View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0002850 | FSSCP | public | 2013-04-23 12:36 | 2013-04-28 11:41 | |
Reporter | Echelon9 | Assigned To | chief1983 | ||
Priority | normal | Severity | minor | Reproducibility | always |
Status | resolved | Resolution | fixed | ||
Product Version | 3.6.19 | ||||
Target Version | 3.7.0 | ||||
Summary | 0002850: AddressSanitizer: global-buffer-overflow in emp_randomize_chars() emp.cpp:613 | ||||
Description | Reported by AddressSanitizer, a memory error detector for C/C++, in FS2Open builds based on trunk r9646.

```
ERROR: AddressSanitizer: global-buffer-overflow on address 0x0001033c617d at pc 0x1025eb9fe bp 0x7fff5fbfb690 sp 0x7fff5fbfb688
READ of size 1 at 0x0001033c617d thread T0
    #0 0x1025eb9fd in emp_randomize_chars emp.cpp:613
    #1 0x1025ea726 in emp_maybe_reformat_text emp.cpp:566
    #2 0x1025e9886 in emp_hud_string emp.cpp:480
    #3 0x100db590d in HudGauge::renderString hud.cpp:748
    #4 0x10112cea7 in HudGaugeDirectives::render missiontraining.cpp:320
    #5 0x100dd1421 in hud_render_gauges hud.cpp:1836
    #6 0x100dcf974 in hud_render_all hud.cpp:1759
    #7 0x1002f08da in game_render_hud freespace.cpp:4155
    #8 0x1002f4f47 in game_frame freespace.cpp:4426
    #9 0x1002f9bfb in game_do_frame freespace.cpp:4791
    #10 0x100305736 in game_do_state freespace.cpp:6466
    #11 0x100900d08 in gameseq_process_events gamesequence.cpp:405
    #12 0x10030bfc6 in game_main freespace.cpp:7033
    #13 0x10030d664 in SDL_main freespace.cpp:7167
    ...
```

```cpp
// randomize the chars in a string
void emp_randomize_chars(char *str)
{
	...
	// shuffle chars around
	for(idx=0; idx<(int)(strlen(str)-1); idx++){
		if(frand_range(0.0f, 1.0f) < Emp_intensity){
			char_index = Emp_random_char[(int)frand_range(0.0f, (float)(NUM_RANDOM_CHARS - 1))];   // <======== emp.cpp:613, the reported read
			str[idx] = Emp_random_char[char_index];
		}
	}
```
Steps To Reproduce |
1. Utilise a version of Clang that supports AddressSanitizer (https://code.google.com/p/address-sanitizer/wiki/AddressSanitizer).
2. Build with the -fsanitize=address C/C++ flag.
3. Run the game with mediavps 3.6.12, progress to flight in "As Lightning Falls" and wait for the EMP from the lightning to really kick up.
Additional Information |

```
ERROR: AddressSanitizer: global-buffer-overflow on address 0x0001033c617d at pc 0x1025eb9fe bp 0x7fff5fbfb690 sp 0x7fff5fbfb688
READ of size 1 at 0x0001033c617d thread T0
    #0 0x1025eb9fd in emp_randomize_chars emp.cpp:613
    #1 0x1025ea726 in emp_maybe_reformat_text emp.cpp:566
    #2 0x1025e9886 in emp_hud_string emp.cpp:480
    #3 0x100db590d in HudGauge::renderString hud.cpp:748
    #4 0x10112cea7 in HudGaugeDirectives::render missiontraining.cpp:320
    #5 0x100dd1421 in hud_render_gauges hud.cpp:1836
    #6 0x100dcf974 in hud_render_all hud.cpp:1759
    #7 0x1002f08da in game_render_hud freespace.cpp:4155
    #8 0x1002f4f47 in game_frame freespace.cpp:4426
    #9 0x1002f9bfb in game_do_frame freespace.cpp:4791
    #10 0x100305736 in game_do_state freespace.cpp:6466
    #11 0x100900d08 in gameseq_process_events gamesequence.cpp:405
    #12 0x10030bfc6 in game_main freespace.cpp:7033
    #13 0x10030d664 in SDL_main freespace.cpp:7167
    #14 0x1000031c3 in -[SDLMain applicationDidFinishLaunching:] SDLMain.m:300
    #15 0x7fff9502aed9 in _CFXNotificationPost (in CoreFoundation) + 2553
    #16 0x7fff8b00de25 in -[NSNotificationCenter postNotificationName:object:userInfo:] (in Foundation) + 63
    #17 0x7fff9096f55c in -[NSApplication _postDidFinishNotification] (in AppKit) + 291
    #18 0x7fff9096f295 in -[NSApplication _sendFinishLaunchingNotification] (in AppKit) + 215
    #19 0x7fff9096c481 in -[NSApplication(NSAppleEventHandling) _handleAEOpenEvent:] (in AppKit) + 565
    #20 0x7fff9096c07b in -[NSApplication(NSAppleEventHandling) _handleCoreEvent:withReplyEvent:] (in AppKit) + 350
    #21 0x7fff8b02770a in -[NSAppleEventManager dispatchRawAppleEvent:withRawReply:handlerRefCon:] (in Foundation) + 307
    #22 0x7fff8b02756c in _NSAppleEventManagerGenericHandler (in Foundation) + 105
    #23 0x7fff933f0077 in aeDispatchAppleEvent(AEDesc const*, AEDesc*, unsigned int, unsigned char*) (in AE) + 306
    #24 0x7fff933efed8 in dispatchEventAndSendReply(AEDesc const*, AEDesc*) (in AE) + 36
    #25 0x7fff933efd98 in aeProcessAppleEvent (in AE) + 317
    #26 0x7fff8db58708 in AEProcessAppleEvent (in HIToolbox) + 99
    #27 0x7fff90968865 in _DPSNextEvent (in AppKit) + 1455
    #28 0x7fff90967e21 in -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] (in AppKit) + 127
    #29 0x7fff9095f1d2 in -[NSApplication run] (in AppKit) + 516
    #30 0x100005322 in CustomApplicationMain SDLMain.m:227
    #31 0x100004d8f in main SDLMain.m:377
    #32 0x100001ee3 in start (in FS2_Open (debug)) + 51
    #33 0x0 in 0x0
0x0001033c617d is located 25 bytes to the right of global variable 'mod_val' from '/fs2_open/projects/Xcode4/../../code/weapon/emp.cpp' (0x1033c6160) of size 4
Shadow bytes around the buggy address:
==19350==ABORTING
```
Tags | No tags attached. | ||||
|
Well wasn't that ironic. Bug has existed since Volition source release (10+ years) whereby the scrambled HUD effect from EMP or lightning strikes would actually begin scrambling the engine's memory model. This would occur because the character code was used as an index into an array, rather than the character's position in the array. Patch to follow. |
|
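An added C illustration of the indexing mistake described in the note above; it is not code from the report or from FS2Open. The scramble table contents and the xorshift stand-in for frand_range() are assumptions, chosen so the result is reproducible. It computes the index the old line produced for each table slot, then runs the corrected loop from the attached patch (reimplemented here with an explicit length guard) and checks that its output stays inside the table.

```c
#include <string.h>

/* Constructed stand-in for the engine's table; the real contents are not in the report. */
static const char Emp_random_char[] = "#@%&*!?~";
#define NUM_RANDOM_CHARS ((int)(sizeof(Emp_random_char) - 1))

/* Deterministic xorshift stand-in for frand_range() with explicit state (assumption). */
static float frand_range(unsigned *s, float lo, float hi) {
    unsigned x = *s;
    x ^= x << 13; x ^= x >> 17; x ^= x << 5;
    *s = x;
    return lo + (hi - lo) * ((float)(x & 0xFFFFFFu) / 16777216.0f);
}

/* Index the pre-r9653 line used: the character VALUE in the chosen slot ('#' == 35). */
int buggy_index_for_slot(int slot) { return (int)(unsigned char)Emp_random_char[slot]; }

/* Slots whose value lies outside [0, NUM_RANDOM_CHARS): each was a read past the table. */
int count_oob_slots(void) {
    int n = 0;
    for (int slot = 0; slot < NUM_RANDOM_CHARS; slot++)
        if (buggy_index_for_slot(slot) >= NUM_RANDOM_CHARS) n++;
    return n;
}

/* Corrected loop as in the patch: the random draw itself is the index.
 * The len > 1 guard also keeps strlen("") - 1 from wrapping as size_t. */
void emp_randomize_chars_fixed(char *str, float intensity, unsigned *s) {
    size_t len = strlen(str);
    for (size_t idx = 0; len > 1 && idx < len - 1; idx++) {
        if (frand_range(s, 0.0f, 1.0f) < intensity) {
            int char_index = (int)frand_range(s, 0.0f, (float)(NUM_RANDOM_CHARS - 1));
            str[idx] = Emp_random_char[char_index];
        }
    }
}

/* Scramble a copy and check: last byte untouched, every changed byte is from the table. */
int scramble_ok(const char *orig, float intensity, unsigned seed) {
    char buf[64];
    size_t len = strlen(orig);
    if (len >= sizeof buf) return 0;
    memcpy(buf, orig, len + 1);
    emp_randomize_chars_fixed(buf, intensity, &seed);
    if (len > 0 && buf[len - 1] != orig[len - 1]) return 0;
    for (size_t i = 0; i + 1 < len; i++)
        if (buf[i] != orig[i] && !memchr(Emp_random_char, buf[i], NUM_RANDOM_CHARS)) return 0;
    return 1;
}
```

With this table every slot holds a printable character whose code is far above NUM_RANDOM_CHARS, so every draw under the old line was an out-of-bounds read; the corrected loop never leaves the table.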
fix-mantis-2850_emp_randomize_chars.patch (529 bytes)
Index: code/weapon/emp.cpp =================================================================== --- code/weapon/emp.cpp (revision 9646) +++ code/weapon/emp.cpp (working copy) @@ -609,7 +609,7 @@ // shuffle chars around for(idx=0; idx<(int)(strlen(str)-1); idx++){ if(frand_range(0.0f, 1.0f) < Emp_intensity){ - char_index = Emp_random_char[(int)frand_range(0.0f, (float)(NUM_RANDOM_CHARS - 1))]; + char_index = (int)frand_range(0.0f, (float)(NUM_RANDOM_CHARS - 1)); str[idx] = Emp_random_char[char_index]; } } |
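Review bot: the replacement line is the right fix: `char_index` is now the truncated random draw in [0, NUM_RANDOM_CHARS - 1], so `Emp_random_char[char_index]` is no longer indexed by a character's byte value (the removed line fetched a table entry and then used that value as the index, which matches ASan's 1-byte read 25 bytes past the global `mod_val`). Two points worth raising on the same hunk: `(int)frand_range(0.0f, (float)(NUM_RANDOM_CHARS - 1))` truncates toward zero, so the last table entry is chosen only when frand_range returns exactly its upper bound, which deserves a comment or a clamp if an even spread matters; and given this line survived 10+ years unnoticed, a one-line comment stating that the draw is an index and not a character value would help keep the original form from being reintroduced.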
|
looks good to me |
|
Fix committed to trunk@9653. |
Date Modified | Username | Field | Change |
---|---|---|---|
2013-04-23 12:36 | Echelon9 | New Issue | |
2013-04-23 12:36 | Echelon9 | Status | new => assigned |
2013-04-23 12:36 | Echelon9 | Assigned To | => Echelon9 |
2013-04-23 12:38 | Echelon9 | Note Added: 0014956 | |
2013-04-23 12:39 | Echelon9 | File Added: fix-mantis-2850_emp_randomize_chars.patch | |
2013-04-23 12:39 | Echelon9 | Assigned To | Echelon9 => chief1983 |
2013-04-23 12:39 | Echelon9 | Status | assigned => code review |
2013-04-28 10:05 | niffiwan | Note Added: 0014968 | |
2013-04-28 11:41 | Echelon9 | Changeset attached | => fs2open trunk r9653 |
2013-04-28 11:41 | Echelon9 | Note Added: 0014969 | |
2013-04-28 11:41 | Echelon9 | Status | code review => resolved |
2013-04-28 11:41 | Echelon9 | Resolution | open => fixed |