManagerGenericHandler (in Foundation) + 105
    #16 0x7fff8f743e1e in aeDispatchAppleEvent(AEDesc const*, AEDesc*, unsigned int, unsigned char*) (in AE) + 380
    #17 0x7fff8f743c31 in dispatchEventAndSendReply(AEDesc const*, AEDesc*) (in AE) + 30
    #18 0x7fff8f743b35 in aeProcessAppleEvent (in AE) + 314
    #19 0x7fff8c32c5f0 in AEProcessAppleEvent (in HIToolbox) + 55
    #20 0x7fff8e9190f5 in _DPSNextEvent (in AppKit) + 1025
    #21 0x7fff8e9188da in -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] (in AppKit) + 121
    #22 0x7fff8e90c9cb in -[NSApplication run] (in AppKit) + 552
    #23 0x1000054f1 in CustomApplicationMain SDLMain.m:227
    #24 0x100004fca in main SDLMain.m:377
    #25 0x100001f93 in start (in FS2_Open (debug)) + 51
    #26 0x0 in 0x0

Address 0x7fff5fbfd320 is located in stack of thread T0 at offset 576 in frame
    #0 0x102891f0f in ade_set_args lua.cpp:15011

  This frame has 9 object(s):
    [32, 40) 'L.addr'
    [96, 104) 'fmt.addr'
    [160, 184) 'vl'
    [224, 228) 'nargs'
    [288, 292) 'setargs'
    [352, 360) 's'
    [416, 448) 'od'
    [480, 488) 'newod'
    [544, 548) 'tempsig' <== Memory access at offset 576 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow ??:0 ??
Shadow bytes around the buggy address:
  0x1fffebf7fa10: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1
  0x1fffebf7fa20: 00 f4 f4 f4 f2 f2 f2 f2 00 f4 f4 f4 f2 f2 f2 f2
  0x1fffebf7fa30: 00 00 00 f4 f2 f2 f2 f2 04 f4 f4 f4 f2 f2 f2 f2
  0x1fffebf7fa40: 04 f4 f4 f4 f2 f2 f2 f2 00 f4 f4 f4 f2 f2 f2 f2
  0x1fffebf7fa50: 00 00 00 00 f2 f2 f2 f2 00 f4 f4 f4 f2 f2 f2 f2
=>0x1fffebf7fa60: 04 f4 f4 f4[f3]f3 f3 f3 00 00 00 00 00 00 00 00
  0x1fffebf7fa70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1fffebf7fa80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1fffebf7fa90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1fffebf7faa0: f1 f1 f1 f1 04 f4 f4 f4 f2 f2 f2 f2 00 f4 f4 f4
  0x1fffebf7fab0: f2 f2 f2 f2 00 f4 f4 f4 f2 f2 f2 f2 04 f4 f4 f4
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable: 00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone: fa
  Heap right redzone: fb
  Freed heap region: fd
  Stack left redzone: f1
  Stack mid redzone: f2
  Stack right redzone: f3
  Stack partial redzone: f4
  Stack after return: f5
  Stack use after scope: f8
  Global redzone: f9
  Global init order: f6
  Poisoned by user: f7
  ASan internal: fe
==82223==ABORTING
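As an added triage aid (not part of the original report or of the FS2Open code), the script below parses the frame-object table that AddressSanitizer prints and places the faulting access relative to the listed locals, so a reviewer can tell a one-past-the-end copy from an access that merely lands near a named variable. Its input is the excerpt of the report above (with the tracker's word substitutions in the object names undone); the function names, the regular expressions and the verdict labels are this example's own choices, based on the ASan report format.

```python
import re
from dataclasses import dataclass

# Excerpt of the AddressSanitizer report from this issue (taken from the
# report above, not constructed): the faulting access and the frame layout.
ASAN_EXCERPT = """\
READ of size 4 at 0x7fff5fbfd320 thread T0
Address 0x7fff5fbfd320 is located in stack of thread T0 at offset 576 in frame
    #0 0x102891f0f in ade_set_args lua.cpp:15011

  This frame has 9 object(s):
    [32, 40) 'L.addr'
    [96, 104) 'fmt.addr'
    [160, 184) 'vl'
    [224, 228) 'nargs'
    [288, 292) 'setargs'
    [352, 360) 's'
    [416, 448) 'od'
    [480, 488) 'newod'
    [544, 548) 'tempsig'
"""


@dataclass
class FrameObject:
    start: int   # byte offset within the frame, inclusive
    end: int     # byte offset within the frame, exclusive
    name: str


# Regexes follow the wording ASan uses in stack-buffer-overflow reports.
ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+) at 0x[0-9a-f]+", re.M)
OFFSET_RE = re.compile(r"at offset (\d+) in frame")
FRAME_RE = re.compile(r"in frame\s*\n\s*#0 0x[0-9a-f]+ in (\S+)")
OBJECT_RE = re.compile(r"^\s*\[(\d+), (\d+)\) '([^']+)'", re.M)


def parse_report(text):
    """Return (kind, size, frame_offset, function, objects) from an ASan stack report."""
    access = ACCESS_RE.search(text)
    if not access:
        raise ValueError("no READ/WRITE line in report")
    offset = OFFSET_RE.search(text)
    frame = FRAME_RE.search(text)
    if not offset or not frame:
        raise ValueError("no frame offset / frame function in report")
    objects = [FrameObject(int(a), int(b), n) for a, b, n in OBJECT_RE.findall(text)]
    objects.sort(key=lambda o: o.start)
    return access.group(1), int(access.group(2)), int(offset.group(1)), frame.group(1), objects


def classify_access(offset, size, objects):
    """Place [offset, offset+size) relative to the frame's objects.

    Verdicts:
      inside       - fully within one object (ASan would not have reported it)
      straddles    - starts inside an object and runs past its end
      past_end     - lies beyond an object, in the redzone before the next one
                     (or after the last one)
      before_first - lies below the first object
    'gap' is the distance in bytes from the nearest object's boundary.
    """
    lo, hi = offset, offset + size
    for o in objects:
        if o.start <= lo < o.end:
            if hi <= o.end:
                return {"verdict": "inside", "object": o.name, "gap": 0}
            return {"verdict": "straddles", "object": o.name, "gap": hi - o.end}
    below = [o for o in objects if o.end <= lo]
    if not below:
        first = objects[0]
        return {"verdict": "before_first", "object": first.name, "gap": first.start - hi}
    nearest = below[-1]
    return {"verdict": "past_end", "object": nearest.name, "gap": lo - nearest.end}


def triage(text=ASAN_EXCERPT):
    """Parse a report and return the access classification plus its context."""
    kind, size, offset, function, objects = parse_report(text)
    result = classify_access(offset, size, objects)
    result.update(kind=kind, size=size, offset=offset, function=function)
    return result


if __name__ == "__main__":
    r = triage()
    print(f"{r['kind']} of {r['size']} bytes at frame offset {r['offset']} in "
          f"{r['function']}: {r['verdict']} '{r['object']}' (gap {r['gap']} bytes)")
```

On this report the verdict is past_end of 'tempsig' by 28 bytes: the 4-byte read begins 28 bytes beyond the last local in the frame, in the stack right redzone that the [f3] shadow byte marks. Read together with the arrow in the Description, which points at the od.sig branch of the copy, this says the source pointer being dereferenced is od.sig and that it points into ade_set_args's own frame past every live local; tempsig is only the nearest object, and a 4-byte copy out of tempsig itself would stay inside [544, 548) and never trip the sanitizer. That distinction is what decides whether to look at the size arithmetic of the copy or at where the sig pointer was set.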
Tags: No tags attached.

Activities

MjnMixael

2021-01-10 01:40

manager   ~0017097

Migrated to GitHub.

Issue History

Date Modified Username Field Change
2013-11-16 04:59 Echelon9 New Issue
2013-11-20 08:32 Echelon9 Assigned To => Echelon9
2013-11-20 08:32 Echelon9 Status new => assigned
2015-04-16 04:24 Goober5000 Target Version 3.7.2 =>
2021-01-10 01:40 MjnMixael Assigned To Echelon9 =>
2021-01-10 01:40 MjnMixael Status assigned => closed
2021-01-10 01:40 MjnMixael Resolution open => suspended
2021-01-10 01:40 MjnMixael Note Added: 0017097