View Issue Details

ID: 0002968
Project: FSSCP
Category:
View Status: public
Last Update: 2013-12-01 01:58
Reporter: Echelon9
Assigned To: Echelon9
Priority: normal
Severity: major
Reproducibility: always
Status: resolved
Resolution: fixed
Target Version: 3.7.2
Summary: 0002968: AddressSanitizer: global-buffer-overflow in shield_info_reset() - relates to hud_target_change_check()
Description:
Reported by AddressSanitizer, a memory error detector for C/C++, in FS2Open builds based on trunk r10174.

ERROR: AddressSanitizer: global-buffer-overflow on address 0x000103ef2464 at pc 0x100a5eade bp 0x7fff5fbfba70 sp 0x7fff5fbfba68
READ of size 4 at 0x000103ef2464 thread T0
==7964==WARNING: Trying to symbolize code, but external symbolizer is not initialized!
    #0 0x100a5eadd in shield_info_reset hudshield.cpp:485
    #1 0x100a54c44 in hud_shield_hit_reset hudshield.cpp:514
    #2 0x1009b4d1c in hud_target_change_check hudtarget.cpp:4446
    #3 0x100cbe953 in hud_update_frame hud.cpp:1468
    #4 0x10016d992 in game_simulation_frame freespace.cpp:4044
    #5 0x100172671 in game_frame freespace.cpp:4399
    #6 0x10017806b in game_do_frame freespace.cpp:4814
    #7 0x100183ca0 in game_do_state freespace.cpp:6494
    #8 0x1007bdc82 in gameseq_process_events gamesequence.cpp:409
    #9 0x10018a6d8 in game_main freespace.cpp:7061
    ...

// reset the shield_hit_info data structure
// pass NULL as objp if you only need to initialize a shield_hit_info without an
// associated ship
void shield_info_reset(object *objp, shield_hit_info *shi)
{
    ...

    if (objp == NULL) {
        ...
    } else {
        shi->members = objp->n_quadrants + 1; <==== Invalid objp pointer
        ...
    }
}

void hud_shield_hit_reset(object *objp, int player)
{
    shield_hit_info *shi;

    if (player) {
        shi = &Shield_hit_data[SHIELD_HIT_PLAYER];
    } else {
        shi = &Shield_hit_data[SHIELD_HIT_TARGET];
    }

    shield_info_reset(objp, shi);
}

void hud_target_change_check()
{
    ...

    // Check if player subsystem target has changed, and reset necessary player flag
    if ( Player_ai->targeted_subsys != Player_ai->last_subsys_target ) {
        Player->subsys_in_view=-1;
    }

    // check if the main target has changed
    if (Player_ai->last_target != Player_ai->target_objnum) {

        if ( Player_ai->target_objnum != -1){
            snd_play( &Snds[ship_get_sound(Player_obj, SND_TARGET_ACQUIRE)], 0.0f );
        }

        ...

        player_stop_cargo_scan_sound();
        // target_objnum can still be -1 here (the check above only gates the
        // sound), so this forms &Objects[-1] and shield_info_reset() reads
        // n_quadrants from before the array: the READ reported by ASan.
        hud_shield_hit_reset(&Objects[Player_ai->target_objnum]);
Steps To Reproduce:
1. Utilise a version of Clang that supports AddressSanitizer (https://code.google.com/p/address-sanitizer/wiki/AddressSanitizer).
2. Build with the -fsanitize=address C/C++ flag.
3. Run the game with mediavps 3.6.12 and destroy your target. Within a short period of time this bug should appear.
Additional Information:
ERROR: AddressSanitizer: global-buffer-overflow on address 0x000103ef2464 at pc 0x100a5eade bp 0x7fff5fbfba70 sp 0x7fff5fbfba68
READ of size 4 at 0x000103ef2464 thread T0
==7964==WARNING: Trying to symbolize code, but external symbolizer is not initialized!
    #0 0x100a5eadd in shield_info_reset hudshield.cpp:485
    #1 0x100a54c44 in hud_shield_hit_reset hudshield.cpp:514
    #2 0x1009b4d1c in hud_target_change_check hudtarget.cpp:4446
    #3 0x100cbe953 in hud_update_frame hud.cpp:1468
    #4 0x10016d992 in game_simulation_frame freespace.cpp:4044
    #5 0x100172671 in game_frame freespace.cpp:4399
    #6 0x10017806b in game_do_frame freespace.cpp:4814
    #7 0x100183ca0 in game_do_state freespace.cpp:6494
    #8 0x1007bdc82 in gameseq_process_events gamesequence.cpp:409
    #9 0x10018a6d8 in game_main freespace.cpp:7061
    #10 0x10018be46 in SDL_main freespace.cpp:7195
    #11 0x100002741 in -[SDLMain applicationDidFinishLaunching:] SDLMain.m:300
    #12 0x7fff8df88fcb in __CFNOTIFICATIONCENTER_IS_CALLING_OUT_TO_AN_OBSERVER__ (in CoreFoundation) + 11
    #13 0x7fff8de7cc5c in _CFXNotificationPost (in CoreFoundation) + 2892
    #14 0x7fff85e6d4a9 in -[NSNotificationCenter postNotificationName:object:userInfo:] (in Foundation) + 67
    #15 0x7fff8ae42b78 in -[NSApplication _postDidFinishNotification] (in AppKit) + 288
    #16 0x7fff8ae428ab in -[NSApplication _sendFinishLaunchingNotification] (in AppKit) + 194
    #17 0x7fff8ae3f795 in -[NSApplication(NSAppleEventHandling) _handleAEOpenEvent:] (in AppKit) + 569
    #18 0x7fff8ae3f1ea in -[NSApplication(NSAppleEventHandling) _handleCoreEvent:withReplyEvent:] (in AppKit) + 241
    #19 0x7fff85e8bea9 in -[NSAppleEventManager dispatchRawAppleEvent:withRawReply:handlerRefCon:] (in Foundation) + 293
    #20 0x7fff85e8bd1c in _NSAppleEventManagerGenericHandler (in Foundation) + 105
    #21 0x7fff8d19fe1e in aeDispatchAppleEvent(AEDesc const*, AEDesc*, unsigned int, unsigned char*) (in AE) + 380
    #22 0x7fff8d19fc31 in dispatchEventAndSendReply(AEDesc const*, AEDesc*) (in AE) + 30
    #23 0x7fff8d19fb35 in aeProcessAppleEvent (in AE) + 314
    #24 0x7fff8aa4f5f0 in AEProcessAppleEvent (in HIToolbox) + 55
    #25 0x7fff8ae3b0f5 in _DPSNextEvent (in AppKit) + 1025
    #26 0x7fff8ae3a8da in -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] (in AppKit) + 121
    #27 0x7fff8ae2e9cb in -[NSApplication run] (in AppKit) + 552
    #28 0x100004831 in CustomApplicationMain SDLMain.m:227
    #29 0x10000430a in main SDLMain.m:377
    #30 0x1000012d3 in start (in FS2_Open (debug)) + 51
    #31 0x0 in 0x0

0x000103ef2464 is located 28 bytes to the left of global variable 'Viewer_obj' from 'fs2open/trunk/fs2_open/code/object/object.cpp' (0x103ef2480) of size 8
0x000103ef2464 is located 28 bytes to the right of global variable 'Player_obj' from 'fs2open/trunk/fs2_open/code/object/object.cpp' (0x103ef2440) of size 8
SUMMARY: AddressSanitizer: global-buffer-overflow ??:0 ??
Shadow bytes around the buggy address:
  0x1000207de430: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000207de440: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000207de450: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000207de460: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000207de470: 00 00 00 00 00 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
=>0x1000207de480: f9 f9 f9 f9 f9 f9 f9 f9 00 f9 f9 f9[f9]f9 f9 f9
  0x1000207de490: 00 f9 f9 f9 f9 f9 f9 f9 00 00 00 00 00 00 00 00
  0x1000207de4a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000207de4b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000207de4c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000207de4d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable: 00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone: fa
  Heap right redzone: fb
  Freed heap region: fd
  Stack left redzone: f1
  Stack mid redzone: f2
  Stack right redzone: f3
  Stack partial redzone: f4
  Stack after return: f5
  Stack use after scope: f8
  Global redzone: f9
  Global init order: f6
  Poisoned by user: f7
  Contiguous container OOB:fc
  ASan internal: fe
==7964==ABORTING
Tags: No tags attached.
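The pattern behind this report, as an added example that is not FS2Open code: a caller that turns the -1 "no target" index into a pointer before checking it, beside a guarded caller that validates the index and hands shield_info_reset() a NULL objp instead. Only the field names (n_quadrants, members), the Objects array name and the NULL contract of shield_info_reset() come from the excerpt above; the struct layouts, the array size, the NO_TARGET and MAX_OBJECTS constants and the reset_* helpers are assumptions for illustration.

```cpp
#include <cstddef>
#include <cstdio>

// Simplified stand-ins for the engine structs in the excerpt above
// (field names borrowed from it; everything else is assumed for this example).
struct object {
    int n_quadrants;
};

struct shield_hit_info {
    int members;
};

// -1 is the "no target" value seen in hud_target_change_check(); the size is assumed.
const int NO_TARGET = -1;
const int MAX_OBJECTS = 8;

// Constructed sample data: every object has four shield quadrants.
object Objects[MAX_OBJECTS] = { {4}, {4}, {4}, {4}, {4}, {4}, {4}, {4} };

// Same contract as the excerpt: a NULL objp initialises a bare structure,
// a real objp derives members from the object.
void shield_info_reset(object *objp, shield_hit_info *shi)
{
    if (objp == NULL) {
        shi->members = 0;
    } else {
        shi->members = objp->n_quadrants + 1;
    }
}

// Unguarded caller, the shape of the reported bug: with objnum == -1 the
// expression &Objects[-1] forms a pointer before the array, and the read of
// n_quadrants inside shield_info_reset() lands in whatever global precedes
// Objects. Under -fsanitize=address that is a global-buffer-overflow report.
// Kept for contrast only; never call it with NO_TARGET.
void reset_unguarded(int objnum, shield_hit_info *shi)
{
    shield_info_reset(&Objects[objnum], shi);
}

// Range check on the index itself, applied before it is turned into a pointer.
bool valid_objnum(int objnum)
{
    return objnum >= 0 && objnum < MAX_OBJECTS;
}

// Guarded caller: an out-of-range index (including the -1 sentinel) becomes a
// NULL objp, so shield_info_reset() takes its "no associated ship" branch
// instead of dereferencing a pointer outside Objects.
void reset_guarded(int objnum, shield_hit_info *shi)
{
    object *objp = valid_objnum(objnum) ? &Objects[objnum] : NULL;
    shield_info_reset(objp, shi);
}

// Returns the resulting members count so the guarded behaviour is checkable.
int members_after_guarded_reset(int objnum)
{
    shield_hit_info shi = { -99 };
    reset_guarded(objnum, &shi);
    return shi.members;
}

int main()
{
    std::printf("target 3  -> members %d\n", members_after_guarded_reset(3));
    std::printf("no target -> members %d\n", members_after_guarded_reset(NO_TARGET));
    return 0;
}
```

Building this with -fsanitize=address and calling reset_unguarded(NO_TARGET, &shi) produces a global-buffer-overflow READ just before Objects, the same class of report as the one above; the guarded caller never forms the bad pointer at all, which is why the check belongs on the index rather than on the pointer that is derived from it.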

Activities

Echelon9 (developer), 2013-12-01 01:58, note ~0015475:
Fix committed to trunk@10175.

Related Changesets

fs2open: trunk r10175 (2013-11-30 21:27, Echelon9)
Ported: N/A
Fix Mantis 2968: AddressSanitizer: global-buffer-overflow in shield_info_reset() - relates to hud_target_change_check()
Affected Issues: 0002968
mod - /trunk/fs2_open/code/hud/hudtarget.cpp

Issue History

Date Modified Username Field Change
2013-12-01 01:38 Echelon9 New Issue
2013-12-01 01:38 Echelon9 Status new => assigned
2013-12-01 01:38 Echelon9 Assigned To => Echelon9
2013-12-01 01:58 Echelon9 Changeset attached => fs2open trunk r10175
2013-12-01 01:58 Echelon9 Note Added: 0015475
2013-12-01 01:58 Echelon9 Status assigned => resolved
2013-12-01 01:58 Echelon9 Resolution open => fixed