View Issue Details

ID: 0002854
Project: FSSCP
View Status: public
Last Update: 2013-04-26 12:12
Reporter: Echelon9
Assigned To: Echelon9
Priority: normal
Severity: minor
Reproducibility: sometimes
Status: resolved
Resolution: fixed
Product Version: 3.6.19
Target Version: 3.7.0
Summary: 0002854: AddressSanitizer: global-buffer-overflow in do_subobj_hit_stuff()
Description: Reported by AddressSanitizer, a memory error detector for C/C++, in FS2Open builds based on trunk r9648.

ERROR: AddressSanitizer: global-buffer-overflow on address 0x000104a010b8 at pc 0x101fd154d bp 0x7fff5fbf8690 sp 0x7fff5fbf8688
READ of size 4 at 0x000104a010b8 thread T0
    #0 0x101fd154c in do_subobj_hit_stuff shiphit.cpp:663
    #1 0x101ffb7b8 in ship_do_damage shiphit.cpp:2127
    #2 0x102001d3d in ship_apply_global_damage shiphit.cpp:2514
    #3 0x1025af177 in shockwave_move shockwave.cpp:335
    #4 0x1025b402e in shockwave_move_all shockwave.cpp:625
    #5 0x1002efb1b in game_simulation_frame freespace.cpp:4037
    #6 0x1002f43a0 in game_frame freespace.cpp:4380
    #7 0x1002f9bbb in game_do_frame freespace.cpp:4791
    #8 0x1003056f6 in game_do_state freespace.cpp:6467
    #9 0x100900cc8 in gameseq_process_events gamesequence.cpp:405
    #10 0x10030bf86 in game_main freespace.cpp:7034
    #11 0x10030d624 in SDL_main freespace.cpp:7168
    ...

        if ((dist < 10.0f) && ((other_obj) && (other_obj->type == OBJ_SHOCKWAVE))) { // Goober5000 check for NULL <===
            damage_left *= 4.0f * Weapon_info[weapon_info_index].subsystem_factor;
            damage_if_hull *= 4.0f * Weapon_info[weapon_info_index].armor_factor;
        }
Steps To Reproduce:
1. Utilise a version of Clang that supports AddressSanitizer (https://code.google.com/p/address-sanitizer/wiki/AddressSanitizer).
2. Build with the -fsanitize=address C/C++ flag.
3. Run the game with mediavps 3.6.12 and play through an asteroid gauntlet mission, where it is likely to occur.
Additional Information:
ERROR: AddressSanitizer: global-buffer-overflow on address 0x000104a010b8 at pc 0x101fd154d bp 0x7fff5fbf8690 sp 0x7fff5fbf8688
READ of size 4 at 0x000104a010b8 thread T0
    #0 0x101fd154c in do_subobj_hit_stuff shiphit.cpp:663
    #1 0x101ffb7b8 in ship_do_damage shiphit.cpp:2127
    #2 0x102001d3d in ship_apply_global_damage shiphit.cpp:2514
    #3 0x1025af177 in shockwave_move shockwave.cpp:335
    #4 0x1025b402e in shockwave_move_all shockwave.cpp:625
    #5 0x1002efb1b in game_simulation_frame freespace.cpp:4037
    #6 0x1002f43a0 in game_frame freespace.cpp:4380
    #7 0x1002f9bbb in game_do_frame freespace.cpp:4791
    #8 0x1003056f6 in game_do_state freespace.cpp:6467
    #9 0x100900cc8 in gameseq_process_events gamesequence.cpp:405
    #10 0x10030bf86 in game_main freespace.cpp:7034
    #11 0x10030d624 in SDL_main freespace.cpp:7168
    #12 0x100003183 in -[SDLMain applicationDidFinishLaunching:] SDLMain.m:300
    #13 0x7fff8e0f0ed9 in _CFXNotificationPost (in CoreFoundation) + 2553
    #14 0x7fff9019ee25 in -[NSNotificationCenter postNotificationName:object:userInfo:] (in Foundation) + 63
    #15 0x7fff8ab3355c in -[NSApplication _postDidFinishNotification] (in AppKit) + 291
    #16 0x7fff8ab33295 in -[NSApplication _sendFinishLaunchingNotification] (in AppKit) + 215
    #17 0x7fff8ab30481 in -[NSApplication(NSAppleEventHandling) _handleAEOpenEvent:] (in AppKit) + 565
    #18 0x7fff8ab3007b in -[NSApplication(NSAppleEventHandling) _handleCoreEvent:withReplyEvent:] (in AppKit) + 350
    #19 0x7fff901b870a in -[NSAppleEventManager dispatchRawAppleEvent:withRawReply:handlerRefCon:] (in Foundation) + 307
    #20 0x7fff901b856c in _NSAppleEventManagerGenericHandler (in Foundation) + 105
    #21 0x7fff8f100077 in aeDispatchAppleEvent(AEDesc const*, AEDesc*, unsigned int, unsigned char*) (in AE) + 306
    #22 0x7fff8f0ffed8 in dispatchEventAndSendReply(AEDesc const*, AEDesc*) (in AE) + 36
    #23 0x7fff8f0ffd98 in aeProcessAppleEvent (in AE) + 317
    #24 0x7fff8d126708 in AEProcessAppleEvent (in HIToolbox) + 99
    #25 0x7fff8ab2c865 in _DPSNextEvent (in AppKit) + 1455
    #26 0x7fff8ab2be21 in -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] (in AppKit) + 127
    #27 0x7fff8ab231d2 in -[NSApplication run] (in AppKit) + 516
    #28 0x1000052e2 in CustomApplicationMain SDLMain.m:227
    #29 0x100004d4f in main SDLMain.m:377
    #30 0x100001ea3 in start (in FS2_Open (debug)) + 51
    #31 0x0 in 0x0
0x000104a010b8 is located 259032 bytes to the right of global variable 'Weapons' from 'trunk/fs2_open/projects/Xcode4/../../code/weapon/weapons.cpp' (0x104879ae0) of size 1344000
Shadow bytes around the buggy address:
==24973==ABORTING
Tags: No tags attached.

Activities

Echelon9

2013-04-26 12:12

developer   ~0014961

Every access to the Weapon_info[] array in this function ensures the index is not negative, except this one. Odd.
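The pattern behind this report, as an added C example that is not FS2Open's code: the reported line with its unchecked index beside a form that applies the same non-negative, in-range check the function's other Weapon_info[] accesses use. The array size, struct fields, factor values and object types are constructed stand-ins, and the range check is an assumed hardening, not the actual r9649 change.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed stand-ins for the engine's globals; sizes and values are
 * illustrative only, not FS2Open's real tables. */
#define MAX_WEAPON_TYPES 4
enum { OBJ_SHIP = 1, OBJ_SHOCKWAVE = 2 };

typedef struct { float subsystem_factor; float armor_factor; } weapon_info;
typedef struct { int type; } object;

static weapon_info Weapon_info[MAX_WEAPON_TYPES] = {
    {1.0f, 1.0f}, {2.0f, 0.5f}, {0.5f, 2.0f}, {1.5f, 1.5f},
};
static const object Shockwave_obj = { OBJ_SHOCKWAVE };
static const object Ship_obj      = { OBJ_SHIP };

/* Same shape as the reported line: the index is used with no range check, so a
 * negative or oversized weapon_info_index reads outside the global array (the
 * global-buffer-overflow ASan flagged). Kept for comparison only; never call it
 * with an index that has not been validated. */
static float shockwave_damage_unchecked(float damage_left, float dist,
                                        const object *other_obj, int weapon_info_index) {
    if ((dist < 10.0f) && (other_obj && other_obj->type == OBJ_SHOCKWAVE)) {
        damage_left *= 4.0f * Weapon_info[weapon_info_index].subsystem_factor;
    }
    return damage_left;
}

/* Range check of the kind the function's other Weapon_info[] accesses perform. */
static bool weapon_index_valid(int idx) {
    return idx >= 0 && idx < MAX_WEAPON_TYPES;
}

/* Hardened form: an invalid index means the shockwave bonus is not applied
 * rather than read from whatever lies beside the array. */
static float shockwave_damage_checked(float damage_left, float dist,
                                      const object *other_obj, int weapon_info_index) {
    if ((dist < 10.0f) && (other_obj && other_obj->type == OBJ_SHOCKWAVE)
        && weapon_index_valid(weapon_info_index)) {
        damage_left *= 4.0f * Weapon_info[weapon_info_index].subsystem_factor;
    }
    return damage_left;
}

int main(void) {
    printf("index 1:  %.1f\n", shockwave_damage_checked(10.0f, 5.0f, &Shockwave_obj, 1));  /* 80.0 */
    printf("index -1: %.1f\n", shockwave_damage_checked(10.0f, 5.0f, &Shockwave_obj, -1)); /* 10.0 */
    return 0;
}
```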

Echelon9

2013-04-26 12:12

developer   ~0014962

Fix committed to trunk@9649.

Related Changesets

fs2open: trunk r9649

2013-04-26 09:04

Echelon9


Ported: N/A

Details
Fix Mantis 2854: AddressSanitizer: global-buffer-overflow in do_subobj_hit_stuff()
Affected Issues: 0002854
mod - /trunk/fs2_open/code/ship/shiphit.cpp

Issue History

Date Modified Username Field Change
2013-04-26 12:10 Echelon9 New Issue
2013-04-26 12:10 Echelon9 Status new => assigned
2013-04-26 12:10 Echelon9 Assigned To => Echelon9
2013-04-26 12:11 Echelon9 Summary ERROR: AddressSanitizer: global-buffer-overflow in do_subobj_hit_stuff() => AddressSanitizer: global-buffer-overflow in do_subobj_hit_stuff()
2013-04-26 12:12 Echelon9 Note Added: 0014961
2013-04-26 12:12 Echelon9 Changeset attached => fs2open trunk r9649
2013-04-26 12:12 Echelon9 Note Added: 0014962
2013-04-26 12:12 Echelon9 Status assigned => resolved
2013-04-26 12:12 Echelon9 Resolution open => fixed