View Issue Details

ID: 0002976
Project: FSSCP
Category: AI
View Status: public
Last Update: 2014-04-25 12:47
Reporter: Echelon9
Assigned To: Echelon9
Priority: normal
Severity: major
Reproducibility: sometimes
Status: resolved
Resolution: fixed
Product Version: 3.7.0
Target Version: 3.7.1
Fixed in Version: 3.7.2
Summary: 0002976: AddressSanitizer: global-buffer-overflow in firing_aspect_seeking_bomb()
Description: Reported by AddressSanitizer, a memory error detector for C/C++, in FS2Open builds based on trunk r10205.

AddressSanitizer: global-buffer-overflow on address 0x000104cc0688 at pc 0x1004b2b57 bp 0x7fff5fbf7730 sp 0x7fff5fbf7728
READ of size 4 at 0x000104cc0688 thread T0
==31697==WARNING: Trying to symbolize code, but external symbolizer is not initialized!
    #0 0x1004b2b56 in firing_aspect_seeking_bomb aicode.cpp:14775
    #1 0x1004b9816 in ai_ship_hit aicode.cpp:15013
    #2 0x102006a1d in ship_apply_local_damage shiphit.cpp:2388
    #3 0x101b14cbe in ship_weapon_do_hit_stuff collideshipweapon.cpp:94
    #4 0x101b1c59c in ship_weapon_check_collision collideshipweapon.cpp:403
    #5 0x101b1e738 in collide_ship_weapon collideshipweapon.cpp:479
    #6 0x101aeb8ff in obj_collide_pair objcollide.cpp:1645
    #7 0x101ae37c6 in obj_find_overlap_colliders objcollide.cpp:1265
    #8 0x101adfc8a in obj_sort_and_collide objcollide.cpp:1230
    #9 0x101abcfb0 in obj_move_all object.cpp:1502
    #10 0x10016daba in game_simulation_frame freespace.cpp:4007
    #11 0x100172ba1 in game_frame freespace.cpp:4400
    #12 0x10017859b in game_do_frame freespace.cpp:4815
    #13 0x1001841d0 in game_do_state freespace.cpp:6495
    #14 0x1007be222 in gameseq_process_events gamesequence.cpp:409
    #15 0x10018ac08 in game_main freespace.cpp:7062
    ....


// Return true if *objp has armed an aspect seeking bomb.
// This function written so a ship with an important bomb to fire will willingly take hits in the face to fire its bomb.
int firing_aspect_seeking_bomb(object *objp)
{
    ship *shipp;
    int bank_index;
    ship_weapon *swp;

    shipp = &Ships[objp->instance];

    swp = &shipp->weapons;

    bank_index = swp->current_secondary_bank;

    if (bank_index != -1)
        if (swp->secondary_bank_ammo[bank_index] > 0) {
            if (Weapon_info[swp->secondary_bank_weapons[bank_index]].wi_flags & WIF_BOMB) { <==== HERE
                if (Weapon_info[swp->secondary_bank_weapons[bank_index]].wi_flags & WIF_HOMING_ASPECT) {
                    return 1;
                }
            }
        }

    return 0;
}
Steps To Reproduce:
1. Utilise a version of Clang that supports AddressSanitizer (https://code.google.com/p/address-sanitizer/wiki/AddressSanitizer).
2. Build with the -fsanitize=address C/C++ flag.
3. Run the game with Diaspora. Play through Flight; soon after you leave the launch tube it should trigger -- not directly player controlled though.
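The description above shows the index chain that ASan flagged: the only guard is on bank_index, while the value read out of secondary_bank_weapons[] is used to index Weapon_info[] without any range check. As an added example, not code from the FS2Open project or from this report, here is a stand-alone C++ model of that chain with a range-checked variant beside it. The struct and array names mirror the page's code; the array sizes, flag bits, table contents, the make_ship() helper and the bank_check reason codes are constructed for this example, and the checked variant is one way to guard the lookup, not the change made in r10596. One caveat when reading the report itself: ASan names the nearest global it has instrumented ('Weapons', 259144 bytes away), which for a large overshoot need not be the array the faulting line actually indexes; the frame and source line are the reliable pointer.

```cpp
// Added example (not FS2Open code): a stand-alone model of the lookup in
// firing_aspect_seeking_bomb() with a range-checked variant beside it.
// Names mirror the report; sizes, flags and table contents are constructed.
#include <cstdio>

#define WIF_BOMB           (1 << 0)   // constructed flag bits
#define WIF_HOMING_ASPECT  (1 << 1)

const int MAX_WEAPON_TYPES         = 4;  // constructed; tiny so the edge is obvious
const int MAX_SHIP_SECONDARY_BANKS = 3;  // constructed

struct weapon_info { int wi_flags; };

// Constructed weapon table: 1 is an aspect-seeking bomb, 2 a dumb bomb.
weapon_info Weapon_info[MAX_WEAPON_TYPES] = {
    { 0 },
    { WIF_BOMB | WIF_HOMING_ASPECT },
    { WIF_BOMB },
    { 0 },
};

struct ship_weapon {
    int current_secondary_bank;                           // -1 = no bank selected
    int secondary_bank_ammo[MAX_SHIP_SECONDARY_BANKS];
    int secondary_bank_weapons[MAX_SHIP_SECONDARY_BANKS]; // -1 = empty slot
};

// The lookup as the report shows it: only bank_index == -1 is rejected.
// A bank index past the array, or a weapon slot holding -1 or a stale value,
// reads outside Weapon_info; that is the global-buffer-overflow ASan reports.
// Kept for reproduction under -fsanitize=address; it is only safe on state
// that check_secondary_bank() below has already accepted.
int firing_aspect_seeking_bomb_unchecked(const ship_weapon *swp)
{
    int bank_index = swp->current_secondary_bank;
    if (bank_index != -1)
        if (swp->secondary_bank_ammo[bank_index] > 0) {
            int widx = swp->secondary_bank_weapons[bank_index];
            if (Weapon_info[widx].wi_flags & WIF_BOMB)
                if (Weapon_info[widx].wi_flags & WIF_HOMING_ASPECT)
                    return 1;
        }
    return 0;
}

// Hardened variant (an assumption of this example, not the project's fix):
// classify the state first, index only once every index is known to be in range.
enum bank_check { BANK_OK, BANK_NONE, BANK_OUT_OF_RANGE, WEAPON_OUT_OF_RANGE, BANK_EMPTY };

bank_check check_secondary_bank(const ship_weapon *swp)
{
    int bank_index = swp->current_secondary_bank;
    if (bank_index < 0)
        return BANK_NONE;
    if (bank_index >= MAX_SHIP_SECONDARY_BANKS)
        return BANK_OUT_OF_RANGE;
    int widx = swp->secondary_bank_weapons[bank_index];
    if (widx < 0 || widx >= MAX_WEAPON_TYPES)
        return WEAPON_OUT_OF_RANGE;
    if (swp->secondary_bank_ammo[bank_index] <= 0)
        return BANK_EMPTY;
    return BANK_OK;
}

int firing_aspect_seeking_bomb_checked(const ship_weapon *swp)
{
    if (check_secondary_bank(swp) != BANK_OK)
        return 0;
    int flags = Weapon_info[swp->secondary_bank_weapons[swp->current_secondary_bank]].wi_flags;
    return ((flags & WIF_BOMB) && (flags & WIF_HOMING_ASPECT)) ? 1 : 0;
}

// Constructed ship state: every slot empty except the selected bank.
ship_weapon make_ship(int bank, int weapon, int ammo)
{
    ship_weapon sw = {};
    sw.current_secondary_bank = bank;
    for (int i = 0; i < MAX_SHIP_SECONDARY_BANKS; i++) {
        sw.secondary_bank_weapons[i] = -1;
        sw.secondary_bank_ammo[i] = 0;
    }
    if (bank >= 0 && bank < MAX_SHIP_SECONDARY_BANKS) {
        sw.secondary_bank_weapons[bank] = weapon;
        sw.secondary_bank_ammo[bank] = ammo;
    }
    return sw;
}

int main()
{
    ship_weapon armed = make_ship(0, 1, 5);   // aspect bomb with ammo
    ship_weapon stale = make_ship(1, 7, 5);   // weapon index past Weapon_info
    ship_weapon empty = make_ship(2, -1, 5);  // bank selected, slot holds -1
    printf("armed: %d\n", firing_aspect_seeking_bomb_checked(&armed));
    printf("stale: %d (check=%d)\n", firing_aspect_seeking_bomb_checked(&stale), (int)check_secondary_bank(&stale));
    printf("empty: %d (check=%d)\n", firing_aspect_seeking_bomb_checked(&empty), (int)check_secondary_bank(&empty));
    // Under -fsanitize=address, uncommenting the next line reproduces the
    // same class of report as the one in this issue:
    // firing_aspect_seeking_bomb_unchecked(&stale);
    return 0;
}
```

Compile with clang++ -fsanitize=address -g and uncomment the last call in main to see a global-buffer-overflow report of the same class from the unchecked variant; on the same input the checked variant returns 0 and check_secondary_bank() says why, which is the behaviour a caller can log or assert on rather than silently reading past the table.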
Additional Information:
ERROR: AddressSanitizer: global-buffer-overflow on address 0x000104cc0688 at pc 0x1004b2b57 bp 0x7fff5fbf7730 sp 0x7fff5fbf7728
READ of size 4 at 0x000104cc0688 thread T0
==31697==WARNING: Trying to symbolize code, but external symbolizer is not initialized!
    #0 0x1004b2b56 in firing_aspect_seeking_bomb aicode.cpp:14775
    #1 0x1004b9816 in ai_ship_hit aicode.cpp:15013
    #2 0x102006a1d in ship_apply_local_damage shiphit.cpp:2388
    #3 0x101b14cbe in ship_weapon_do_hit_stuff collideshipweapon.cpp:94
    #4 0x101b1c59c in ship_weapon_check_collision collideshipweapon.cpp:403
    #5 0x101b1e738 in collide_ship_weapon collideshipweapon.cpp:479
    #6 0x101aeb8ff in obj_collide_pair objcollide.cpp:1645
    #7 0x101ae37c6 in obj_find_overlap_colliders objcollide.cpp:1265
    #8 0x101adfc8a in obj_sort_and_collide objcollide.cpp:1230
    #9 0x101abcfb0 in obj_move_all object.cpp:1502
    #10 0x10016daba in game_simulation_frame freespace.cpp:4007
    #11 0x100172ba1 in game_frame freespace.cpp:4400
    #12 0x10017859b in game_do_frame freespace.cpp:4815
    #13 0x1001841d0 in game_do_state freespace.cpp:6495
    #14 0x1007be222 in gameseq_process_events gamesequence.cpp:409
    #15 0x10018ac08 in game_main freespace.cpp:7062
    #16 0x10018c376 in SDL_main freespace.cpp:7196
    #17 0x100002c71 in -[SDLMain applicationDidFinishLaunching:] SDLMain.m:300
    #18 0x7fff8df88fcb in __CFNOTIFICATIONCENTER_IS_CALLING_OUT_TO_AN_OBSERVER__ (in CoreFoundation) + 11
    #19 0x7fff8de7cc5c in _CFXNotificationPost (in CoreFoundation) + 2892
    #20 0x7fff85e6d4a9 in -[NSNotificationCenter postNotificationName:object:userInfo:] (in Foundation) + 67
    #21 0x7fff8ae42b78 in -[NSApplication _postDidFinishNotification] (in AppKit) + 288
    #22 0x7fff8ae428ab in -[NSApplication _sendFinishLaunchingNotification] (in AppKit) + 194
    #23 0x7fff8ae3f795 in -[NSApplication(NSAppleEventHandling) _handleAEOpenEvent:] (in AppKit) + 569
    #24 0x7fff8ae3f1ea in -[NSApplication(NSAppleEventHandling) _handleCoreEvent:withReplyEvent:] (in AppKit) + 241
    #25 0x7fff85e8bea9 in -[NSAppleEventManager dispatchRawAppleEvent:withRawReply:handlerRefCon:] (in Foundation) + 293
    #26 0x7fff85e8bd1c in _NSAppleEventManagerGenericHandler (in Foundation) + 105
    #27 0x7fff8d19fe1e in aeDispatchAppleEvent(AEDesc const*, AEDesc*, unsigned int, unsigned char*) (in AE) + 380
    #28 0x7fff8d19fc31 in dispatchEventAndSendReply(AEDesc const*, AEDesc*) (in AE) + 30
    #29 0x7fff8d19fb35 in aeProcessAppleEvent (in AE) + 314
    #30 0x7fff8aa4f5f0 in AEProcessAppleEvent (in HIToolbox) + 55
    #31 0x7fff8ae3b0f5 in _DPSNextEvent (in AppKit) + 1025
    #32 0x7fff8ae3a8da in -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] (in AppKit) + 121
    #33 0x7fff8ae2e9cb in -[NSApplication run] (in AppKit) + 552
    #34 0x100004d61 in CustomApplicationMain SDLMain.m:227
    #35 0x10000483a in main SDLMain.m:377
    #36 0x100001803 in start (in FS2_Open (debug)) + 51
    #37 0x0 in 0x0

0x000104cc0688 is located 259144 bytes to the right of global variable 'Weapons' from 'fs2_open/code/weapon/weapons.cpp' (0x104b39040) of size 1344000
SUMMARY: AddressSanitizer: global-buffer-overflow ??:0 ??
Shadow bytes around the buggy address:
  0x100020998080: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
  0x100020998090: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
  0x1000209980a0: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
  0x1000209980b0: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
  0x1000209980c0: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
=>0x1000209980d0: f9[f9]f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
  0x1000209980e0: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
  0x1000209980f0: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
  0x100020998100: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
  0x100020998110: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
  0x100020998120: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable: 00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone: fa
  Heap right redzone: fb
  Freed heap region: fd
  Stack left redzone: f1
  Stack mid redzone: f2
  Stack right redzone: f3
  Stack partial redzone: f4
  Stack after return: f5
  Stack use after scope: f8
  Global redzone: f9
  Global init order: f6
  Poisoned by user: f7
  Contiguous container OOB:fc
  ASan internal: fe
==31697==ABORTING
Tags: No tags attached.

Activities

Echelon9

2014-04-25 12:47

developer ~0015710

Resolved in r10596.

Related Changesets

fs2open: trunk r10596

2014-04-25 07:56

Echelon9

Ported: N/A

Fix Mantis Issue 0002976: AddressSanitizer: global-buffer-overflow in firing_aspect_seeking_bomb()
Affected Issues: 0002976
mod - /trunk/fs2_open/code/ai/aicode.cpp

Issue History

Date Modified Username Field Change
2013-12-07 06:21 Echelon9 New Issue
2013-12-29 13:05 Echelon9 Assigned To => Echelon9
2013-12-29 13:05 Echelon9 Status new => assigned
2014-04-25 12:47 Echelon9 Changeset attached => fs2open trunk r10596
2014-04-25 12:47 Echelon9 Note Added: 0015710
2014-04-25 12:47 Echelon9 Status assigned => resolved
2014-04-25 12:47 Echelon9 Fixed in Version => 3.7.2
2014-04-25 12:47 Echelon9 Resolution open => fixed