View Issue Details

ID: 0002987
Project: FSSCP
Category:
View Status: public
Last Update: 2014-09-25 02:54
Reporter: Echelon9
Assigned To: Goober5000
Priority: normal
Severity: minor
Reproducibility: have not tried
Status: resolved
Resolution: fixed
Product Version: 3.7.0
Target Version: 3.7.2
Fixed in Version: 3.7.2
Summary: 0002987: AddressSanitizer: global-buffer-overflow in message_queue_process()
Description: Reported by AddressSanitizer, a memory error detector for C/C++, in FS2Open builds based on trunk r10255.

AddressSanitizer: global-buffer-overflow on address 0x000103dacc60 at pc 0x101200746 bp 0x7fff5fbfc0b0 sp 0x7fff5fbfc0a8
READ of size 4 at 0x000103dacc60 thread T0
==6906==WARNING: Trying to symbolize code, but external symbolizer is not initialized!
    #0 0x101200745 in message_queue_process missionmessage.cpp:1352
    #1 0x10016e38e in game_simulation_frame freespace.cpp:4033
    #2 0x100173111 in game_frame freespace.cpp:4400
    #3 0x100178b0b in game_do_frame freespace.cpp:4815
    #4 0x100184740 in game_do_state freespace.cpp:6495
    #5 0x1007ceae2 in gameseq_process_events gamesequence.cpp:409
    #6 0x10018b178 in game_main freespace.cpp:7062
    #7 0x10018c8e6 in SDL_main freespace.cpp:7196
    ...

Steps To Reproduce:
1. Utilise a version of Clang that supports AddressSanitizer (https://code.google.com/p/address-sanitizer/wiki/AddressSanitizer).
2. Build with the -fsanitize=address C/C++ flag.
3. Run the game with mediavps. Play the next mission for the player rodo for the main fs2 campaign, as per Mantis 2980.
Additional Information: ERROR: AddressSanitizer: global-buffer-overflow on address 0x000103dacc60 at pc 0x101200746 bp 0x7fff5fbfc0b0 sp 0x7fff5fbfc0a8
READ of size 4 at 0x000103dacc60 thread T0
==6906==WARNING: Trying to symbolize code, but external symbolizer is not initialized!
    #0 0x101200745 in message_queue_process missionmessage.cpp:1352
    #1 0x10016e38e in game_simulation_frame freespace.cpp:4033
    #2 0x100173111 in game_frame freespace.cpp:4400
    #3 0x100178b0b in game_do_frame freespace.cpp:4815
    #4 0x100184740 in game_do_state freespace.cpp:6495
    #5 0x1007ceae2 in gameseq_process_events gamesequence.cpp:409
    #6 0x10018b178 in game_main freespace.cpp:7062
    #7 0x10018c8e6 in SDL_main freespace.cpp:7196
    #8 0x1000031e1 in -[SDLMain applicationDidFinishLaunching:] SDLMain.m:300
    #9 0x7fff88f81fcb in __CFNOTIFICATIONCENTER_IS_CALLING_OUT_TO_AN_OBSERVER__ (in CoreFoundation) + 11
    #10 0x7fff88e75c5c in _CFXNotificationPost (in CoreFoundation) + 2892
    #11 0x7fff947b84a9 in -[NSNotificationCenter postNotificationName:object:userInfo:] (in Foundation) + 67
    #12 0x7fff8f1aab78 in -[NSApplication _postDidFinishNotification] (in AppKit) + 288
    #13 0x7fff8f1aa8ab in -[NSApplication _sendFinishLaunchingNotification] (in AppKit) + 194
    #14 0x7fff8f1a7795 in -[NSApplication(NSAppleEventHandling) _handleAEOpenEvent:] (in AppKit) + 569
    #15 0x7fff8f1a71ea in -[NSApplication(NSAppleEventHandling) _handleCoreEvent:withReplyEvent:] (in AppKit) + 241
    #16 0x7fff947d6ea9 in -[NSAppleEventManager dispatchRawAppleEvent:withRawReply:handlerRefCon:] (in Foundation) + 293
    #17 0x7fff947d6d1c in _NSAppleEventManagerGenericHandler (in Foundation) + 105
    #18 0x7fff89b34e1e in aeDispatchAppleEvent(AEDesc const*, AEDesc*, unsigned int, unsigned char*) (in AE) + 380
    #19 0x7fff89b34c31 in dispatchEventAndSendReply(AEDesc const*, AEDesc*) (in AE) + 30
    #20 0x7fff89b34b35 in aeProcessAppleEvent (in AE) + 314
    #21 0x7fff94b355f0 in AEProcessAppleEvent (in HIToolbox) + 55
    #22 0x7fff8f1a30f5 in _DPSNextEvent (in AppKit) + 1025
    #23 0x7fff8f1a28da in -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] (in AppKit) + 121
    #24 0x7fff8f1969cb in -[NSApplication run] (in AppKit) + 552
    #25 0x1000052d1 in CustomApplicationMain SDLMain.m:227
    #26 0x100004daa in main SDLMain.m:377
    #27 0x100001d73 in start (in FS2_Open (debug)) + 51
    #28 0x0 in 0x0

0x000103dacc60 is located 32 bytes to the left of global variable 'Message_shipnum' from 'fs2_open/code/mission/missionmessage.cpp' (0x103dacc80) of size 4
0x000103dacc60 is located 16 bytes to the right of global variable 'Playing_messages' from 'fs2_open/code/mission/missionmessage.cpp' (0x103dacc00) of size 80
SUMMARY: AddressSanitizer: global-buffer-overflow ??:0 ??
Shadow bytes around the buggy address:
  0x1000207b5930: 00 00 00 f9 f9 f9 f9 f9 04 f9 f9 f9 f9 f9 f9 f9
  0x1000207b5940: 04 f9 f9 f9 f9 f9 f9 f9 04 f9 f9 f9 f9 f9 f9 f9
  0x1000207b5950: 04 f9 f9 f9 f9 f9 f9 f9 04 f9 f9 f9 f9 f9 f9 f9
  0x1000207b5960: 04 f9 f9 f9 f9 f9 f9 f9 00 00 00 f9 f9 f9 f9 f9
  0x1000207b5970: 00 00 00 f9 f9 f9 f9 f9 04 f9 f9 f9 f9 f9 f9 f9
=>0x1000207b5980: 00 00 00 00 00 00 00 00 00 00 f9 f9[f9]f9 f9 f9
  0x1000207b5990: 04 f9 f9 f9 f9 f9 f9 f9 04 f9 f9 f9 f9 f9 f9 f9
  0x1000207b59a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000207b59b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000207b59c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000207b59d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable: 00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone: fa
  Heap right redzone: fb
  Freed heap region: fd
  Stack left redzone: f1
  Stack mid redzone: f2
  Stack right redzone: f3
  Stack partial redzone: f4
  Stack after return: f5
  Stack use after scope: f8
  Global redzone: f9
  Global init order: f6
  Poisoned by user: f7
  Contiguous container OOB:fc
  ASan internal: fe
==6906==ABORTING
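The two "is located N bytes to the left/right of global ..." lines above are the part of an ASan report that pins down the bug: the faulting 4-byte read lands 16 bytes past the end of the 80-byte global Playing_messages and 32 bytes before Message_shipnum, i.e. inside the f9 global redzone that ASan places between globals. The following C program is an added example, not code from the FS2Open project: it redoes that offset arithmetic so the report's numbers can be checked by hand, and shows the bounds-checked accessor pattern that is the usual fix for a "bad array index" into a global table. Playing_messages_demo, PLAYING_MSG_COUNT, PLAYING_MSG_INVALID and the 4-byte element size are stand-ins chosen to mirror the sizes in the report; the game's real Playing_messages layout is not known from this page and is not reproduced.

```c
#include <stdio.h>
#include <stdint.h>
#include <stddef.h>
#include <limits.h>

/* Stand-in for an 80-byte global table like the report's 'Playing_messages'
 * (hypothetical layout: 20 ints of 4 bytes each, not the game's real struct). */
#define PLAYING_MSG_COUNT 20
#define PLAYING_MSG_INVALID INT_MIN   /* sentinel returned for an out-of-range read */

static int Playing_messages_demo[PLAYING_MSG_COUNT];

/* Bounds-checked accessors: the fix pattern for a bad array index. Without
 * the check, Playing_messages_demo[24] would read 16 bytes past the array,
 * into ASan's global redzone in an instrumented build, or silently into
 * whatever global the linker placed next in a normal build. */
int playing_message_get(int index)
{
    if (index < 0 || index >= PLAYING_MSG_COUNT)
        return PLAYING_MSG_INVALID;
    return Playing_messages_demo[index];
}

int playing_message_set(int index, int value)
{
    if (index < 0 || index >= PLAYING_MSG_COUNT)
        return 0;
    Playing_messages_demo[index] = value;
    return 1;
}

/* The arithmetic behind ASan's "located N bytes to the left/right of global
 * 'X' (addr) of size S" line. Negative result: the bad address lies N bytes
 * before the global starts; positive: N bytes past its end; zero: inside it. */
long long asan_global_offset(uintptr_t bad_addr, uintptr_t global_addr, size_t global_size)
{
    uintptr_t global_end = global_addr + global_size;
    if (bad_addr < global_addr)
        return -(long long)(global_addr - bad_addr);
    if (bad_addr >= global_end)
        return (long long)(bad_addr - global_end);
    return 0;
}

/* Element index an out-of-bounds access implies, given the array start and
 * an assumed element size. Returns -1 if the address lies before the array. */
long long implied_element_index(uintptr_t bad_addr, uintptr_t array_addr, size_t elem_size)
{
    if (bad_addr < array_addr || elem_size == 0)
        return -1;
    return (long long)((bad_addr - array_addr) / elem_size);
}

int main(void)
{
    /* Constructed input: the three addresses copied from the report above,
     * not obtained by running this program under ASan. */
    uintptr_t bad              = (uintptr_t)0x103dacc60ULL;
    uintptr_t playing_messages = (uintptr_t)0x103dacc00ULL;   /* size 80 */
    uintptr_t message_shipnum  = (uintptr_t)0x103dacc80ULL;   /* size 4 */

    printf("%lld bytes to the right of Playing_messages\n",
           asan_global_offset(bad, playing_messages, 80));     /* 16 */
    printf("%lld bytes to the left of Message_shipnum\n",
           -asan_global_offset(bad, message_shipnum, 4));      /* 32 */
    printf("implied index with 4-byte elements: %lld\n",
           implied_element_index(bad, playing_messages, 4));   /* 24 */
    printf("get(24): %s\n",
           playing_message_get(24) == PLAYING_MSG_INVALID ? "rejected" : "read");
    return 0;
}
```

The offsets it computes (16 to the right, 32 to the left) match the report, which is the check worth doing before hunting for the index: if the distance from the end of the array is not a multiple of the element size, the faulting access is probably not a simple off-by-N index into that array at all.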
Tags: No tags attached.

Relationships

related to 0002980 (closed, Echelon9): FSO crash after mission - possibly pilot code related

Activities

Goober5000

2014-06-30 03:06

administrator   ~0015945

bump, and update the targeted version

Goober5000

2014-09-25 02:54

administrator   ~0016301

This is a simple case of a bad array index added in revision 8418.

Goober5000

2014-09-25 02:54

administrator   ~0016302

Fix committed to trunk@11084.

Related Changesets

fs2open: trunk r11084
2014-09-24 23:30
Goober5000
Ported: N/A
fix Mantis 0002987 (AddressSanitizer: global-buffer-overflow in message_queue_process())
Affected Issues: 0002987
mod - /trunk/fs2_open/code/mission/missionmessage.cpp

Issue History

Date Modified Username Field Change
2013-12-29 12:59 Echelon9 New Issue
2013-12-29 12:59 Echelon9 Status new => assigned
2013-12-29 12:59 Echelon9 Assigned To => Echelon9
2013-12-29 12:59 Echelon9 Relationship added related to 0002980
2014-06-30 03:06 Goober5000 Note Added: 0015945
2014-06-30 03:06 Goober5000 Target Version 3.7.1 => 3.7.2
2014-09-25 02:54 Goober5000 Note Added: 0016301
2014-09-25 02:54 Goober5000 Assigned To Echelon9 => Goober5000
2014-09-25 02:54 Goober5000 Changeset attached => fs2open trunk r11084
2014-09-25 02:54 Goober5000 Note Added: 0016302
2014-09-25 02:54 Goober5000 Status assigned => resolved
2014-09-25 02:54 Goober5000 Resolution open => fixed
2014-09-25 02:54 Goober5000 Fixed in Version => 3.7.2