All Projects FSSCP  wxFRED

View Issue Details

Related ChangesetsJump to NotesJump to History
IDProjectCategoryView StatusDate SubmittedLast Update
0002821FSSCPpublic2013-03-24 03:052013-04-22 11:25
ReporterEchelon9 Assigned ToEchelon9  
PrioritynormalSeveritymajorReproducibilityalways
Status resolvedResolutionfixed 
Product Version3.6.19 
Target Version3.7.0 
Summary0002821: AddressSanitizer: global-buffer-overflow in ship_get_secondary_weapon_range() ship.cpp:15206
DescriptionReported by AddressSanitizer, a memory error detector for C/C++, in FS2Open builds based on trunk r9596.

ERROR: AddressSanitizer: global-buffer-overflow on address 0x0001049ae56c at pc 0x10215645b bp 0x7fff5fbf5050 sp 0x7fff5fbf5048
READ of size 4 at 0x0001049ae56c thread T0
    #0 0x10215645a in ship_get_secondary_weapon_range ship.cpp:15206
    0000001 0x101e65127 in player_farthest_weapon_range playercontrol.cpp:1629
    0000002 0x101e9baaf in radar_plot_object radarsetup.cpp:260
    0000003 0x1020ba153 in ship_process_post ship.cpp:8222
    0000004 0x101a5943a in obj_move_all_post object.cpp:1226
    0000005 0x101a5d562 in obj_move_all object.cpp:1445
    0000006 0x1002ea0bd in game_simulation_frame freespace.cpp:3987
    0000007 0x1002eed11 in game_frame freespace.cpp:4380
    0000008 0x1002f44fb in game_do_frame freespace.cpp:4791
    0000009 0x10030005a in game_do_state freespace.cpp:6466
    0000010 0x1008f19b9 in gameseq_process_events gamesequence.cpp:405
    #11 0x1003068d8 in game_main freespace.cpp:7033
    0000012 0x100307f46 in SDL_main freespace.cpp:7167
    ...

// Return the range of the currently selected secondary weapon
// NOTE: If there is no missiles left in the current bank, range returned is 0
float ship_get_secondary_weapon_range(ship *shipp)
{
    float srange=0.0f;

    ship_weapon *swp;
    swp = &shipp->weapons;
    if ( swp->current_secondary_bank >= 0 ) {
        weapon_info *wip;
        int bank=swp->current_secondary_bank;
        wip = &Weapon_info[swp->secondary_bank_weapons[bank]];
        if ( swp->secondary_bank_ammo[bank] > 0 ) {
            srange = wip->max_speed * wip->lifetime; <=============
        }
    }

    return srange;
}
Steps To Reproduce1. Utilise a version of Clang that supports AddressSantizer (https://code.google.com/p/address-sanitizer/wiki/AddressSanitizer).
2. Build with -fsanitize=address C/C++ flag
3. Run the game with mediavps 3.6.12, progress to flight in training mission 1
Additional InformationERROR: AddressSanitizer: global-buffer-overflow on address 0x0001049ae56c at pc 0x10215645b bp 0x7fff5fbf5050 sp 0x7fff5fbf5048
READ of size 4 at 0x0001049ae56c thread T0
    #0 0x10215645a in ship_get_secondary_weapon_range ship.cpp:15206
    0000001 0x101e65127 in player_farthest_weapon_range playercontrol.cpp:1629
    0000002 0x101e9baaf in radar_plot_object radarsetup.cpp:260
    0000003 0x1020ba153 in ship_process_post ship.cpp:8222
    0000004 0x101a5943a in obj_move_all_post object.cpp:1226
    0000005 0x101a5d562 in obj_move_all object.cpp:1445
    0000006 0x1002ea0bd in game_simulation_frame freespace.cpp:3987
    0000007 0x1002eed11 in game_frame freespace.cpp:4380
    0000008 0x1002f44fb in game_do_frame freespace.cpp:4791
    0000009 0x10030005a in game_do_state freespace.cpp:6466
    0000010 0x1008f19b9 in gameseq_process_events gamesequence.cpp:405
    #11 0x1003068d8 in game_main freespace.cpp:7033
    0000012 0x100307f46 in SDL_main freespace.cpp:7167
    0000013 0x10000338a in -[SDLMain applicationDidFinishLaunching:] SDLMain.m:300
    0000014 0x7fff8ffe3ed9 in _CFXNotificationPost (in CoreFoundation) + 2553
    0000015 0x7fff85fc6e25 in -[NSNotificationCenter postNotificationName:object:userInfo:] (in Foundation) + 63
    0000016 0x7fff8b92855c in -[NSApplication _postDidFinishNotification] (in AppKit) + 291
    0000017 0x7fff8b928295 in -[NSApplication _sendFinishLaunchingNotification] (in AppKit) + 215
    0000018 0x7fff8b925481 in -[NSApplication(NSAppleEventHandling) _handleAEOpenEvent:] (in AppKit) + 565
    0000019 0x7fff8b92507b in -[NSApplication(NSAppleEventHandling) _handleCoreEvent:withReplyEvent:] (in AppKit) + 350
    0000020 0x7fff85fe070a in -[NSAppleEventManager dispatchRawAppleEvent:withRawReply:handlerRefCon:] (in Foundation) + 307
    0000021 0x7fff85fe056c in _NSAppleEventManagerGenericHandler (in Foundation) + 105
    0000022 0x7fff8e3a9077 in aeDispatchAppleEvent(AEDesc const*, AEDesc*, unsigned int, unsigned char*) (in AE) + 306
    0000023 0x7fff8e3a8ed8 in dispatchEventAndSendReply(AEDesc const*, AEDesc*) (in AE) + 36
    0000024 0x7fff8e3a8d98 in aeProcessAppleEvent (in AE) + 317
    0000025 0x7fff88b11708 in AEProcessAppleEvent (in HIToolbox) + 99
    0000026 0x7fff8b921865 in _DPSNextEvent (in AppKit) + 1455
    0000027 0x7fff8b920e21 in -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] (in AppKit) + 127
    0000028 0x7fff8b9181d2 in -[NSApplication run] (in AppKit) + 516
    0000029 0x1000054a3 in CustomApplicationMain SDLMain.m:227
    0000030 0x100004f20 in main SDLMain.m:377
    0000031 0x1000020f3 in start (in FS2_Open (debug)) + 51
    0000032 0x0 in 0x0
0x0001049ae56c is located 258764 bytes to the right of global variable 'Weapons' from 'fs2open/trunk/fs2_open/projects/Xcode4/../../code/weapon/weapons.cpp' (0x1048270a0) of size 1344000
Shadow bytes around the buggy address:
  0x100020935c50: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
  0x100020935c60: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
  0x100020935c70: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
  0x100020935c80: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
  0x100020935c90: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
=>0x100020935ca0: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9[f9]f9 f9
  0x100020935cb0: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
  0x100020935cc0: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
  0x100020935cd0: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
  0x100020935ce0: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
  0x100020935cf0: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable: 00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone: fa
  Heap righ redzone: fb
  Freed Heap region: fd
  Stack left redzone: f1
  Stack mid redzone: f2
  Stack right redzone: f3
  Stack partial redzone: f4
  Stack after return: f5
  Stack use after scope: f8
  Global redzone: f9
  Global init order: f6
  Poisoned by user: f7
  ASan internal: fe
==43723==ABORTING
TagsNo tags attached.

Relationships

related to 0002834 resolvedEchelon9 AddressSanitizer: global-buffer-overflow in get_max_ammo_count_for_bank() ship.cpp:15249 

Activities

Echelon9

2013-04-15 14:21

developer  

fix-for-mantis-2821-ship_get_secondary_weapon_range.patch (1,259 bytes)    
Index: code/ship/ship.cpp
===================================================================
--- code/ship/ship.cpp	(revision 9630)
+++ code/ship/ship.cpp	(working copy)
@@ -15200,8 +15200,13 @@
 	// don't log that the cargo was hidden and don't reset the time cargo revealed
 }
 
-// Return the range of the currently selected secondary weapon
-// NOTE: If there is no missiles left in the current bank, range returned is 0
+/**
+ * Return the range of the currently selected secondary weapon
+ *
+ * NOTE: If there is no missiles left in the current bank, range returned is 0
+ *
+ * @param shipp Pointer to ship from which currently selected secondary weapon will be ranged
+ */
 float ship_get_secondary_weapon_range(ship *shipp)
 {
 	float srange=0.0f;
@@ -15211,9 +15216,11 @@
 	if ( swp->current_secondary_bank >= 0 ) {
 		weapon_info	*wip;
 		int bank=swp->current_secondary_bank;
-		wip = &Weapon_info[swp->secondary_bank_weapons[bank]];
-		if ( swp->secondary_bank_ammo[bank] > 0 ) {
-			srange = wip->max_speed * wip->lifetime;
+		if (swp->secondary_bank_weapons[bank] >= 0) {
+			wip = &Weapon_info[swp->secondary_bank_weapons[bank]];
+			if ( swp->secondary_bank_ammo[bank] > 0 ) {
+				srange = wip->max_speed * wip->lifetime;
+			}
 		}
 	}
fix-for-mantis-2821-ship_get_secondary_weapon_range.patch (1,259 bytes)   

Echelon9

2013-04-15 14:22

developer   ~0014927

Patch attached. Ready for code review.

niffiwan

2013-04-22 06:13

developer   ~0014948

looks good to me

Echelon9

2013-04-22 11:25

developer   ~0014952

Fix committed to trunk@9646.

Related Changesets

fs2open: trunk r9646

2013-04-22 08:16

Echelon9


Ported: N/A

Details Diff		 Fix for Mantis 2821: AddressSanitizer: global-buffer-overflow in ship_get_secondary_weapon_range() Affected Issues
0002821
mod - /trunk/fs2_open/code/ship/ship.cpp Diff File

Issue History

Date Modified Username Field Change
2013-03-24 03:05 Echelon9 New Issue
2013-03-26 11:22 Echelon9 Summary ERROR: AddressSanitizer: global-buffer-overflow in ship_get_secondary_weapon_range() ship.cpp:15206 => AddressSanitizer: global-buffer-overflow in ship_get_secondary_weapon_range() ship.cpp:15206
2013-03-26 11:22 Echelon9 Steps to Reproduce Updated
2013-04-03 12:15 Echelon9 Relationship added related to 0002834
2013-04-13 12:48 Echelon9 Assigned To => Echelon9
2013-04-13 12:48 Echelon9 Status new => assigned
2013-04-15 14:21 Echelon9 File Added: fix-for-mantis-2821-ship_get_secondary_weapon_range.patch
2013-04-15 14:22 Echelon9 Note Added: 0014927
2013-04-15 14:22 Echelon9 Assigned To Echelon9 => chief1983
2013-04-15 14:22 Echelon9 Status assigned => code review
2013-04-22 06:13 niffiwan Note Added: 0014948
2013-04-22 11:24 Echelon9 Assigned To chief1983 => Echelon9
2013-04-22 11:24 Echelon9 Status code review => assigned
2013-04-22 11:25 Echelon9 Changeset attached => fs2open trunk r9646
2013-04-22 11:25 Echelon9 Note Added: 0014952
2013-04-22 11:25 Echelon9 Status assigned => resolved
2013-04-22 11:25 Echelon9 Resolution open => fixed