View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update
---|---|---|---|---|---
0002953 | FSSCP | public | 2013-11-16 04:59 | 2021-01-10 01:40

Field | Value
---|---
Reporter | Echelon9
Assigned To | 
Priority | normal
Severity | minor
Reproducibility | always
Status | closed
Resolution | suspended
Product Version | 3.7.1
Summary | 0002953: AddressSanitizer: stack-buffer-overflow in ade_set_args()
Description

Reported by AddressSanitizer, a memory error detector for C/C++, in FS2Open builds based on trunk r10041.

```text
ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fff5fbfd320 at pc 0x1028940c0 bp 0x7fff5fbfcb10 sp 0x7fff5fbfcb08
READ of size 4 at 0x7fff5fbfd320 thread T0
    #0 0x1028940bf in ade_set_args lua.cpp:15069
    #1 0x1028971e6 in script_state::CreateLuaState lua.cpp:14631
    #2 0x10292a63b in script_init scripting.cpp:187
    #3 0x10014a1c6 in game_init freespace.cpp:1853
    #4 0x10018b11b in game_main freespace.cpp:6995
    #5 0x10018cdc6 in SDL_main freespace.cpp:7186
    ...
```

The `case 'o'` branch of `ade_set_args()` in lua.cpp, with the reporter's `<================` marker kept as a comment on the `memcpy` of `od.sig`:

```cpp
int ade_set_args(lua_State *L, char *fmt, ...)
{
	//Start throught
	va_list vl;
	int nargs;
	int setargs;	//args actually set

	va_start(vl, fmt);
	nargs = 0;
	setargs = 0;
	while(*fmt != '\0')
	{
		switch(*fmt++)
		{
			...
			case 'o':
			{
				//WMC - char must be 1 byte, foo.
				Assert(sizeof(char)==1);

				//WMC - step by step

				//Copy over objectdata
				ade_odata od = (ade_odata) va_arg(vl, ade_odata);

				//Create new LUA object and get handle
				char *newod = (char*)lua_newuserdata(L, od.size + sizeof(ODATA_SIG_TYPE));

				//Create or get object metatable
				luaL_getmetatable(L, Ade_table_entries[od.idx].Name);

				//Set the metatable for the object
				lua_setmetatable(L, -2);

				//Copy the actual object data to the Lua object
				memcpy(newod, od.buf, od.size);

				//Also copy in the unique sig
				if(od.sig != NULL)
					memcpy(newod + od.size, od.sig, sizeof(ODATA_SIG_TYPE));   // <================
				else
				{
					ODATA_SIG_TYPE tempsig = ODATA_SIG_DEFAULT;
					memcpy(newod + od.size, &tempsig, sizeof(ODATA_SIG_TYPE));
				}
			}
			break;
```
Steps To Reproduce

1. Utilise a version of Clang that supports AddressSanitizer (https://code.google.com/p/address-sanitizer/wiki/AddressSanitizer).
2. Build with the -fsanitize=address C/C++ flag.
3. Run the game with mediavps 3.6.12; the error is reported during startup.
Additional Information

```text
ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fff5fbfd320 at pc 0x1028940c0 bp 0x7fff5fbfcb10 sp 0x7fff5fbfcb08
READ of size 4 at 0x7fff5fbfd320 thread T0
    #0 0x1028940bf in ade_set_args lua.cpp:15069
    #1 0x1028971e6 in script_state::CreateLuaState lua.cpp:14631
    #2 0x10292a63b in script_init scripting.cpp:187
    #3 0x10014a1c6 in game_init freespace.cpp:1853
    #4 0x10018b11b in game_main freespace.cpp:6995
    #5 0x10018cdc6 in SDL_main freespace.cpp:7186
    #6 0x100003401 in -[SDLMain applicationDidFinishLaunching:] SDLMain.m:300
    #7 0x7fff8fb26fcb in __CFNOTIFICATIONCENTER_IS_CALLING_OUT_TO_AN_OBSERVER__ (in CoreFoundation) + 11
    #8 0x7fff8fa1ac5c in _CFXNotificationPost (in CoreFoundation) + 2892
    #9 0x7fff8b4ea4a9 in -[NSNotificationCenter postNotificationName:object:userInfo:] (in Foundation) + 67
    #10 0x7fff8e920b78 in -[NSApplication _postDidFinishNotification] (in AppKit) + 288
    #11 0x7fff8e9208ab in -[NSApplication _sendFinishLaunchingNotification] (in AppKit) + 194
    #12 0x7fff8e91d795 in -[NSApplication(NSAppleEventHandling) _handleAEOpenEvent:] (in AppKit) + 569
    #13 0x7fff8e91d1ea in -[NSApplication(NSAppleEventHandling) _handleCoreEvent:withReplyEvent:] (in AppKit) + 241
    #14 0x7fff8b508ea9 in -[NSAppleEventManager dispatchRawAppleEvent:withRawReply:handlerRefCon:] (in Foundation) + 293
    #15 0x7fff8b508d1c in _NSAppleEventManagerGenericHandler (in Foundation) + 105
    #16 0x7fff8f743e1e in aeDispatchAppleEvent(AEDesc const*, AEDesc*, unsigned int, unsigned char*) (in AE) + 380
    #17 0x7fff8f743c31 in dispatchEventAndSendReply(AEDesc const*, AEDesc*) (in AE) + 30
    #18 0x7fff8f743b35 in aeProcessAppleEvent (in AE) + 314
    #19 0x7fff8c32c5f0 in AEProcessAppleEvent (in HIToolbox) + 55
    #20 0x7fff8e9190f5 in _DPSNextEvent (in AppKit) + 1025
    #21 0x7fff8e9188da in -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] (in AppKit) + 121
    #22 0x7fff8e90c9cb in -[NSApplication run] (in AppKit) + 552
    #23 0x1000054f1 in CustomApplicationMain SDLMain.m:227
    #24 0x100004fca in main SDLMain.m:377
    #25 0x100001f93 in start (in FS2_Open (debug)) + 51
    #26 0x0 in 0x0

Address 0x7fff5fbfd320 is located in stack of thread T0
  at offset 576 in frame
    #0 0x102891f0f in ade_set_args lua.cpp:15011

  This frame has 9 object(s):
    [32, 40) 'L.addr'
    [96, 104) 'fmt.addr'
    [160, 184) 'vl'
    [224, 228) 'nargs'
    [288, 292) 'setargs'
    [352, 360) 's'
    [416, 448) 'od'
    [480, 488) 'newod'
    [544, 548) 'tempsig' <== Memory access at offset 576 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow ??:0 ??
Shadow bytes around the buggy address:
  0x1fffebf7fa10: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1
  0x1fffebf7fa20: 00 f4 f4 f4 f2 f2 f2 f2 00 f4 f4 f4 f2 f2 f2 f2
  0x1fffebf7fa30: 00 00 00 f4 f2 f2 f2 f2 04 f4 f4 f4 f2 f2 f2 f2
  0x1fffebf7fa40: 04 f4 f4 f4 f2 f2 f2 f2 00 f4 f4 f4 f2 f2 f2 f2
  0x1fffebf7fa50: 00 00 00 00 f2 f2 f2 f2 00 f4 f4 f4 f2 f2 f2 f2
=>0x1fffebf7fa60: 04 f4 f4 f4[f3]f3 f3 f3 00 00 00 00 00 00 00 00
  0x1fffebf7fa70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1fffebf7fa80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1fffebf7fa90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1fffebf7faa0: f1 f1 f1 f1 04 f4 f4 f4 f2 f2 f2 f2 00 f4 f4 f4
  0x1fffebf7fab0: f2 f2 f2 f2 00 f4 f4 f4 f2 f2 f2 f2 04 f4 f4 f4
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:     fa
  Heap right redzone:    fb
  Freed heap region:     fd
  Stack left redzone:    f1
  Stack mid redzone:     f2
  Stack right redzone:   f3
  Stack partial redzone: f4
  Stack after return:    f5
  Stack use after scope: f8
  Global redzone:        f9
  Global init order:     f6
  Poisoned by user:      f7
  ASan internal:         fe
==82223==ABORTING
```

Tags: No tags attached.
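The frame description and shadow-byte dump carry everything needed to place the bad access relative to the function's locals. The following added example (my own triage code, not part of the bug report or the FS2Open source) parses that section of an ASan report, maps the faulting offset onto the listed locals and decodes the bracketed shadow byte; the sample text is constructed from the values in the report above.

```python
import re

# Constructed sample: the frame description and the marked shadow line copied
# from the ASan report on this page; the parsing code is my own, not the project's.
SAMPLE_REPORT = """\
READ of size 4 at 0x7fff5fbfd320 thread T0
Address 0x7fff5fbfd320 is located in stack of thread T0 at offset 576 in frame
    #0 0x102891f0f in ade_set_args lua.cpp:15011
  This frame has 9 object(s):
    [32, 40) 'L.addr'
    [96, 104) 'fmt.addr'
    [160, 184) 'vl'
    [224, 228) 'nargs'
    [288, 292) 'setargs'
    [352, 360) 's'
    [416, 448) 'od'
    [480, 488) 'newod'
    [544, 548) 'tempsig' <== Memory access at offset 576 overflows this variable
=>0x1fffebf7fa60: 04 f4 f4 f4[f3]f3 f3 f3 00 00 00 00 00 00 00 00
"""

# Stack and heap entries of the shadow-byte legend ASan prints at the end of a report.
SHADOW_LEGEND = {"f1": "stack left redzone", "f2": "stack mid redzone",
                 "f3": "stack right redzone", "f4": "stack partial redzone",
                 "f5": "stack after return", "f8": "stack use after scope",
                 "fa": "heap left redzone", "fb": "heap right redzone", "fd": "freed heap region"}

def parse_frame(report):
    """Return (in-frame offset, access size, [(lo, hi, name), ...]) from the frame description."""
    size = int(re.search(r"(?:READ|WRITE) of size (\d+)", report).group(1))
    offset = int(re.search(r"at offset (\d+) in frame", report).group(1))
    objs = [(int(lo), int(hi), name) for lo, hi, name
            in re.findall(r"\[(\d+), (\d+)\) '([^']+)'", report)]
    return offset, size, objs

def classify_access(report):
    """Place the faulting offset in the frame layout and decode the bracketed shadow byte."""
    offset, size, objs = parse_frame(report)
    # 'inside' is set when the access starts within a listed local (a partial overrun);
    # otherwise 'past_end_of' names the nearest local below it and 'bytes_past_end' the gap.
    result = {"offset": offset, "size": size, "past_end_of": None, "bytes_past_end": None,
              "inside": next((n for lo, hi, n in objs if lo <= offset < hi), None), "shadow": None}
    below = [(hi, name) for lo, hi, name in objs if hi <= offset]
    if below:
        hi, name = max(below)
        result["past_end_of"], result["bytes_past_end"] = name, offset - hi
    m = re.search(r"\[([0-9a-f]{2})\]", report)   # ASan brackets the faulting shadow byte
    if m:
        result["shadow"] = SHADOW_LEGEND.get(m.group(1), "addressable or partial")
    return result
```

For this report the access lands 28 bytes beyond the last listed local, tempsig, in the stack right redzone (the f3 byte the shadow dump brackets), i.e. outside every instrumented object of the frame rather than partway through one.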
Date Modified | Username | Field | Change |
---|---|---|---|
2013-11-16 04:59 | Echelon9 | New Issue | |
2013-11-20 08:32 | Echelon9 | Assigned To | => Echelon9 |
2013-11-20 08:32 | Echelon9 | Status | new => assigned |
2015-04-16 04:24 | Goober5000 | Target Version | 3.7.2 => |
2021-01-10 01:40 | MjnMixael | Assigned To | Echelon9 => |
2021-01-10 01:40 | MjnMixael | Status | assigned => closed |
2021-01-10 01:40 | MjnMixael | Resolution | open => suspended |
2021-01-10 01:40 | MjnMixael | Note Added | 0017097 |