2018-12-15 23:27 EST


View Issue Details Jump to Notes ] Related Changesets ]
IDProjectCategoryView StatusLast Update
0002970FSSCPmultiplayerpublic2013-12-03 07:18
ReporterEchelon9 
Assigned ToEchelon9 
PrioritynormalSeverityminorReproducibilityrandom
StatusresolvedResolutionfixed 
Product Version3.7.1 
Target Version3.7.2Fixed in Version 
Summary0002970: AddressSanitizer: global-buffer-overflow in show_ship_subsys_count()
DescriptionReported by AddressSanitizer, a memory error detector for C/C++, in FS2Open builds based on trunk r10186.

ERROR: AddressSanitizer: global-buffer-overflow on address 0x00010455cab4 at pc 0x10217a814 bp 0x7fff5fbf80d0 sp 0x7fff5fbf80c8
READ of size 4 at 0x00010455cab4 thread T0
==14980==WARNING: Trying to symbolize code, but external symbolizer is not initialized!
    #0 0x10217a813 in show_ship_subsys_count ship.cpp:8867
    0000001 0x10217e159 in ship_create ship.cpp:9004
    0000002 0x1010830a7 in parse_create_object_sub missionparse.cpp:1777
    0000003 0x101095e3b in parse_create_object missionparse.cpp:1736
    0000004 0x1016c3b84 in multi_respawn_common_stuff multi_respawn.cpp:332
    0000005 0x1016cdeaf in multi_respawn_ai multi_respawn.cpp:493
    0000006 0x1016d011b in multi_respawn_process_packet multi_respawn.cpp:651
    0000007 0x1015d734f in process_packet_normal multi.cpp:666
    0000008 0x1015dae2c in multi_process_bigdata multi.cpp:977
    0000009 0x1015dd1e0 in multi_process_incoming multi.cpp:1093
    0000010 0x1015dd5b5 in multi_do_frame multi.cpp:1149
    #11 0x10013f57f in game_do_networking freespace.cpp:1097
    0000012 0x10017936d in game_do_state_common freespace.cpp:6425
    0000013 0x100184799 in game_do_state freespace.cpp:6440
    0000014 0x1007bea02 in gameseq_process_events gamesequence.cpp:409
    0000015 0x10018b3e8 in game_main freespace.cpp:7062
    ...

void show_ship_subsys_count()
{
    object *objp;
    int count = 0;
    int o_type = 0;

    for ( objp = GET_FIRST(&obj_used_list); objp != END_OF_LIST(&obj_used_list); objp = GET_NEXT(objp) ) {
        o_type = (int)objp->type;
        if (o_type == OBJ_SHIP) {
            count += Ship_info[Ships[o_type].ship_info_index].n_subsystems; <===== HERE
        }
    }

    if (count > Ship_subsys_hwm) {
        Ship_subsys_hwm = count;
    }
}
Steps To Reproduce1. Utilise a version of Clang that supports AddressSantizer (https://code.google.com/p/address-sanitizer/wiki/AddressSanitizer).
2. Build with -fsanitize=address C/C++ flag
3. Run the game with mediavps 3.6.12, and join a multiplayer game hosted on a standalone server. With enough in game activity, you will eventually trigger this bug - it's not yet clear if Player action causes it.
Additional InformationERROR: AddressSanitizer: global-buffer-overflow on address 0x00010455cab4 at pc 0x10217a814 bp 0x7fff5fbf80d0 sp 0x7fff5fbf80c8
READ of size 4 at 0x00010455cab4 thread T0
==14980==WARNING: Trying to symbolize code, but external symbolizer is not initialized!
    #0 0x10217a813 in show_ship_subsys_count ship.cpp:8867
    0000001 0x10217e159 in ship_create ship.cpp:9004
    0000002 0x1010830a7 in parse_create_object_sub missionparse.cpp:1777
    0000003 0x101095e3b in parse_create_object missionparse.cpp:1736
    0000004 0x1016c3b84 in multi_respawn_common_stuff multi_respawn.cpp:332
    0000005 0x1016cdeaf in multi_respawn_ai multi_respawn.cpp:493
    0000006 0x1016d011b in multi_respawn_process_packet multi_respawn.cpp:651
    0000007 0x1015d734f in process_packet_normal multi.cpp:666
    0000008 0x1015dae2c in multi_process_bigdata multi.cpp:977
    0000009 0x1015dd1e0 in multi_process_incoming multi.cpp:1093
    0000010 0x1015dd5b5 in multi_do_frame multi.cpp:1149
    #11 0x10013f57f in game_do_networking freespace.cpp:1097
    0000012 0x10017936d in game_do_state_common freespace.cpp:6425
    0000013 0x100184799 in game_do_state freespace.cpp:6440
    0000014 0x1007bea02 in gameseq_process_events gamesequence.cpp:409
    0000015 0x10018b3e8 in game_main freespace.cpp:7062
    0000016 0x10018cb56 in SDL_main freespace.cpp:7196
    0000017 0x100003451 in -[SDLMain applicationDidFinishLaunching:] SDLMain.m:300
    0000018 0x7fff8df88fcb in __CFNOTIFICATIONCENTER_IS_CALLING_OUT_TO_AN_OBSERVER__ (in CoreFoundation) + 11
    0000019 0x7fff8de7cc5c in _CFXNotificationPost (in CoreFoundation) + 2892
    0000020 0x7fff85e6d4a9 in -[NSNotificationCenter postNotificationName:object:userInfo:] (in Foundation) + 67
    0000021 0x7fff8ae42b78 in -[NSApplication _postDidFinishNotification] (in AppKit) + 288
    0000022 0x7fff8ae428ab in -[NSApplication _sendFinishLaunchingNotification] (in AppKit) + 194
    0000023 0x7fff8ae3f795 in -[NSApplication(NSAppleEventHandling) _handleAEOpenEvent:] (in AppKit) + 569
    0000024 0x7fff8ae3f1ea in -[NSApplication(NSAppleEventHandling) _handleCoreEvent:withReplyEvent:] (in AppKit) + 241
    0000025 0x7fff85e8bea9 in -[NSAppleEventManager dispatchRawAppleEvent:withRawReply:handlerRefCon:] (in Foundation) + 293
    0000026 0x7fff85e8bd1c in _NSAppleEventManagerGenericHandler (in Foundation) + 105
    0000027 0x7fff8d19fe1e in aeDispatchAppleEvent(AEDesc const*, AEDesc*, unsigned int, unsigned char*) (in AE) + 380
    0000028 0x7fff8d19fc31 in dispatchEventAndSendReply(AEDesc const*, AEDesc*) (in AE) + 30
    0000029 0x7fff8d19fb35 in aeProcessAppleEvent (in AE) + 314
    0000030 0x7fff8aa4f5f0 in AEProcessAppleEvent (in HIToolbox) + 55
    0000031 0x7fff8ae3b0f5 in _DPSNextEvent (in AppKit) + 1025
    0000032 0x7fff8ae3a8da in -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] (in AppKit) + 121
    0000033 0x7fff8ae2e9cb in -[NSApplication run] (in AppKit) + 552
    0000034 0x100005541 in CustomApplicationMain SDLMain.m:227
    0000035 0x10000501a in main SDLMain.m:377
    0000036 0x100001fe3 in start (in FS2_Open (debug)) + 51
    0000037 0x0 in 0x0

0x00010455cab4 is located 3540 bytes to the right of global variable 'Wings' from 'fs2_open/code/ship/ship.cpp' (0x104550ac0) of size 45600
SUMMARY: AddressSanitizer: global-buffer-overflow ??:0 ??
Shadow bytes around the buggy address:
  0x1000208ab900: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
  0x1000208ab910: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
  0x1000208ab920: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
  0x1000208ab930: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
  0x1000208ab940: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
=>0x1000208ab950: f9 f9 f9 f9 f9 f9[f9]f9 f9 f9 f9 f9 f9 f9 f9 f9
  0x1000208ab960: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
  0x1000208ab970: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
  0x1000208ab980: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
  0x1000208ab990: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
  0x1000208ab9a0: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable: 00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone: fa
  Heap right redzone: fb
  Freed heap region: fd
  Stack left redzone: f1
  Stack mid redzone: f2
  Stack right redzone: f3
  Stack partial redzone: f4
  Stack after return: f5
  Stack use after scope: f8
  Global redzone: f9
  Global init order: f6
  Poisoned by user: f7
  Contiguous container OOB:fc
  ASan internal: fe
==14980==ABORTING
TagsNo tags attached.
Attached Files

-Relationships
+Relationships

-Notes

~0015496

Echelon9 (developer)

The offending line of code just looks wrong. Should "o_type" be instead "objp->instance"?

This would result in a more common form of Ship_info[Ships[objp->instance].ship_info_index].n_subsystems

~0015497

Echelon9 (developer)

Fix committed to trunk@10187.
+Notes

+Related Changesets

-Issue History
Date Modified Username Field Change
2013-12-03 07:11 Echelon9 New Issue
2013-12-03 07:16 Echelon9 Note Added: 0015496
2013-12-03 07:16 Echelon9 Assigned To => Echelon9
2013-12-03 07:16 Echelon9 Status new => assigned
2013-12-03 07:18 Echelon9 Changeset attached => fs2open trunk r10187
2013-12-03 07:18 Echelon9 Note Added: 0015497
2013-12-03 07:18 Echelon9 Status assigned => resolved
2013-12-03 07:18 Echelon9 Resolution open => fixed
+Issue History