View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0002969 | FSSCP | multiplayer | public | 2013-12-03 10:37 | 2013-12-03 10:49 |
Reporter | Echelon9 | Assigned To | Echelon9 | ||
Priority | normal | Severity | minor | Reproducibility | always |
Status | resolved | Resolution | fixed | ||
Product Version | 3.7.1 | ||||
Target Version | 3.7.2 | ||||
Summary | 0002969: AddressSanitizer: global-buffer-overflow in ai_do_objects_repairing_stuff() | ||||
Description | Reported by AddressSanitizer, a memory error detector for C/C++, in FS2Open builds based on trunk r10185.

ERROR: AddressSanitizer: global-buffer-overflow on address 0x000103e04ee8 at pc 0x10035e612 bp 0x7fff5fbfba50 sp 0x7fff5fbfba48
READ of size 4 at 0x000103e04ee8 thread T0
==14216==WARNING: Trying to symbolize code, but external symbolizer is not initialized!
    #0 0x10035e611 in ai_do_objects_repairing_stuff aicode.cpp:10158
    #1 0x1017ecaeb in process_repair_info_packet multimsgs.cpp:4900
    #2 0x1015d7615 in process_packet_normal multi.cpp:686
    #3 0x1015dae2c in multi_process_bigdata multi.cpp:977
    #4 0x1015dd1e0 in multi_process_incoming multi.cpp:1093
    #5 0x1015dd5b5 in multi_do_frame multi.cpp:1149
    #6 0x10013f5ef in game_do_networking freespace.cpp:1097
    #7 0x1001793dd in game_do_state_common freespace.cpp:6425
    #8 0x100184809 in game_do_state freespace.cpp:6440
    #9 0x1007bea02 in gameseq_process_events gamesequence.cpp:409
    #10 0x10018b458 in game_main freespace.cpp:7062
    ...

// function to clean up ai flags, variables, and other interesting information
// for a ship that was getting repaired. The how parameter is useful for multiplayer
// only in that it tells us why the repaired ship is being cleaned up.
void ai_do_objects_repairing_stuff( object *repaired_objp, object *repair_objp, int how )
{
    ...
    int p_index;
    int p_team;

    p_index = -1;
    p_team = -1;

    // repaired_objp should not be null, but repair_objp will be null when a support ship is just warping in
    Assert(repaired_objp != NULL);
    Assert( repaired_objp->type == OBJ_SHIP);
    ...
    if(Game_mode & GM_MULTIPLAYER){
        p_index = multi_find_player_by_object(repaired_objp);
        p_team = Net_players[p_index].p_info.team;   // <=== HERE
    } else {
        ...
    }
Steps To Reproduce | 1. Utilise a version of Clang that supports AddressSanitizer (https://code.google.com/p/address-sanitizer/wiki/AddressSanitizer).
2. Build with the -fsanitize=address C/C++ flag.
3. Run the game with mediavps 3.6.12, and play through a multiplayer game with support craft.
Additional Information | ERROR: AddressSanitizer: global-buffer-overflow on address 0x000103e04ee8 at pc 0x10035e612 bp 0x7fff5fbfba50 sp 0x7fff5fbfba48
READ of size 4 at 0x000103e04ee8 thread T0
==14216==WARNING: Trying to symbolize code, but external symbolizer is not initialized!
    #0 0x10035e611 in ai_do_objects_repairing_stuff aicode.cpp:10158
    #1 0x1017ecaeb in process_repair_info_packet multimsgs.cpp:4900
    #2 0x1015d7615 in process_packet_normal multi.cpp:686
    #3 0x1015dae2c in multi_process_bigdata multi.cpp:977
    #4 0x1015dd1e0 in multi_process_incoming multi.cpp:1093
    #5 0x1015dd5b5 in multi_do_frame multi.cpp:1149
    #6 0x10013f5ef in game_do_networking freespace.cpp:1097
    #7 0x1001793dd in game_do_state_common freespace.cpp:6425
    #8 0x100184809 in game_do_state freespace.cpp:6440
    #9 0x1007bea02 in gameseq_process_events gamesequence.cpp:409
    #10 0x10018b458 in game_main freespace.cpp:7062
    #11 0x10018cbc6 in SDL_main freespace.cpp:7196
    #12 0x1000034c1 in -[SDLMain applicationDidFinishLaunching:] SDLMain.m:300
    #13 0x7fff8df88fcb in __CFNOTIFICATIONCENTER_IS_CALLING_OUT_TO_AN_OBSERVER__ (in CoreFoundation) + 11
    #14 0x7fff8de7cc5c in _CFXNotificationPost (in CoreFoundation) + 2892
    #15 0x7fff85e6d4a9 in -[NSNotificationCenter postNotificationName:object:userInfo:] (in Foundation) + 67
    #16 0x7fff8ae42b78 in -[NSApplication _postDidFinishNotification] (in AppKit) + 288
    #17 0x7fff8ae428ab in -[NSApplication _sendFinishLaunchingNotification] (in AppKit) + 194
    #18 0x7fff8ae3f795 in -[NSApplication(NSAppleEventHandling) _handleAEOpenEvent:] (in AppKit) + 569
    #19 0x7fff8ae3f1ea in -[NSApplication(NSAppleEventHandling) _handleCoreEvent:withReplyEvent:] (in AppKit) + 241
    #20 0x7fff85e8bea9 in -[NSAppleEventManager dispatchRawAppleEvent:withRawReply:handlerRefCon:] (in Foundation) + 293
    #21 0x7fff85e8bd1c in _NSAppleEventManagerGenericHandler (in Foundation) + 105
    #22 0x7fff8d19fe1e in aeDispatchAppleEvent(AEDesc const*, AEDesc*, unsigned int, unsigned char*) (in AE) + 380
    #23 0x7fff8d19fc31 in dispatchEventAndSendReply(AEDesc const*, AEDesc*) (in AE) + 30
    #24 0x7fff8d19fb35 in aeProcessAppleEvent (in AE) + 314
    #25 0x7fff8aa4f5f0 in AEProcessAppleEvent (in HIToolbox) + 55
    #26 0x7fff8ae3b0f5 in _DPSNextEvent (in AppKit) + 1025
    #27 0x7fff8ae3a8da in -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] (in AppKit) + 121
    #28 0x7fff8ae2e9cb in -[NSApplication run] (in AppKit) + 552
    #29 0x1000055b1 in CustomApplicationMain SDLMain.m:227
    #30 0x10000508a in main SDLMain.m:377
    #31 0x100002053 in start (in FS2_Open (debug)) + 51
    #32 0x0 in 0x0

0x000103e04ee8 is located 24 bytes to the left of global variable 'dc_neb2_fog_color' from 'fs2open/trunk/fs2_open/code/nebula/neb.cpp' (0x103e04f00) of size 24
0x000103e04ee8 is located 16 bytes to the right of global variable 'dc_neb2_background' from 'fs2open/trunk/fs2_open/code/nebula/neb.cpp' (0x103e04ec0) of size 24
SUMMARY: AddressSanitizer: global-buffer-overflow ??:0 ??
Shadow bytes around the buggy address:
  0x1000207c0980: 00 00 00 f9 f9 f9 f9 f9 00 00 00 f9 f9 f9 f9 f9
  0x1000207c0990: 00 00 00 f9 f9 f9 f9 f9 00 00 00 f9 f9 f9 f9 f9
  0x1000207c09a0: 00 00 00 f9 f9 f9 f9 f9 00 00 00 f9 f9 f9 f9 f9
  0x1000207c09b0: 00 00 00 f9 f9 f9 f9 f9 00 00 00 f9 f9 f9 f9 f9
  0x1000207c09c0: 00 00 00 f9 f9 f9 f9 f9 00 00 00 f9 f9 f9 f9 f9
=>0x1000207c09d0: 00 00 00 f9 f9 f9 f9 f9 00 00 00 f9 f9[f9]f9 f9
  0x1000207c09e0: 00 00 00 f9 f9 f9 f9 f9 00 00 00 00 00 00 00 00
  0x1000207c09f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000207c0a00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000207c0a10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000207c0a20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:     fa
  Heap right redzone:    fb
  Freed heap region:     fd
  Stack left redzone:    f1
  Stack mid redzone:     f2
  Stack right redzone:   f3
  Stack partial redzone: f4
  Stack after return:    f5
  Stack use after scope: f8
  Global redzone:        f9
  Global init order:     f6
  Poisoned by user:      f7
  Contiguous container OOB: fc
  ASan internal:         fe
==14216==ABORTING
Tags | No tags attached. | ||||
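The line marked HERE in the description uses the value returned by multi_find_player_by_object() as an index into Net_players without first checking for a not-found result. In a multiplayer game a support ship can repair a ship that no player controls, so the lookup fails; the function itself initialises p_index to -1, and a 4-byte read (the size of p_info.team, an int) through a negative index lands in memory before the array. That also explains why the ASan report names neb.cpp's dc_neb2_background and dc_neb2_fog_color rather than Net_players: ASan describes the globals nearest the faulting address, not the array the code meant to index. Because the trace shows the index being derived inside process_repair_info_packet(), the validation belongs before the array access regardless of which peer sent the packet. The following C program is added here as an illustration and is not code from the FS2Open tree or from the r10186 changeset; net_player_t, NETINFO_FLAG_CONNECTED, find_player_by_objnum() and the two team_for_object_* functions are assumed stand-ins for the engine's types and API, and the player table is constructed.

```c
#include <stdio.h>

/* Constructed stand-ins for the engine's player table and lookup; these are
   not the real FS2Open structures, only the same shape of mistake. */
#define MAX_PLAYERS 12
#define NETINFO_FLAG_CONNECTED 0x1   /* assumed flag name, for illustration */

typedef struct {
    int flags;    /* non-zero when the slot is in use */
    int objnum;   /* object this player controls */
    int team;     /* stands in for p_info.team */
} net_player_t;

/* Constructed fixture: two connected players in slots 0 and 3; every other
   slot has flags == 0 and so never matches a lookup. */
static net_player_t Net_players[MAX_PLAYERS] = {
    [0] = { NETINFO_FLAG_CONNECTED, 7, 0 },
    [3] = { NETINFO_FLAG_CONNECTED, 22, 1 },
};

/* Stand-in for multi_find_player_by_object(): the slot controlling objnum,
   or -1 when no player does (an AI-controlled ship, for instance). */
static int find_player_by_objnum(int objnum)
{
    for (int i = 0; i < MAX_PLAYERS; i++) {
        if ((Net_players[i].flags & NETINFO_FLAG_CONNECTED) &&
            Net_players[i].objnum == objnum)
            return i;
    }
    return -1;
}

/* The pattern the report shows: the lookup result is used as an index
   without checking for the -1 sentinel. For an objnum no player controls
   this reads Net_players[-1], i.e. memory before the array, which is the
   class of read ASan flagged. Kept only for comparison; never call it with
   an objnum that no player controls. */
static int team_for_object_unchecked(int objnum)
{
    int p_index = find_player_by_objnum(objnum);
    return Net_players[p_index].team;
}

/* Hardened form: validate the index before it touches the array. Returns
   the team, or -1 when the object is not controlled by any player. */
static int team_for_object_checked(int objnum)
{
    int p_index = find_player_by_objnum(objnum);
    if (p_index < 0 || p_index >= MAX_PLAYERS)
        return -1;
    return Net_players[p_index].team;
}

int main(void)
{
    /* Object 22 is a player's ship; object 99 is not (think: an AI wingman
       being repaired by a support ship). */
    printf("team for player object 22 (checked):   %d\n", team_for_object_checked(22));
    printf("team for non-player object 99 (checked): %d\n", team_for_object_checked(99));
    printf("team for player object 7 (unchecked):  %d\n", team_for_object_unchecked(7));
    /* team_for_object_unchecked(99) would index Net_players[-1]; build with
       clang -fsanitize=address -g to get the same kind of report as above. */
    return 0;
}
```

The checked variant keeps the caller's existing "-1 means no team" convention, so the fix needs no new error path: ai_do_objects_repairing_stuff() already starts with p_team = -1, and skipping the array read when the lookup fails leaves that value in place.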
Date Modified | Username | Field | Change |
---|---|---|---|
2013-12-03 10:37 | Echelon9 | New Issue | |
2013-12-03 10:37 | Echelon9 | Status | new => assigned |
2013-12-03 10:37 | Echelon9 | Assigned To | => Echelon9 |
2013-12-03 10:40 | Echelon9 | Category | AI => multiplayer |
2013-12-03 10:40 | Echelon9 | Steps to Reproduce Updated | |
2013-12-03 10:49 | Echelon9 | Changeset attached | => fs2open trunk r10186 |
2013-12-03 10:49 | Echelon9 | Note Added: 0015491 | |
2013-12-03 10:49 | Echelon9 | Status | assigned => resolved |
2013-12-03 10:49 | Echelon9 | Resolution | open => fixed |