View Issue Details
Field | Value
---|---
ID | 0002835
Project | FSSCP
Category | |
View Status | public
Date Submitted | 2013-04-04 04:40
Last Update | 2013-12-02 00:58
Reporter | Echelon9
Assigned To | Echelon9
Priority | normal
Severity | minor
Reproducibility | always
Status | resolved
Resolution | fixed
Product Version | 3.6.19
Target Version | 3.7.0
Fixed in Version | 3.6.19
Summary | 0002835: AddressSanitizer: global-buffer-overflow in ConditionedHook::ConditionsValid() scripting.cpp:338
Tags | No tags attached.

**Description**

Reported by AddressSanitizer, a memory error detector for C/C++, in FS2Open builds based on trunk r9617 and BP.patch (with WiH2).

```
ERROR: AddressSanitizer: global-buffer-overflow on address 0x000105028c98 at pc 0x105b11da3 bp 0x7fff5fbfb8b0 sp 0x7fff5fbfb880
READ of size 1 at 0x000105028c98 thread T0
    #0 0x105b11da2 in wrap_strcasecmp (in libclang_rt.asan_osx_dynamic.dylib) + 306
    #1 0x10281eee1 in ConditionedHook::ConditionsValid scripting.cpp:338
    #2 0x10282a9b8 in script_state::RunCondition scripting.cpp:868
    #3 0x101a79f4d in obj_move_all object.cpp:1469
    #4 0x1002ef68d in game_simulation_frame freespace.cpp:4113
    #5 0x1002f42e1 in game_frame freespace.cpp:4506
    #6 0x1002f9acb in game_do_frame freespace.cpp:4917
    #7 0x10030562a in game_do_state freespace.cpp:6592
    #8 0x100904f59 in gameseq_process_events gamesequence.cpp:405
    #9 0x10030bea8 in game_main freespace.cpp:7159
    #10 0x10030d516 in SDL_main freespace.cpp:7293
    ...
```

The code at the flagged frame (scripting.cpp:338):

```cpp
case CHA_ONWPEQUIPPED:
{
    bool equipped = false;
    for(int j = 0; j < MAX_SHIP_PRIMARY_BANKS; j++)
    {
        if (!equipped)
        {
            // Line flagged by AddressSanitizer: Weapon_info is indexed with the
            // bank's weapon index for every bank slot, and the resulting read
            // lands outside any global (see the report above).
            if ( !stricmp(Weapon_info[shipp->weapons.primary_bank_weapons[j]].name, scp->data.name) )   // <=======
            {
                equipped = true;
                break;
            }
        }
    }
```

**Steps To Reproduce**

1. Utilise a version of Clang that supports AddressSanitizer (https://code.google.com/p/address-sanitizer/wiki/AddressSanitizer).
2. Build with the -fsanitize=address C/C++ flag.
3. Run the game with Blue Planet WiH2, and go into the Dreamscape via the Techroom.

**Additional Information**

```
ERROR: AddressSanitizer: global-buffer-overflow on address 0x000105028c98 at pc 0x105b11da3 bp 0x7fff5fbfb8b0 sp 0x7fff5fbfb880
READ of size 1 at 0x000105028c98 thread T0
    #0 0x105b11da2 in wrap_strcasecmp (in libclang_rt.asan_osx_dynamic.dylib) + 306
    #1 0x10281eee1 in ConditionedHook::ConditionsValid scripting.cpp:338
    #2 0x10282a9b8 in script_state::RunCondition scripting.cpp:868
    #3 0x101a79f4d in obj_move_all object.cpp:1469
    #4 0x1002ef68d in game_simulation_frame freespace.cpp:4113
    #5 0x1002f42e1 in game_frame freespace.cpp:4506
    #6 0x1002f9acb in game_do_frame freespace.cpp:4917
    #7 0x10030562a in game_do_state freespace.cpp:6592
    #8 0x100904f59 in gameseq_process_events gamesequence.cpp:405
    #9 0x10030bea8 in game_main freespace.cpp:7159
    #10 0x10030d516 in SDL_main freespace.cpp:7293
    #11 0x1000032fa in -[SDLMain applicationDidFinishLaunching:] SDLMain.m:300
    #12 0x7fff9502aed9 in _CFXNotificationPost (in CoreFoundation) + 2553
    #13 0x7fff8b00de25 in -[NSNotificationCenter postNotificationName:object:userInfo:] (in Foundation) + 63
    #14 0x7fff9096f55c in -[NSApplication _postDidFinishNotification] (in AppKit) + 291
    #15 0x7fff9096f295 in -[NSApplication _sendFinishLaunchingNotification] (in AppKit) + 215
    #16 0x7fff9096c481 in -[NSApplication(NSAppleEventHandling) _handleAEOpenEvent:] (in AppKit) + 565
    #17 0x7fff9096c07b in -[NSApplication(NSAppleEventHandling) _handleCoreEvent:withReplyEvent:] (in AppKit) + 350
    #18 0x7fff8b02770a in -[NSAppleEventManager dispatchRawAppleEvent:withRawReply:handlerRefCon:] (in Foundation) + 307
    #19 0x7fff8b02756c in _NSAppleEventManagerGenericHandler (in Foundation) + 105
    #20 0x7fff933f0077 in aeDispatchAppleEvent(AEDesc const*, AEDesc*, unsigned int, unsigned char*) (in AE) + 306
    #21 0x7fff933efed8 in dispatchEventAndSendReply(AEDesc const*, AEDesc*) (in AE) + 36
    #22 0x7fff933efd98 in aeProcessAppleEvent (in AE) + 317
    #23 0x7fff8db58708 in AEProcessAppleEvent (in HIToolbox) + 99
    #24 0x7fff90968865 in _DPSNextEvent (in AppKit) + 1455
    #25 0x7fff90967e21 in -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] (in AppKit) + 127
    #26 0x7fff9095f1d2 in -[NSApplication run] (in AppKit) + 516
    #27 0x100005413 in CustomApplicationMain SDLMain.m:227
    #28 0x100004e90 in main SDLMain.m:377
    #29 0x100002063 in start (in FS2_Open (debug)) + 51
    #30 0x0 in 0x0
0x000105028c98 is located 258040 bytes to the right of global variable 'Weapons' from 'fs2open/trunk/fs2_open/projects/Xcode4/../../code/weapon/weapons.cpp' (0x104ea1aa0) of size 1344000
==2160==ABORTING
```
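Added example, not FS2Open's own code: a small model of the bank lookup at scripting.cpp:338 that shows the index check the original loop lacks, alongside a hardened lookup that only consults populated banks. It assumes (labelled in the code) that an unused primary bank holds the sentinel index -1 and that `num_primary_banks` counts the populated banks; the weapon table and ship loadouts are constructed for the example.

```cpp
#include <cctype>
#include <cstddef>

constexpr int MAX_SHIP_PRIMARY_BANKS = 3;
constexpr int EMPTY_BANK = -1;  // assumed sentinel for an unused bank slot

struct weapon_info { const char *name; };
struct ship_weapon {
    int num_primary_banks;                        // assumed: count of populated banks
    int primary_bank_weapons[MAX_SHIP_PRIMARY_BANKS];
};

// Constructed stand-in for the global Weapon_info[] table.
const weapon_info Weapon_info[] = {{"Subach HL-7"}, {"Prometheus R"}};
const int Num_weapon_types = sizeof(Weapon_info) / sizeof(Weapon_info[0]);

// Case-insensitive compare, standing in for stricmp() in the original.
static bool names_equal_nocase(const char *a, const char *b) {
    for (; *a && *b; ++a, ++b)
        if (std::tolower((unsigned char)*a) != std::tolower((unsigned char)*b)) return false;
    return *a == *b;  // true only if both strings ended together
}

// The check the original loop is missing: an index must name a real
// Weapon_info entry before it is dereferenced.
bool weapon_index_valid(int idx) { return idx >= 0 && idx < Num_weapon_types; }

ship_weapon make_ship(int banks, int w0, int w1, int w2) {
    ship_weapon s = {banks, {w0, w1, w2}};
    return s;
}

// Same loop shape as the flagged code: visit every bank slot. Instead of
// reading Weapon_info[idx] unconditionally (which is what ASan caught), count
// the slots whose index falls outside the table.
int unchecked_out_of_range_reads(const ship_weapon &w) {
    int bad = 0;
    for (int j = 0; j < MAX_SHIP_PRIMARY_BANKS; j++)
        if (!weapon_index_valid(w.primary_bank_weapons[j])) bad++;
    return bad;
}

// Hardened lookup: bounded by the populated-bank count and validated per index,
// so an empty slot can never be used to index Weapon_info.
bool primary_weapon_equipped(const ship_weapon &w, const char *name) {
    for (int j = 0; j < w.num_primary_banks && j < MAX_SHIP_PRIMARY_BANKS; j++) {
        int idx = w.primary_bank_weapons[j];
        if (weapon_index_valid(idx) && names_equal_nocase(Weapon_info[idx].name, name))
            return true;
    }
    return false;
}
```

A ship with one populated bank makes the original loop touch two invalid indices; the hardened lookup never reads them and still finds the equipped weapon regardless of case.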
Date Modified | Username | Field | Change |
---|---|---|---|
2013-04-04 04:40 | Echelon9 | New Issue | |
2013-04-04 05:28 | Echelon9 | Changeset attached | => fs2open trunk r9620 |
2013-04-04 05:28 | Echelon9 | Note Added: 0014883 | |
2013-04-04 05:28 | Echelon9 | Status | new => resolved |
2013-04-04 05:28 | Echelon9 | Resolution | open => fixed |
2013-12-02 00:58 | niffiwan | Assigned To | => Echelon9 |
2013-12-02 00:58 | niffiwan | Note Added: 0015485 | |
2013-12-02 00:58 | niffiwan | Status | resolved => feedback |
2013-12-02 00:58 | niffiwan | Resolution | fixed => reopened |
2013-12-02 00:58 | niffiwan | Status | feedback => resolved |
2013-12-02 00:58 | niffiwan | Fixed in Version | => 3.6.19 |
2013-12-02 00:58 | niffiwan | Resolution | reopened => fixed |