View Issue Details
Field | Value |
---|---|
ID | 0002821 |
Project | FSSCP |
Category | |
View Status | public |
Date Submitted | 2013-03-24 03:05 |
Last Update | 2013-04-22 11:25 |
Reporter | Echelon9 |
Assigned To | Echelon9 |
Priority | normal |
Severity | major |
Reproducibility | always |
Status | resolved |
Resolution | fixed |
Product Version | 3.6.19 |
Target Version | 3.7.0 |
Summary | 0002821: AddressSanitizer: global-buffer-overflow in ship_get_secondary_weapon_range() ship.cpp:15206 |
Description:

Reported by AddressSanitizer, a memory error detector for C/C++, in FS2Open builds based on trunk r9596.

```
ERROR: AddressSanitizer: global-buffer-overflow on address 0x0001049ae56c at pc 0x10215645b bp 0x7fff5fbf5050 sp 0x7fff5fbf5048
READ of size 4 at 0x0001049ae56c thread T0
    #0 0x10215645a in ship_get_secondary_weapon_range ship.cpp:15206
    #1 0x101e65127 in player_farthest_weapon_range playercontrol.cpp:1629
    #2 0x101e9baaf in radar_plot_object radarsetup.cpp:260
    #3 0x1020ba153 in ship_process_post ship.cpp:8222
    #4 0x101a5943a in obj_move_all_post object.cpp:1226
    #5 0x101a5d562 in obj_move_all object.cpp:1445
    #6 0x1002ea0bd in game_simulation_frame freespace.cpp:3987
    #7 0x1002eed11 in game_frame freespace.cpp:4380
    #8 0x1002f44fb in game_do_frame freespace.cpp:4791
    #9 0x10030005a in game_do_state freespace.cpp:6466
    #10 0x1008f19b9 in gameseq_process_events gamesequence.cpp:405
    #11 0x1003068d8 in game_main freespace.cpp:7033
    #12 0x100307f46 in SDL_main freespace.cpp:7167
    ...
```

```cpp
// Return the range of the currently selected secondary weapon
// NOTE: If there is no missiles left in the current bank, range returned is 0
float ship_get_secondary_weapon_range(ship *shipp)
{
	float srange=0.0f;
	ship_weapon *swp;

	swp = &shipp->weapons;
	if ( swp->current_secondary_bank >= 0 ) {
		weapon_info *wip;
		int bank=swp->current_secondary_bank;
		wip = &Weapon_info[swp->secondary_bank_weapons[bank]];
		if ( swp->secondary_bank_ammo[bank] > 0 ) {
			srange = wip->max_speed * wip->lifetime;   // <============= ship.cpp:15206
		}
	}
	return srange;
}
```
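To make the failure concrete, here is an added stand-alone C model of the function before and after a guard; it is not the project's code, and the struct layouts, the MAX_* constants, Num_weapon_types and the sample weapon table are assumed. Built with -fsanitize=address, main() reproduces a global-buffer-overflow report for an empty bank through the unguarded version, while the guarded version also bounds the weapon index above and validates the bank index, one step beyond the attached patch.

```c
#include <stdio.h>
/* Assumed stand-ins for the engine's types and tables; not the real FS2Open definitions. */
#define MAX_WEAPON_TYPES 4
#define MAX_SHIP_SECONDARY_BANKS 3
typedef struct { float max_speed; float lifetime; } weapon_info;
typedef struct {
    int current_secondary_bank;
    int secondary_bank_weapons[MAX_SHIP_SECONDARY_BANKS]; /* -1: the bank holds no weapon */
    int secondary_bank_ammo[MAX_SHIP_SECONDARY_BANKS];
} ship_weapon;
/* Global table like Weapon_info; ASan places redzones around globals, so index -1 is flagged. */
weapon_info Weapon_info[MAX_WEAPON_TYPES] = {{100.0f, 2.0f}, {250.0f, 4.0f}, {400.0f, 1.5f}, {50.0f, 10.0f}};
int Num_weapon_types = 3; /* constructed: only three of the four slots hold loaded weapons */
/* Pre-patch logic: the weapon index is used before anyone validates it. */
float range_unguarded(ship_weapon *swp) {
    float srange = 0.0f;
    if (swp->current_secondary_bank >= 0) {
        int bank = swp->current_secondary_bank;
        weapon_info *wip = &Weapon_info[swp->secondary_bank_weapons[bank]]; /* -1 lands before the table */
        if (swp->secondary_bank_ammo[bank] > 0)
            srange = wip->max_speed * wip->lifetime; /* the 4-byte READ in the ASan report */
    }
    return srange;
}
/* Hardened form: bank and weapon index are checked below and above before the table is touched. */
float range_guarded(ship_weapon *swp) {
    int bank = swp->current_secondary_bank;
    if (bank < 0 || bank >= MAX_SHIP_SECONDARY_BANKS) return 0.0f;
    int widx = swp->secondary_bank_weapons[bank];
    if (widx < 0 || widx >= Num_weapon_types) return 0.0f; /* empty or invalid bank: range 0 */
    if (swp->secondary_bank_ammo[bank] <= 0) return 0.0f;  /* selected bank is out of missiles */
    return Weapon_info[widx].max_speed * Weapon_info[widx].lifetime;
}
/* Builds one constructed bank configuration and returns the guarded range for it. */
float guarded_range_for(int bank, int weapon_index, int ammo) {
    ship_weapon w = { bank, {0}, {0} };
    if (bank >= 0 && bank < MAX_SHIP_SECONDARY_BANKS) {
        w.secondary_bank_weapons[bank] = weapon_index;
        w.secondary_bank_ammo[bank] = ammo;
    }
    return range_guarded(&w);
}

int main(void) {
    ship_weapon w = { 1, {0, -1, 0}, {0, 5, 0} }; /* constructed: bank 1 selected but empty */
    printf("guarded: %.1f\n", range_guarded(&w));     /* prints 0.0 */
    printf("unguarded: %.1f\n", range_unguarded(&w)); /* with -fsanitize=address: global-buffer-overflow */
    return 0;
}
```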
Steps To Reproduce:

1. Utilise a version of Clang that supports AddressSanitizer (https://code.google.com/p/address-sanitizer/wiki/AddressSanitizer).
2. Build with the -fsanitize=address C/C++ flag.
3. Run the game with mediavps 3.6.12, progress to flight in training mission 1.
Additional Information:

```
ERROR: AddressSanitizer: global-buffer-overflow on address 0x0001049ae56c at pc 0x10215645b bp 0x7fff5fbf5050 sp 0x7fff5fbf5048
READ of size 4 at 0x0001049ae56c thread T0
    #0 0x10215645a in ship_get_secondary_weapon_range ship.cpp:15206
    #1 0x101e65127 in player_farthest_weapon_range playercontrol.cpp:1629
    #2 0x101e9baaf in radar_plot_object radarsetup.cpp:260
    #3 0x1020ba153 in ship_process_post ship.cpp:8222
    #4 0x101a5943a in obj_move_all_post object.cpp:1226
    #5 0x101a5d562 in obj_move_all object.cpp:1445
    #6 0x1002ea0bd in game_simulation_frame freespace.cpp:3987
    #7 0x1002eed11 in game_frame freespace.cpp:4380
    #8 0x1002f44fb in game_do_frame freespace.cpp:4791
    #9 0x10030005a in game_do_state freespace.cpp:6466
    #10 0x1008f19b9 in gameseq_process_events gamesequence.cpp:405
    #11 0x1003068d8 in game_main freespace.cpp:7033
    #12 0x100307f46 in SDL_main freespace.cpp:7167
    #13 0x10000338a in -[SDLMain applicationDidFinishLaunching:] SDLMain.m:300
    #14 0x7fff8ffe3ed9 in _CFXNotificationPost (in CoreFoundation) + 2553
    #15 0x7fff85fc6e25 in -[NSNotificationCenter postNotificationName:object:userInfo:] (in Foundation) + 63
    #16 0x7fff8b92855c in -[NSApplication _postDidFinishNotification] (in AppKit) + 291
    #17 0x7fff8b928295 in -[NSApplication _sendFinishLaunchingNotification] (in AppKit) + 215
    #18 0x7fff8b925481 in -[NSApplication(NSAppleEventHandling) _handleAEOpenEvent:] (in AppKit) + 565
    #19 0x7fff8b92507b in -[NSApplication(NSAppleEventHandling) _handleCoreEvent:withReplyEvent:] (in AppKit) + 350
    #20 0x7fff85fe070a in -[NSAppleEventManager dispatchRawAppleEvent:withRawReply:handlerRefCon:] (in Foundation) + 307
    #21 0x7fff85fe056c in _NSAppleEventManagerGenericHandler (in Foundation) + 105
    #22 0x7fff8e3a9077 in aeDispatchAppleEvent(AEDesc const*, AEDesc*, unsigned int, unsigned char*) (in AE) + 306
    #23 0x7fff8e3a8ed8 in dispatchEventAndSendReply(AEDesc const*, AEDesc*) (in AE) + 36
    #24 0x7fff8e3a8d98 in aeProcessAppleEvent (in AE) + 317
    #25 0x7fff88b11708 in AEProcessAppleEvent (in HIToolbox) + 99
    #26 0x7fff8b921865 in _DPSNextEvent (in AppKit) + 1455
    #27 0x7fff8b920e21 in -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] (in AppKit) + 127
    #28 0x7fff8b9181d2 in -[NSApplication run] (in AppKit) + 516
    #29 0x1000054a3 in CustomApplicationMain SDLMain.m:227
    #30 0x100004f20 in main SDLMain.m:377
    #31 0x1000020f3 in start (in FS2_Open (debug)) + 51
    #32 0x0 in 0x0
0x0001049ae56c is located 258764 bytes to the right of global variable 'Weapons' from 'fs2open/trunk/fs2_open/projects/Xcode4/../../code/weapon/weapons.cpp' (0x1048270a0) of size 1344000
Shadow bytes around the buggy address:
  0x100020935c50: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
  0x100020935c60: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
  0x100020935c70: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
  0x100020935c80: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
  0x100020935c90: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
=>0x100020935ca0: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9[f9]f9 f9
  0x100020935cb0: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
  0x100020935cc0: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
  0x100020935cd0: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
  0x100020935ce0: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
  0x100020935cf0: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:     fa
  Heap righ redzone:     fb
  Freed Heap region:     fd
  Stack left redzone:    f1
  Stack mid redzone:     f2
  Stack right redzone:   f3
  Stack partial redzone: f4
  Stack after return:    f5
  Stack use after scope: f8
  Global redzone:        f9
  Global init order:     f6
  Poisoned by user:      f7
  ASan internal:         fe
==43723==ABORTING
```
Tags: No tags attached.

Attachment: fix-for-mantis-2821-ship_get_secondary_weapon_range.patch (1,259 bytes)
Index: code/ship/ship.cpp =================================================================== --- code/ship/ship.cpp (revision 9630) +++ code/ship/ship.cpp (working copy) @@ -15200,8 +15200,13 @@ // don't log that the cargo was hidden and don't reset the time cargo revealed } -// Return the range of the currently selected secondary weapon -// NOTE: If there is no missiles left in the current bank, range returned is 0 +/** + * Return the range of the currently selected secondary weapon + * + * NOTE: If there is no missiles left in the current bank, range returned is 0 + * + * @param shipp Pointer to ship from which currently selected secondary weapon will be ranged + */ float ship_get_secondary_weapon_range(ship *shipp) { float srange=0.0f; @@ -15211,9 +15216,11 @@ if ( swp->current_secondary_bank >= 0 ) { weapon_info *wip; int bank=swp->current_secondary_bank; - wip = &Weapon_info[swp->secondary_bank_weapons[bank]]; - if ( swp->secondary_bank_ammo[bank] > 0 ) { - srange = wip->max_speed * wip->lifetime; + if (swp->secondary_bank_weapons[bank] >= 0) { + wip = &Weapon_info[swp->secondary_bank_weapons[bank]]; + if ( swp->secondary_bank_ammo[bank] > 0 ) { + srange = wip->max_speed * wip->lifetime; + } } } |
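Review bot: in the first hunk the new Doxygen block carries the old NOTE over verbatim, grammar included ("If there is no missiles left"); since the comment is being rewritten anyway it should read "If there are no missiles left in the current bank, the returned range is 0", and a `@return` line stating that contract would complete the block next to the new `@param shipp`.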
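Review bot: in the second hunk the new guard `if (swp->secondary_bank_weapons[bank] >= 0)` only rejects the negative index of an empty bank, which is the case ASan caught (the read landed in a global redzone well outside the table); it does not bound the index above, so a weapon index at or past the end of Weapon_info would still be dereferenced. Check the upper bound against the number of loaded weapon types as well, and consider doing the same for `bank`, which is only tested with `>= 0` and never against the number of secondary banks. An empty bank quietly becoming range 0 is the documented contract, but an out-of-range index is table corruption and deserves an assertion in debug builds rather than the same silent 0.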

Patch attached. Ready for code review.

looks good to me

Fix committed to trunk@9646.

Date Modified | Username | Field | Change |
---|---|---|---|
2013-03-24 03:05 | Echelon9 | New Issue | |
2013-03-26 11:22 | Echelon9 | Summary | ERROR: AddressSanitizer: global-buffer-overflow in ship_get_secondary_weapon_range() ship.cpp:15206 => AddressSanitizer: global-buffer-overflow in ship_get_secondary_weapon_range() ship.cpp:15206 |
2013-03-26 11:22 | Echelon9 | Steps to Reproduce Updated | |
2013-04-03 12:15 | Echelon9 | Relationship added | related to 0002834 |
2013-04-13 12:48 | Echelon9 | Assigned To | => Echelon9 |
2013-04-13 12:48 | Echelon9 | Status | new => assigned |
2013-04-15 14:21 | Echelon9 | File Added: fix-for-mantis-2821-ship_get_secondary_weapon_range.patch | |
2013-04-15 14:22 | Echelon9 | Note Added: 0014927 | |
2013-04-15 14:22 | Echelon9 | Assigned To | Echelon9 => chief1983 |
2013-04-15 14:22 | Echelon9 | Status | assigned => code review |
2013-04-22 06:13 | niffiwan | Note Added: 0014948 | |
2013-04-22 11:24 | Echelon9 | Assigned To | chief1983 => Echelon9 |
2013-04-22 11:24 | Echelon9 | Status | code review => assigned |
2013-04-22 11:25 | Echelon9 | Changeset attached | => fs2open trunk r9646 |
2013-04-22 11:25 | Echelon9 | Note Added: 0014952 | |
2013-04-22 11:25 | Echelon9 | Status | assigned => resolved |
2013-04-22 11:25 | Echelon9 | Resolution | open => fixed |