View Issue Details

ID: 0002823
Project: FSSCP
Category: (none)
View Status: public
Last Update: 2013-03-26 11:10
Reporter: Echelon9
Assigned To: Echelon9
Priority: normal
Severity: minor
Reproducibility: always
Status: resolved
Resolution: fixed
Product Version: 3.6.19
Target Version: 3.7.0
Summary: 0002823: ERROR: AddressSanitizer: global-buffer-overflow in hud_escort_ship_hit() hudescort.cpp:976

Description: Reported by AddressSanitizer, a memory error detector for C/C++, in FS2Open builds based on trunk r9604.

    #0 0x100d46c43 in hud_escort_ship_hit hudescort.cpp:976
    #1 0x100b737d1 in hud_shield_quadrant_hit hudshield.cpp:532
    #2 0x101ab14e1 in ship_weapon_do_hit_stuff collideshipweapon.cpp:97
    #3 0x101ab6562 in ship_weapon_check_collision collideshipweapon.cpp:292
    #4 0x101ab84b0 in collide_ship_weapon collideshipweapon.cpp:364
    #5 0x101a8c6f1 in obj_collide_pair objcollide.cpp:1626
    #6 0x101a846f0 in obj_find_overlap_colliders objcollide.cpp:1246
    #7 0x101a80ce7 in obj_sort_and_collide objcollide.cpp:1211
    #8 0x101a5f62b in obj_move_all object.cpp:1515
    #9 0x1002ea15d in game_simulation_frame freespace.cpp:3987
    #10 0x1002eedb1 in game_frame freespace.cpp:4380
    #11 0x1002f459b in game_do_frame freespace.cpp:4791
    #12 0x1003000fa in game_do_state freespace.cpp:6466
    #13 0x1008f1a59 in gameseq_process_events gamesequence.cpp:405
    #14 0x100306978 in game_main freespace.cpp:7033
    #15 0x100307fe6 in SDL_main freespace.cpp:7167
    ...


void hud_escort_ship_hit(object *objp, int quadrant)
{
    int num, i;
    shield_hit_info *shi;

    // no ships on the escort list in multiplayer dogfight
    if(MULTI_DOGFIGHT){
        return;
    }

    for ( i = 0; i < Num_escort_ships; i++ ) {
        if ( Escort_ships[i].objnum == OBJ_INDEX(objp) ) {
            shi = &Escort_ships[i].hit_info;
            num = Quadrant_xlate[quadrant]; // <============ quadrant is -1 for a hull hit, so this reads one byte before the 4-byte table
            hud_gauge_popup_start(HUD_ESCORT_VIEW);
            if ( quadrant >= 0 ) {
                shi->shield_hit_timers[num] = timestamp(SHIELD_HIT_DURATION);
            } else {
                shi->shield_hit_timers[HULL_HIT_OFFSET] = timestamp(SHIELD_HIT_DURATION);
            }
        }
    }
}
Steps To Reproduce:
1. Use a version of Clang that supports AddressSanitizer (https://code.google.com/p/address-sanitizer/wiki/AddressSanitizer).
2. Build with the -fsanitize=address C/C++ flag.
3. Run the game with mediavps 3.6.12, progress to flight in mission 1 "Surrender, Belisarius", and wait for the transport to be hit by enemy fire.
Additional Information:
ERROR: AddressSanitizer: global-buffer-overflow on address 0x0001032b5d9f at pc 0x100d46c44 bp 0x7fff5fbf91f0 sp 0x7fff5fbf91e8
READ of size 1 at 0x0001032b5d9f thread T0
    #0 0x100d46c43 in hud_escort_ship_hit hudescort.cpp:976
    #1 0x100b737d1 in hud_shield_quadrant_hit hudshield.cpp:532
    #2 0x101ab14e1 in ship_weapon_do_hit_stuff collideshipweapon.cpp:97
    #3 0x101ab6562 in ship_weapon_check_collision collideshipweapon.cpp:292
    #4 0x101ab84b0 in collide_ship_weapon collideshipweapon.cpp:364
    #5 0x101a8c6f1 in obj_collide_pair objcollide.cpp:1626
    #6 0x101a846f0 in obj_find_overlap_colliders objcollide.cpp:1246
    #7 0x101a80ce7 in obj_sort_and_collide objcollide.cpp:1211
    #8 0x101a5f62b in obj_move_all object.cpp:1515
    #9 0x1002ea15d in game_simulation_frame freespace.cpp:3987
    #10 0x1002eedb1 in game_frame freespace.cpp:4380
    #11 0x1002f459b in game_do_frame freespace.cpp:4791
    #12 0x1003000fa in game_do_state freespace.cpp:6466
    #13 0x1008f1a59 in gameseq_process_events gamesequence.cpp:405
    #14 0x100306978 in game_main freespace.cpp:7033
    #15 0x100307fe6 in SDL_main freespace.cpp:7167
    #16 0x10000295a in -[SDLMain applicationDidFinishLaunching:] SDLMain.m:300
    #17 0x7fff8ffe3ed9 in _CFXNotificationPost (in CoreFoundation) + 2553
    #18 0x7fff85fc6e25 in -[NSNotificationCenter postNotificationName:object:userInfo:] (in Foundation) + 63
    #19 0x7fff8b92855c in -[NSApplication _postDidFinishNotification] (in AppKit) + 291
    #20 0x7fff8b928295 in -[NSApplication _sendFinishLaunchingNotification] (in AppKit) + 215
    #21 0x7fff8b925481 in -[NSApplication(NSAppleEventHandling) _handleAEOpenEvent:] (in AppKit) + 565
    #22 0x7fff8b92507b in -[NSApplication(NSAppleEventHandling) _handleCoreEvent:withReplyEvent:] (in AppKit) + 350
    #23 0x7fff85fe070a in -[NSAppleEventManager dispatchRawAppleEvent:withRawReply:handlerRefCon:] (in Foundation) + 307
    #24 0x7fff85fe056c in _NSAppleEventManagerGenericHandler (in Foundation) + 105
    #25 0x7fff8e3a9077 in aeDispatchAppleEvent(AEDesc const*, AEDesc*, unsigned int, unsigned char*) (in AE) + 306
    #26 0x7fff8e3a8ed8 in dispatchEventAndSendReply(AEDesc const*, AEDesc*) (in AE) + 36
    #27 0x7fff8e3a8d98 in aeProcessAppleEvent (in AE) + 317
    #28 0x7fff88b11708 in AEProcessAppleEvent (in HIToolbox) + 99
    #29 0x7fff8b921865 in _DPSNextEvent (in AppKit) + 1455
    #30 0x7fff8b920e21 in -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] (in AppKit) + 127
    #31 0x7fff8b9181d2 in -[NSApplication run] (in AppKit) + 516
    #32 0x100004a73 in CustomApplicationMain SDLMain.m:227
    #33 0x1000044f0 in main SDLMain.m:377
    #34 0x1000016c3 in start (in FS2_Open (debug)) + 51
    #35 0x0 in 0x0
0x0001032b5d9f is located 1 bytes to the left of global variable 'Quadrant_xlate' from 'fs2open/trunk/fs2_open/projects/Xcode4/../../code/hud/hudshield.cpp' (0x1032b5da0) of size 4
0x0001032b5d9f is located 47 bytes to the right of global variable 'Hud_mini_base' from 'fs2open/trunk/fs2_open/projects/Xcode4/../../code/hud/hudshield.cpp' (0x1032b5d60) of size 16
Shadow bytes around the buggy address:
  0x100020656b60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100020656b70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100020656b80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f9 f9
  0x100020656b90: f9 f9 f9 f9 00 00 00 f9 f9 f9 f9 f9 00 00 00 f9
  0x100020656ba0: f9 f9 f9 f9 00 00 00 f9 f9 f9 f9 f9 00 00 f9 f9
=>0x100020656bb0: f9 f9 f9[f9]04 f9 f9 f9 f9 f9 f9 f9 00 00 00 00
  0x100020656bc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100020656bd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100020656be0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100020656bf0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100020656c00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable: 00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone: fa
  Heap righ redzone: fb
  Freed Heap region: fd
  Stack left redzone: f1
  Stack mid redzone: f2
  Stack right redzone: f3
  Stack partial redzone: f4
  Stack after return: f5
  Stack use after scope: f8
  Global redzone: f9
  Global init order: f6
  Poisoned by user: f7
  ASan internal: fe
==58692==ABORTING
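Added example, not code from this report or from FS2Open: a small C model of the lookup in hud_escort_ship_hit() above, with the reported order of operations (table indexed before quadrant is examined) beside a version that decides the timer slot without touching the table unless the index is proven in range. The contents of Quadrant_xlate, the value of HULL_HIT_OFFSET, the timer layout and SHIELD_HIT_DURATION are assumptions for illustration; only the names and the 4-byte, one-byte-per-entry shape (from the "size 4" / "READ of size 1" lines in the ASan output) follow the report.

```c
#include <stdio.h>

/*
 * Constructed model of the timer update in hud_escort_ship_hit().  Only the
 * names mirror the bug report; the table contents, the timer layout and the
 * duration value are assumptions, not taken from the FS2Open source.
 */
#define NUM_QUADRANTS        4
#define HULL_HIT_OFFSET      NUM_QUADRANTS        /* assumed: hull timer follows the 4 quadrant timers */
#define NUM_HIT_TIMERS       (NUM_QUADRANTS + 1)
#define SHIELD_HIT_DURATION  1400                 /* assumed; the real code wraps this in timestamp() */

/* 4-byte table, one byte per quadrant, matching "size 4" / "READ of size 1"
 * in the ASan report.  The mapping values are assumed. */
static const unsigned char Quadrant_xlate[NUM_QUADRANTS] = { 1, 0, 2, 3 };

typedef struct {
    int shield_hit_timers[NUM_HIT_TIMERS];
} shield_hit_info;

/*
 * Order of operations as reported: the table is indexed before quadrant is
 * examined, so a hull hit (quadrant == -1) reads Quadrant_xlate[-1], the byte
 * ASan flags as "1 bytes to the left of global variable 'Quadrant_xlate'".
 * The value read is never consumed on the hull path, which is why only a
 * sanitizer build notices.  Never call this with quadrant < 0.
 */
int escort_hit_unchecked(shield_hit_info *shi, int quadrant)
{
    int num = Quadrant_xlate[quadrant];   /* out-of-bounds read when quadrant < 0 */
    if (quadrant >= 0) {
        shi->shield_hit_timers[num] = SHIELD_HIT_DURATION;
        return num;
    }
    shi->shield_hit_timers[HULL_HIT_OFFSET] = SHIELD_HIT_DURATION;
    return HULL_HIT_OFFSET;
}

/*
 * Hardened: map a hit to a timer slot without reading the table unless the
 * index is in range.  Returns the slot, or -1 for an index too large for the
 * table, which the caller should refuse rather than read past the array.
 */
int hit_timer_slot(int quadrant)
{
    if (quadrant < 0)
        return HULL_HIT_OFFSET;             /* hull hit: no table lookup at all */
    if (quadrant >= NUM_QUADRANTS)
        return -1;                          /* would read past the table: refuse */
    return Quadrant_xlate[quadrant];
}

/* Hardened update: returns the slot written, or -1 if the hit was rejected. */
int escort_hit_checked(shield_hit_info *shi, int quadrant)
{
    int slot = hit_timer_slot(quadrant);
    if (slot < 0 || slot >= NUM_HIT_TIMERS)
        return -1;
    shi->shield_hit_timers[slot] = SHIELD_HIT_DURATION;
    return slot;
}

/* Convenience for exercising the hardened path on a fresh record: returns the
 * timer value stored for the slot the hit landed in, or -1 if rejected. */
int timer_after_hit(int quadrant)
{
    shield_hit_info shi = { {0} };
    int slot = escort_hit_checked(&shi, quadrant);
    return slot < 0 ? -1 : shi.shield_hit_timers[slot];
}

int main(void)
{
    shield_hit_info shi = { {0} };
    int q;
    /* Quadrant hits 0..3 plus the hull hit (-1) that tripped ASan in the report. */
    for (q = -1; q < NUM_QUADRANTS; q++)
        printf("quadrant %2d -> timer slot %d\n", q, escort_hit_checked(&shi, q));
    printf("quadrant  7 -> %d (rejected)\n", escort_hit_checked(&shi, 7));
    return 0;
}
```

The point of the split into hit_timer_slot() and escort_hit_checked() is that the array index is validated in exactly one place before any memory is touched, and the second bound (slot < NUM_HIT_TIMERS) guards the write even if the table contents were ever wrong; an ASan build of the original ordering would still report the read on the first hull hit, whereas the checked version never forms the out-of-range address.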
Tags: No tags attached.

Activities

Echelon9 (developer), 2013-03-26 11:10, note ~0014846:
Fix committed to trunk@9607.

Related Changesets

fs2open: trunk r9607
2013-03-26 07:56
Echelon9
Ported: N/A
Fix for Mantis 2823: AddressSanitizer: global-buffer-overflow in hud_escort_ship_hit()
Affected Issues: 0002823
mod - /trunk/fs2_open/code/hud/hudescort.cpp

Issue History

Date Modified Username Field Change
2013-03-26 10:18 Echelon9 New Issue
2013-03-26 10:18 Echelon9 Status new => assigned
2013-03-26 10:18 Echelon9 Assigned To => Echelon9
2013-03-26 11:10 Echelon9 Changeset attached => fs2open trunk r9607
2013-03-26 11:10 Echelon9 Note Added: 0014846
2013-03-26 11:10 Echelon9 Status assigned => resolved
2013-03-26 11:10 Echelon9 Resolution open => fixed