View Issue Details

ID: 0002825
Project: FSSCP
View Status: public
Last Update: 2013-04-14 01:06
Reporter: Echelon9
Assigned To: Echelon9
Priority: normal
Severity: minor
Reproducibility: always
Status: resolved
Resolution: fixed
Product Version: 3.6.19
Target Version: 3.7.0
Summary: 0002825: AddressSanitizer: global-buffer-overflow in turret_weapon_has_flags() aiturret.cpp:316
Description: Reported by AddressSanitizer, a memory error detector for C/C++, in FS2Open builds based on trunk r9607.

ERROR: AddressSanitizer: global-buffer-overflow on address 0x0001049afbf0 at pc 0x100412cff bp 0x7fff5fbfa370 sp 0x7fff5fbfa368
READ of size 4 at 0x0001049afbf0 thread T0
    #0 0x100412cfe in turret_weapon_has_flags aiturret.cpp:316
    #1 0x100a7f462 in hud_target_live_turret hudtarget.cpp:1791
    #2 0x100a7d228 in hud_maybe_set_sorted_turret_subsys hudtarget.cpp:505
    #3 0x100aa55a2 in hud_target_in_reticle_old hudtarget.cpp:2636
    #4 0x100aa45d5 in hud_target_in_reticle_new hudtarget.cpp:2569
    #5 0x100e12c57 in button_function keycontrol.cpp:2499
    #6 0x100e07c44 in button_info_do keycontrol.cpp:2763
    #7 0x100e07796 in game_process_keys keycontrol.cpp:1670
    #8 0x1002ee8b2 in game_frame freespace.cpp:4357
    #9 0x1002f43eb in game_do_frame freespace.cpp:4791
    #10 0x1002fff4a in game_do_state freespace.cpp:6466
    #11 0x1008f18a9 in gameseq_process_events gamesequence.cpp:405
    #12 0x1003067c8 in game_main freespace.cpp:7033
    #13 0x100307e36 in SDL_main freespace.cpp:7167
    ...


/**
 * Returns true if any of the weapons in swp have flags
 *
 * @note doesn't work for WIF2
 */
bool turret_weapon_has_flags(ship_weapon *swp, int flags)
{
    int i = 0;
    for(i = 0; i < swp->num_primary_banks; i++)
    {
        if(Weapon_info[swp->primary_bank_weapons[i]].wi_flags & flags)
            return true;
    }
    for(i = 0; i < swp->num_secondary_banks; i++)
    {
        if(Weapon_info[swp->secondary_bank_weapons[i]].wi_flags & flags) // <=== aiturret.cpp:316, the READ reported above
            return true;
    }

    return false;
}
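The faulting read above indexes the global Weapon_info table with a bank slot value taken straight from ship data. The following is an added example, not code from the FS2Open project or from this report: the struct, table size, flag bits and the name turret_weapon_has_flags_safe are simplified stand-ins, and the range check is one way to harden the lookup, not the change committed in r9629 (whose diff is not shown on this page).

```cpp
// Added example, not FS2Open code: simplified stand-ins for the game's
// Weapon_info table and ship_weapon bank arrays (the real definitions are
// larger), showing how an unvalidated bank index reaches a global table
// lookup and how a range check keeps it from doing so.
constexpr int MAX_WEAPON_TYPES = 4;   // assumed table size
constexpr int MAX_BANKS = 3;          // assumed bank slots per side
constexpr int WIF_HUGE = 1 << 0;      // constructed flag bits
constexpr int WIF_BEAM = 1 << 1;

struct weapon_info { int wi_flags; };
struct ship_weapon {
    int num_primary_banks;
    int primary_bank_weapons[MAX_BANKS];    // -1 marks an empty slot
    int num_secondary_banks;
    int secondary_bank_weapons[MAX_BANKS];
};

// Constructed table. Because it is a global array, Weapon_info[-1] would read
// the bytes just before it: the kind of access ASan reports as
// global-buffer-overflow.
weapon_info Weapon_info[MAX_WEAPON_TYPES] = { {0}, {WIF_HUGE}, {WIF_BEAM}, {0} };

// Every index that comes from mission or table data is range-checked before
// it touches Weapon_info; an empty (-1) or corrupt slot contributes nothing.
// The bank count is data too, so it is clamped to the array it walks.
static bool bank_has_flags(const int *banks, int count, int flags) {
    if (count > MAX_BANKS) count = MAX_BANKS;
    for (int i = 0; i < count; i++) {
        int idx = banks[i];
        if (idx < 0 || idx >= MAX_WEAPON_TYPES) continue;
        if (Weapon_info[idx].wi_flags & flags) return true;
    }
    return false;
}

bool turret_weapon_has_flags_safe(const ship_weapon *swp, int flags) {
    if (swp == nullptr) return false;
    return bank_has_flags(swp->primary_bank_weapons, swp->num_primary_banks, flags)
        || bank_has_flags(swp->secondary_bank_weapons, swp->num_secondary_banks, flags);
}

// Constructed turrets: one with an empty secondary slot before a beam, one
// with only empty slots, and one with a corrupt index and an oversized count.
const ship_weapon kTurretEmptySlot = {1, {1, -1, -1}, 2, {-1, 2, -1}};
const ship_weapon kTurretAllEmpty  = {0, {-1, -1, -1}, 1, {-1, -1, -1}};
const ship_weapon kTurretCorrupt   = {1, {99, -1, -1}, 7, {-1, -1, -1}};
```

Built with -fsanitize=address, the unchecked original would trip on kTurretEmptySlot's first secondary slot, while the checked version skips it and still finds the beam in the next slot.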
Steps To Reproduce:
1. Use a version of Clang that supports AddressSanitizer (https://code.google.com/p/address-sanitizer/wiki/AddressSanitizer).
2. Build with the -fsanitize=address C/C++ flag.
3. Run the game with mediavps 3.6.12, progress through mission 1 "Surrender, Belisarius", and target the Psamtik with the 'Y' key when it jumps in.
Additional Information:
ERROR: AddressSanitizer: global-buffer-overflow on address 0x0001049afbf0 at pc 0x100412cff bp 0x7fff5fbfa370 sp 0x7fff5fbfa368
READ of size 4 at 0x0001049afbf0 thread T0
    #0 0x100412cfe in turret_weapon_has_flags aiturret.cpp:316
    #1 0x100a7f462 in hud_target_live_turret hudtarget.cpp:1791
    #2 0x100a7d228 in hud_maybe_set_sorted_turret_subsys hudtarget.cpp:505
    #3 0x100aa55a2 in hud_target_in_reticle_old hudtarget.cpp:2636
    #4 0x100aa45d5 in hud_target_in_reticle_new hudtarget.cpp:2569
    #5 0x100e12c57 in button_function keycontrol.cpp:2499
    #6 0x100e07c44 in button_info_do keycontrol.cpp:2763
    #7 0x100e07796 in game_process_keys keycontrol.cpp:1670
    #8 0x1002ee8b2 in game_frame freespace.cpp:4357
    #9 0x1002f43eb in game_do_frame freespace.cpp:4791
    #10 0x1002fff4a in game_do_state freespace.cpp:6466
    #11 0x1008f18a9 in gameseq_process_events gamesequence.cpp:405
    #12 0x1003067c8 in game_main freespace.cpp:7033
    #13 0x100307e36 in SDL_main freespace.cpp:7167
    #14 0x1000027aa in -[SDLMain applicationDidFinishLaunching:] SDLMain.m:300
    #15 0x7fff8ffe3ed9 in _CFXNotificationPost (in CoreFoundation) + 2553
    #16 0x7fff85fc6e25 in -[NSNotificationCenter postNotificationName:object:userInfo:] (in Foundation) + 63
    #17 0x7fff8b92855c in -[NSApplication _postDidFinishNotification] (in AppKit) + 291
    #18 0x7fff8b928295 in -[NSApplication _sendFinishLaunchingNotification] (in AppKit) + 215
    #19 0x7fff8b925481 in -[NSApplication(NSAppleEventHandling) _handleAEOpenEvent:] (in AppKit) + 565
    #20 0x7fff8b92507b in -[NSApplication(NSAppleEventHandling) _handleCoreEvent:withReplyEvent:] (in AppKit) + 350
    #21 0x7fff85fe070a in -[NSAppleEventManager dispatchRawAppleEvent:withRawReply:handlerRefCon:] (in Foundation) + 307
    #22 0x7fff85fe056c in _NSAppleEventManagerGenericHandler (in Foundation) + 105
    #23 0x7fff8e3a9077 in aeDispatchAppleEvent(AEDesc const*, AEDesc*, unsigned int, unsigned char*) (in AE) + 306
    #24 0x7fff8e3a8ed8 in dispatchEventAndSendReply(AEDesc const*, AEDesc*) (in AE) + 36
    #25 0x7fff8e3a8d98 in aeProcessAppleEvent (in AE) + 317
    #26 0x7fff88b11708 in AEProcessAppleEvent (in HIToolbox) + 99
    #27 0x7fff8b921865 in _DPSNextEvent (in AppKit) + 1455
    #28 0x7fff8b920e21 in -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] (in AppKit) + 127
    #29 0x7fff8b9181d2 in -[NSApplication run] (in AppKit) + 516
    #30 0x1000048c3 in CustomApplicationMain SDLMain.m:227
    #31 0x100004340 in main SDLMain.m:377
    #32 0x100001513 in start (in FS2_Open (debug)) + 51
    #33 0x0 in 0x0
0x0001049afbf0 is located 259056 bytes to the right of global variable 'Weapons' from 'fs2open/trunk/fs2_open/projects/Xcode4/../../code/weapon/weapons.cpp' (0x104828600) of size 1344000
Shadow bytes around the buggy address:
  0x100020935f20: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
  0x100020935f30: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
  0x100020935f40: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
  0x100020935f50: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
  0x100020935f60: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
=>0x100020935f70: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9[f9]f9
  0x100020935f80: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
  0x100020935f90: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
  0x100020935fa0: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
  0x100020935fb0: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
  0x100020935fc0: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable: 00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone: fa
  Heap righ redzone: fb
  Freed Heap region: fd
  Stack left redzone: f1
  Stack mid redzone: f2
  Stack right redzone: f3
  Stack partial redzone: f4
  Stack after return: f5
  Stack use after scope: f8
  Global redzone: f9
  Global init order: f6
  Poisoned by user: f7
  ASan internal: fe
==62941==ABORTING
Tags: No tags attached.

Activities

Echelon9

2013-04-14 01:05

developer   ~0014921

This is due to the particular turret having its total num_secondary_banks set to -1.

Also present in turret_weapon_has_flags2() and turret_weapon_has_subtype().

Echelon9

2013-04-14 01:06

developer   ~0014922

Fix committed to trunk@9629.

Related Changesets

fs2open: trunk r9629

2013-04-13 21:56

Echelon9


Ported: N/A

Fix Mantis 2825: AddressSanitizer: global-buffer-overflow in turret_weapon_has_flags() aiturret.cpp:316
Affected Issues: 0002825
mod - /trunk/fs2_open/code/ai/aiturret.cpp

Issue History

Date Modified Username Field Change
2013-03-27 12:15 Echelon9 New Issue
2013-04-13 12:47 Echelon9 Assigned To => Echelon9
2013-04-13 12:47 Echelon9 Status new => assigned
2013-04-14 01:05 Echelon9 Note Added: 0014921
2013-04-14 01:06 Echelon9 Changeset attached => fs2open trunk r9629
2013-04-14 01:06 Echelon9 Note Added: 0014922
2013-04-14 01:06 Echelon9 Status assigned => resolved
2013-04-14 01:06 Echelon9 Resolution open => fixed