View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0002833 | FSSCP | public | 2013-04-03 12:04 | 2013-04-29 12:03 | |
Reporter | Echelon9 | Assigned To | Echelon9 | ||
Priority | normal | Severity | minor | Reproducibility | always |
Status | resolved | Resolution | fixed | ||
Product Version | 3.6.19 | ||||
Target Version | 3.7.0 | ||||
Summary | 0002833: AddressSanitizer: heap-buffer-overflow in get_char_width() font.cpp:99 | ||||
Description | Reported by AddressSanitizer, a memory error detector for C/C++, in FS2Open builds based on trunk r9617. ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61700001e61d at pc 0x10095d79c bp 0x7fff5fbfa050 sp 0x7fff5fbfa048 READ of size 1 at 0x61700001e61d thread T0 #0 0x10095d79b in get_char_width font.cpp:99 0000001 0x100960f37 in gr_get_string_size font.cpp:220 0000002 0x100862c06 in gr_get_string_size 2d.h:578 0000003 0x101dd3505 in split_str parselo.cpp:3364 0000004 0x10087159f in split_str parselo.h:202 0000005 0x101e8551f in popup_split_lines popup.cpp:377 0000006 0x101e8b52b in popup_init popup.cpp:544 0000007 0x101e9257f in popup_do popup.cpp:817 0000008 0x101e969b1 in popup popup.cpp:1013 0000009 0x100e037d5 in game_do_end_mission_popup keycontrol.cpp:1395 0000010 0x100e06967 in game_process_keys keycontrol.cpp:1610 #11 0x1002eec02 in game_frame freespace.cpp:4357 0000012 0x1002f473b in game_do_frame freespace.cpp:4791 0000013 0x10030029a in game_do_state freespace.cpp:6466 0000014 0x1008f1b89 in gameseq_process_events gamesequence.cpp:405 0000015 0x100306b18 in game_main freespace.cpp:7033 0000016 0x100308186 in SDL_main freespace.cpp:7167 ... 0x61700001e61d is located 0 bytes to the right of 669-byte region [0x61700001e380,0x61700001e61d) allocated by thread T0 here: #0 0x1054946d3 in wrap_malloc (in libclang_rt.asan_osx_dynamic.dylib) + 51 0000001 0x1025b560f in _vm_malloc stubs.cpp:571 0000002 0x100964c51 in gr_create_font font.cpp:416 0000003 0x10096a1a9 in parse_fonts_tbl font.cpp:579 0000004 0x10096a598 in gr_font_init font.cpp:601 0000005 0x1002c74d2 in game_init freespace.cpp:1852 0000006 0x1003065db in game_main freespace.cpp:6976 0000007 0x100308186 in SDL_main freespace.cpp:7167 /** * Takes the character BEFORE being offset into current font * @return the letter code */ int get_char_width(ubyte c1,ubyte c2,int *width,int *spacing) { int i, letter; Assert ( Current_font != NULL ); letter = c1-Current_font->first_ascii; if (letter<0 || letter>=Current_font->num_chars) { //not in font, draw as space *width=0; *spacing = Current_font->w; return -1; } *width = Current_font->char_data[letter].byte_width; *spacing = Current_font->char_data[letter].spacing; i = Current_font->char_data[letter].kerning_entry; if ( i > -1) { if (!(c2==0 || c2=='\n')) { int letter2; letter2 = c2-Current_font->first_ascii; if ((letter2>=0) && (letter2<Current_font->num_chars) ) { //not in font, draw as space font_kernpair *k = &Current_font->kern_data[i]; while( (k->c1 == (char)letter) && (k->c2<(char)letter2) && (i<Current_font->num_kern_pairs) ) { <== i++; k++; } if ( k->c2 == (char)letter2 ) { *spacing += k->offset; } } } } return letter; } | ||||
Steps To Reproduce | 1. Utilise a version of Clang that supports AddressSantizer (https://code.google.com/p/address-sanitizer/wiki/AddressSanitizer). 2. Build with -fsanitize=address C/C++ flag 3. Run the game with mediavps 3.6.12, enter flight in a mission then press Esc to bring up menu. | ||||
Additional Information | ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61700001e61d at pc 0x10095d79c bp 0x7fff5fbfa050 sp 0x7fff5fbfa048 READ of size 1 at 0x61700001e61d thread T0 #0 0x10095d79b in get_char_width font.cpp:99 0000001 0x100960f37 in gr_get_string_size font.cpp:220 0000002 0x100862c06 in gr_get_string_size 2d.h:578 0000003 0x101dd3505 in split_str parselo.cpp:3364 0000004 0x10087159f in split_str parselo.h:202 0000005 0x101e8551f in popup_split_lines popup.cpp:377 0000006 0x101e8b52b in popup_init popup.cpp:544 0000007 0x101e9257f in popup_do popup.cpp:817 0000008 0x101e969b1 in popup popup.cpp:1013 0000009 0x100e037d5 in game_do_end_mission_popup keycontrol.cpp:1395 0000010 0x100e06967 in game_process_keys keycontrol.cpp:1610 #11 0x1002eec02 in game_frame freespace.cpp:4357 0000012 0x1002f473b in game_do_frame freespace.cpp:4791 0000013 0x10030029a in game_do_state freespace.cpp:6466 0000014 0x1008f1b89 in gameseq_process_events gamesequence.cpp:405 0000015 0x100306b18 in game_main freespace.cpp:7033 0000016 0x100308186 in SDL_main freespace.cpp:7167 0000017 0x10000287a in -[SDLMain applicationDidFinishLaunching:] SDLMain.m:300 0000018 0x7fff8ffe3ed9 in _CFXNotificationPost (in CoreFoundation) + 2553 0000019 0x7fff85fc6e25 in -[NSNotificationCenter postNotificationName:object:userInfo:] (in Foundation) + 63 0000020 0x7fff8b92855c in -[NSApplication _postDidFinishNotification] (in AppKit) + 291 0000021 0x7fff8b928295 in -[NSApplication _sendFinishLaunchingNotification] (in AppKit) + 215 0000022 0x7fff8b925481 in -[NSApplication(NSAppleEventHandling) _handleAEOpenEvent:] (in AppKit) + 565 0000023 0x7fff8b92507b in -[NSApplication(NSAppleEventHandling) _handleCoreEvent:withReplyEvent:] (in AppKit) + 350 0000024 0x7fff85fe070a in -[NSAppleEventManager dispatchRawAppleEvent:withRawReply:handlerRefCon:] (in Foundation) + 307 0000025 0x7fff85fe056c in _NSAppleEventManagerGenericHandler (in Foundation) + 105 0000026 0x7fff8e3a9077 in aeDispatchAppleEvent(AEDesc const*, AEDesc*, unsigned int, unsigned char*) (in AE) + 306 0000027 0x7fff8e3a8ed8 in dispatchEventAndSendReply(AEDesc const*, AEDesc*) (in AE) + 36 0000028 0x7fff8e3a8d98 in aeProcessAppleEvent (in AE) + 317 0000029 0x7fff88b11708 in AEProcessAppleEvent (in HIToolbox) + 99 0000030 0x7fff8b921865 in _DPSNextEvent (in AppKit) + 1455 0000031 0x7fff8b920e21 in -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] (in AppKit) + 127 0000032 0x7fff8b9181d2 in -[NSApplication run] (in AppKit) + 516 0000033 0x100004993 in CustomApplicationMain SDLMain.m:227 0000034 0x100004410 in main SDLMain.m:377 0000035 0x1000015e3 in start (in FS2_Open (debug)) + 51 0000036 0x0 in 0x0 0x61700001e61d is located 0 bytes to the right of 669-byte region [0x61700001e380,0x61700001e61d) allocated by thread T0 here: #0 0x1054946d3 in wrap_malloc (in libclang_rt.asan_osx_dynamic.dylib) + 51 0000001 0x1025b560f in _vm_malloc stubs.cpp:571 0000002 0x100964c51 in gr_create_font font.cpp:416 0000003 0x10096a1a9 in parse_fonts_tbl font.cpp:579 0000004 0x10096a598 in gr_font_init font.cpp:601 0000005 0x1002c74d2 in game_init freespace.cpp:1852 0000006 0x1003065db in game_main freespace.cpp:6976 0000007 0x100308186 in SDL_main freespace.cpp:7167 0000008 0x10000287a in -[SDLMain applicationDidFinishLaunching:] SDLMain.m:300 0000009 0x7fff8ffe3ed9 in _CFXNotificationPost (in CoreFoundation) + 2553 0000010 0x7fff85fc6e25 in -[NSNotificationCenter postNotificationName:object:userInfo:] (in Foundation) + 63 #11 0x7fff8b92855c in -[NSApplication _postDidFinishNotification] (in AppKit) + 291 0000012 0x7fff8b928295 in -[NSApplication _sendFinishLaunchingNotification] (in AppKit) + 215 0000013 0x7fff8b925481 in -[NSApplication(NSAppleEventHandling) _handleAEOpenEvent:] (in AppKit) + 565 0000014 0x7fff8b92507b in -[NSApplication(NSAppleEventHandling) _handleCoreEvent:withReplyEvent:] (in AppKit) + 350 0000015 0x7fff85fe070a in -[NSAppleEventManager dispatchRawAppleEvent:withRawReply:handlerRefCon:] (in Foundation) + 307 0000016 0x7fff85fe056c in _NSAppleEventManagerGenericHandler (in Foundation) + 105 0000017 0x7fff8e3a9077 in aeDispatchAppleEvent(AEDesc const*, AEDesc*, unsigned int, unsigned char*) (in AE) + 306 0000018 0x7fff8e3a8ed8 in dispatchEventAndSendReply(AEDesc const*, AEDesc*) (in AE) + 36 0000019 0x7fff8e3a8d98 in aeProcessAppleEvent (in AE) + 317 0000020 0x7fff88b11708 in AEProcessAppleEvent (in HIToolbox) + 99 0000021 0x7fff8b921865 in _DPSNextEvent (in AppKit) + 1455 0000022 0x7fff8b920e21 in -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] (in AppKit) + 127 0000023 0x7fff8b9181d2 in -[NSApplication run] (in AppKit) + 516 0000024 0x100004993 in CustomApplicationMain SDLMain.m:227 0000025 0x100004410 in main SDLMain.m:377 0000026 0x1000015e3 in start (in FS2_Open (debug)) + 51 0000027 0x0 in 0x0 Shadow bytes around the buggy address: 0x1c2e00003c70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x1c2e00003c80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x1c2e00003c90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x1c2e00003ca0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x1c2e00003cb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 =>0x1c2e00003cc0: 00 00 00[05]fa fa fa fa fa fa fa fa fa fa fa fa 0x1c2e00003cd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x1c2e00003ce0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x1c2e00003cf0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x1c2e00003d00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x1c2e00003d10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Heap righ redzone: fb Freed Heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack partial redzone: f4 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 ASan internal: fe ==89217==ABORTING | ||||
Tags | No tags attached. | ||||
Date Modified | Username | Field | Change |
---|---|---|---|
2013-04-03 12:04 | Echelon9 | New Issue | |
2013-04-22 12:40 | Echelon9 | Assigned To | => Echelon9 |
2013-04-22 12:40 | Echelon9 | Status | new => assigned |
2013-04-29 12:03 | Echelon9 | Changeset attached | => fs2open trunk r9659 |
2013-04-29 12:03 | Echelon9 | Note Added: 0014982 | |
2013-04-29 12:03 | Echelon9 | Status | assigned => resolved |
2013-04-29 12:03 | Echelon9 | Resolution | open => fixed |