View Issue Details
| ID | Project | Category | View Status | Date Submitted | Last Update |
|---|---|---|---|---|---|
| 0002970 | FSSCP | multiplayer | public | 2013-12-03 12:11 | 2013-12-03 12:18 |
| Reporter | Echelon9 | Assigned To | Echelon9 | ||
| Priority | normal | Severity | minor | Reproducibility | random |
| Status | resolved | Resolution | fixed | ||
| Product Version | 3.7.1 | ||||
| Target Version | 3.7.2 | ||||
| Summary | 0002970: AddressSanitizer: global-buffer-overflow in show_ship_subsys_count() | ||||
| Description | Reported by AddressSanitizer, a memory error detector for C/C++, in FS2Open builds based on trunk r10186. ERROR: AddressSanitizer: global-buffer-overflow on address 0x00010455cab4 at pc 0x10217a814 bp 0x7fff5fbf80d0 sp 0x7fff5fbf80c8 READ of size 4 at 0x00010455cab4 thread T0 ==14980==WARNING: Trying to symbolize code, but external symbolizer is not initialized! #0 0x10217a813 in show_ship_subsys_count ship.cpp:8867 0000001 0x10217e159 in ship_create ship.cpp:9004 0000002 0x1010830a7 in parse_create_object_sub missionparse.cpp:1777 0000003 0x101095e3b in parse_create_object missionparse.cpp:1736 0000004 0x1016c3b84 in multi_respawn_common_stuff multi_respawn.cpp:332 0000005 0x1016cdeaf in multi_respawn_ai multi_respawn.cpp:493 0000006 0x1016d011b in multi_respawn_process_packet multi_respawn.cpp:651 0000007 0x1015d734f in process_packet_normal multi.cpp:666 0000008 0x1015dae2c in multi_process_bigdata multi.cpp:977 0000009 0x1015dd1e0 in multi_process_incoming multi.cpp:1093 0000010 0x1015dd5b5 in multi_do_frame multi.cpp:1149 #11 0x10013f57f in game_do_networking freespace.cpp:1097 0000012 0x10017936d in game_do_state_common freespace.cpp:6425 0000013 0x100184799 in game_do_state freespace.cpp:6440 0000014 0x1007bea02 in gameseq_process_events gamesequence.cpp:409 0000015 0x10018b3e8 in game_main freespace.cpp:7062 ... void show_ship_subsys_count() { object *objp; int count = 0; int o_type = 0; for ( objp = GET_FIRST(&obj_used_list); objp != END_OF_LIST(&obj_used_list); objp = GET_NEXT(objp) ) { o_type = (int)objp->type; if (o_type == OBJ_SHIP) { count += Ship_info[Ships[o_type].ship_info_index].n_subsystems; <===== HERE } } if (count > Ship_subsys_hwm) { Ship_subsys_hwm = count; } } | ||||
| Steps To Reproduce | 1. Utilise a version of Clang that supports AddressSantizer (https://code.google.com/p/address-sanitizer/wiki/AddressSanitizer). 2. Build with -fsanitize=address C/C++ flag 3. Run the game with mediavps 3.6.12, and join a multiplayer game hosted on a standalone server. With enough in game activity, you will eventually trigger this bug - it's not yet clear if Player action causes it. | ||||
| Additional Information | ERROR: AddressSanitizer: global-buffer-overflow on address 0x00010455cab4 at pc 0x10217a814 bp 0x7fff5fbf80d0 sp 0x7fff5fbf80c8 READ of size 4 at 0x00010455cab4 thread T0 ==14980==WARNING: Trying to symbolize code, but external symbolizer is not initialized! #0 0x10217a813 in show_ship_subsys_count ship.cpp:8867 0000001 0x10217e159 in ship_create ship.cpp:9004 0000002 0x1010830a7 in parse_create_object_sub missionparse.cpp:1777 0000003 0x101095e3b in parse_create_object missionparse.cpp:1736 0000004 0x1016c3b84 in multi_respawn_common_stuff multi_respawn.cpp:332 0000005 0x1016cdeaf in multi_respawn_ai multi_respawn.cpp:493 0000006 0x1016d011b in multi_respawn_process_packet multi_respawn.cpp:651 0000007 0x1015d734f in process_packet_normal multi.cpp:666 0000008 0x1015dae2c in multi_process_bigdata multi.cpp:977 0000009 0x1015dd1e0 in multi_process_incoming multi.cpp:1093 0000010 0x1015dd5b5 in multi_do_frame multi.cpp:1149 #11 0x10013f57f in game_do_networking freespace.cpp:1097 0000012 0x10017936d in game_do_state_common freespace.cpp:6425 0000013 0x100184799 in game_do_state freespace.cpp:6440 0000014 0x1007bea02 in gameseq_process_events gamesequence.cpp:409 0000015 0x10018b3e8 in game_main freespace.cpp:7062 0000016 0x10018cb56 in SDL_main freespace.cpp:7196 0000017 0x100003451 in -[SDLMain applicationDidFinishLaunching:] SDLMain.m:300 0000018 0x7fff8df88fcb in __CFNOTIFICATIONCENTER_IS_CALLING_OUT_TO_AN_OBSERVER__ (in CoreFoundation) + 11 0000019 0x7fff8de7cc5c in _CFXNotificationPost (in CoreFoundation) + 2892 0000020 0x7fff85e6d4a9 in -[NSNotificationCenter postNotificationName:object:userInfo:] (in Foundation) + 67 0000021 0x7fff8ae42b78 in -[NSApplication _postDidFinishNotification] (in AppKit) + 288 0000022 0x7fff8ae428ab in -[NSApplication _sendFinishLaunchingNotification] (in AppKit) + 194 0000023 0x7fff8ae3f795 in -[NSApplication(NSAppleEventHandling) _handleAEOpenEvent:] (in AppKit) + 569 0000024 0x7fff8ae3f1ea in -[NSApplication(NSAppleEventHandling) _handleCoreEvent:withReplyEvent:] (in AppKit) + 241 0000025 0x7fff85e8bea9 in -[NSAppleEventManager dispatchRawAppleEvent:withRawReply:handlerRefCon:] (in Foundation) + 293 0000026 0x7fff85e8bd1c in _NSAppleEventManagerGenericHandler (in Foundation) + 105 0000027 0x7fff8d19fe1e in aeDispatchAppleEvent(AEDesc const*, AEDesc*, unsigned int, unsigned char*) (in AE) + 380 0000028 0x7fff8d19fc31 in dispatchEventAndSendReply(AEDesc const*, AEDesc*) (in AE) + 30 0000029 0x7fff8d19fb35 in aeProcessAppleEvent (in AE) + 314 0000030 0x7fff8aa4f5f0 in AEProcessAppleEvent (in HIToolbox) + 55 0000031 0x7fff8ae3b0f5 in _DPSNextEvent (in AppKit) + 1025 0000032 0x7fff8ae3a8da in -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] (in AppKit) + 121 0000033 0x7fff8ae2e9cb in -[NSApplication run] (in AppKit) + 552 0000034 0x100005541 in CustomApplicationMain SDLMain.m:227 0000035 0x10000501a in main SDLMain.m:377 0000036 0x100001fe3 in start (in FS2_Open (debug)) + 51 0000037 0x0 in 0x0 0x00010455cab4 is located 3540 bytes to the right of global variable 'Wings' from 'fs2_open/code/ship/ship.cpp' (0x104550ac0) of size 45600 SUMMARY: AddressSanitizer: global-buffer-overflow ??:0 ?? Shadow bytes around the buggy address: 0x1000208ab900: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 0x1000208ab910: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 0x1000208ab920: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 0x1000208ab930: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 0x1000208ab940: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 =>0x1000208ab950: f9 f9 f9 f9 f9 f9[f9]f9 f9 f9 f9 f9 f9 f9 f9 f9 0x1000208ab960: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 0x1000208ab970: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 0x1000208ab980: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 0x1000208ab990: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 0x1000208ab9a0: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Heap right redzone: fb Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack partial redzone: f4 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Contiguous container OOB:fc ASan internal: fe ==14980==ABORTING | ||||
| Tags | No tags attached. | ||||
|
|
The offending line of code just looks wrong. Should "o_type" be instead "objp->instance"? This would result in a more common form of Ship_info[Ships[objp->instance].ship_info_index].n_subsystems |
|
|
Fix committed to trunk@10187. |
| Date Modified | Username | Field | Change |
|---|---|---|---|
| 2013-12-03 12:11 | Echelon9 | New Issue | |
| 2013-12-03 12:16 | Echelon9 | Note Added: 0015496 | |
| 2013-12-03 12:16 | Echelon9 | Assigned To | => Echelon9 |
| 2013-12-03 12:16 | Echelon9 | Status | new => assigned |
| 2013-12-03 12:18 | Echelon9 | Changeset attached | => fs2open trunk r10187 |
| 2013-12-03 12:18 | Echelon9 | Note Added: 0015497 | |
| 2013-12-03 12:18 | Echelon9 | Status | assigned => resolved |
| 2013-12-03 12:18 | Echelon9 | Resolution | open => fixed |
