View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0002854 | FSSCP | public | 2013-04-26 12:10 | 2013-04-26 12:12 | |
Reporter | Echelon9 | Assigned To | Echelon9 | ||
Priority | normal | Severity | minor | Reproducibility | sometimes |
Status | resolved | Resolution | fixed | ||
Product Version | 3.6.19 | ||||
Target Version | 3.7.0 | ||||
Summary | 0002854: AddressSanitizer: global-buffer-overflow in do_subobj_hit_stuff() | ||||
Description | Reported by AddressSanitizer, a memory error detector for C/C++, in FS2Open builds based on trunk r9648. ERROR: AddressSanitizer: global-buffer-overflow on address 0x000104a010b8 at pc 0x101fd154d bp 0x7fff5fbf8690 sp 0x7fff5fbf8688 READ of size 4 at 0x000104a010b8 thread T0 #0 0x101fd154c in do_subobj_hit_stuff shiphit.cpp:663 0000001 0x101ffb7b8 in ship_do_damage shiphit.cpp:2127 0000002 0x102001d3d in ship_apply_global_damage shiphit.cpp:2514 0000003 0x1025af177 in shockwave_move shockwave.cpp:335 0000004 0x1025b402e in shockwave_move_all shockwave.cpp:625 0000005 0x1002efb1b in game_simulation_frame freespace.cpp:4037 0000006 0x1002f43a0 in game_frame freespace.cpp:4380 0000007 0x1002f9bbb in game_do_frame freespace.cpp:4791 0000008 0x1003056f6 in game_do_state freespace.cpp:6467 0000009 0x100900cc8 in gameseq_process_events gamesequence.cpp:405 0000010 0x10030bf86 in game_main freespace.cpp:7034 #11 0x10030d624 in SDL_main freespace.cpp:7168 ... if ((dist < 10.0f) && ((other_obj) && (other_obj->type == OBJ_SHOCKWAVE))) { // Goober5000 check for NULL <=== damage_left *= 4.0f * Weapon_info[weapon_info_index].subsystem_factor; damage_if_hull *= 4.0f * Weapon_info[weapon_info_index].armor_factor; } | ||||
Steps To Reproduce | 1. Utilise a version of Clang that supports AddressSantizer (https://code.google.com/p/address-sanitizer/wiki/AddressSanitizer). 2. Build with -fsanitize=address C/C++ flag 3. Run the game with mediavps 3.6.12, play through a asteroid gauntlet mission where it is likely to occur | ||||
Additional Information | ERROR: AddressSanitizer: global-buffer-overflow on address 0x000104a010b8 at pc 0x101fd154d bp 0x7fff5fbf8690 sp 0x7fff5fbf8688 READ of size 4 at 0x000104a010b8 thread T0 #0 0x101fd154c in do_subobj_hit_stuff shiphit.cpp:663 0000001 0x101ffb7b8 in ship_do_damage shiphit.cpp:2127 0000002 0x102001d3d in ship_apply_global_damage shiphit.cpp:2514 0000003 0x1025af177 in shockwave_move shockwave.cpp:335 0000004 0x1025b402e in shockwave_move_all shockwave.cpp:625 0000005 0x1002efb1b in game_simulation_frame freespace.cpp:4037 0000006 0x1002f43a0 in game_frame freespace.cpp:4380 0000007 0x1002f9bbb in game_do_frame freespace.cpp:4791 0000008 0x1003056f6 in game_do_state freespace.cpp:6467 0000009 0x100900cc8 in gameseq_process_events gamesequence.cpp:405 0000010 0x10030bf86 in game_main freespace.cpp:7034 #11 0x10030d624 in SDL_main freespace.cpp:7168 0000012 0x100003183 in -[SDLMain applicationDidFinishLaunching:] SDLMain.m:300 0000013 0x7fff8e0f0ed9 in _CFXNotificationPost (in CoreFoundation) + 2553 0000014 0x7fff9019ee25 in -[NSNotificationCenter postNotificationName:object:userInfo:] (in Foundation) + 63 0000015 0x7fff8ab3355c in -[NSApplication _postDidFinishNotification] (in AppKit) + 291 0000016 0x7fff8ab33295 in -[NSApplication _sendFinishLaunchingNotification] (in AppKit) + 215 0000017 0x7fff8ab30481 in -[NSApplication(NSAppleEventHandling) _handleAEOpenEvent:] (in AppKit) + 565 0000018 0x7fff8ab3007b in -[NSApplication(NSAppleEventHandling) _handleCoreEvent:withReplyEvent:] (in AppKit) + 350 0000019 0x7fff901b870a in -[NSAppleEventManager dispatchRawAppleEvent:withRawReply:handlerRefCon:] (in Foundation) + 307 0000020 0x7fff901b856c in _NSAppleEventManagerGenericHandler (in Foundation) + 105 0000021 0x7fff8f100077 in aeDispatchAppleEvent(AEDesc const*, AEDesc*, unsigned int, unsigned char*) (in AE) + 306 0000022 0x7fff8f0ffed8 in dispatchEventAndSendReply(AEDesc const*, AEDesc*) (in AE) + 36 0000023 0x7fff8f0ffd98 in aeProcessAppleEvent (in AE) + 317 0000024 0x7fff8d126708 in AEProcessAppleEvent (in HIToolbox) + 99 0000025 0x7fff8ab2c865 in _DPSNextEvent (in AppKit) + 1455 0000026 0x7fff8ab2be21 in -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] (in AppKit) + 127 0000027 0x7fff8ab231d2 in -[NSApplication run] (in AppKit) + 516 0000028 0x1000052e2 in CustomApplicationMain SDLMain.m:227 0000029 0x100004d4f in main SDLMain.m:377 0000030 0x100001ea3 in start (in FS2_Open (debug)) + 51 0000031 0x0 in 0x0 0x000104a010b8 is located 259032 bytes to the right of global variable 'Weapons' from 'trunk/fs2_open/projects/Xcode4/../../code/weapon/weapons.cpp' (0x104879ae0) of size 1344000 Shadow bytes around the buggy address: 0x1000209401c0: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 0x1000209401d0: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 0x1000209401e0: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 0x1000209401f0: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 0x100020940200: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 =>0x100020940210: f9 f9 f9 f9 f9 f9 f9[f9]f9 f9 f9 f9 f9 f9 f9 f9 0x100020940220: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 0x100020940230: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 0x100020940240: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 0x100020940250: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 0x100020940260: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Heap right redzone: fb Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack partial redzone: f4 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 ASan internal: fe ==24973==ABORTING | ||||
Tags | No tags attached. | ||||
|
Every access to the Weapon_info[] array in this function ensures the index is not negative, except this one. Odd |
|
Fix committed to trunk@9649. |
Date Modified | Username | Field | Change |
---|---|---|---|
2013-04-26 12:10 | Echelon9 | New Issue | |
2013-04-26 12:10 | Echelon9 | Status | new => assigned |
2013-04-26 12:10 | Echelon9 | Assigned To | => Echelon9 |
2013-04-26 12:11 | Echelon9 | Summary | ERROR: AddressSanitizer: global-buffer-overflow in do_subobj_hit_stuff() => AddressSanitizer: global-buffer-overflow in do_subobj_hit_stuff() |
2013-04-26 12:12 | Echelon9 | Note Added: 0014961 | |
2013-04-26 12:12 | Echelon9 | Changeset attached | => fs2open trunk r9649 |
2013-04-26 12:12 | Echelon9 | Note Added: 0014962 | |
2013-04-26 12:12 | Echelon9 | Status | assigned => resolved |
2013-04-26 12:12 | Echelon9 | Resolution | open => fixed |