#4520: Heap buffer overflow in drawShape()
-------------------------------------+-------------------------
        Reporter:  tnmurphy          |      Owner:
            Type:  bug               |     Status:  new
        Priority:  normal            |  Milestone:  unspecified
       Component:  Engine: Graphics  |    Version:  git/master
Operating System:  All/Non-Specific  |
-------------------------------------+-------------------------
 This crash happened when I was at the start of an 8-player skirmish game,
 single player.
 I am on 64-bit Fedora-22 with an Nvidia card, using the nvidia proprietary
 driver.
 My compiler is gcc version 5.3.1 20160406 (Red Hat 5.3.1-6) (GCC).

 I'm at changeset
 54673bc49c5cf757e3b8c1354bedfb995d6859a8

 (after the new mesh animation system)

 Regards,

 Tim



 warning |08:40:30: [recvGift:83] Gift (4) from 99, to 2, queue.index 0
 (**Further warnings of this type are suppressed.)
 warning |08:40:30: [recvGift:83] Gift (4) from 99, to 6, queue.index 0
 (**Further warnings of this type are suppressed.)
 =================================================================
 ==9846==ERROR: AddressSanitizer: heap-buffer-overflow on address
 0x618000cc9474 at pc 0x000000626903 bp 0x7ffeb4e35a80 sp 0x7ffeb4e35a70
 READ of size 4 at 0x618000cc9474 thread T0
     #0 0x626902 in drawShape(BASE_OBJECT*, iIMDShape*, int, PIELIGHT, int,
 int) /home/tmurphy/build/warzone2100/src/display3d.cpp:341
     #1 0x63498c in renderStructure(STRUCTURE*)
 /home/tmurphy/build/warzone2100/src/display3d.cpp:2250
     #2 0x62d18a in displayStaticObjects
 /home/tmurphy/build/warzone2100/src/display3d.cpp:1403
     #3 0x62b4d8 in drawTiles
 /home/tmurphy/build/warzone2100/src/display3d.cpp:1063
     #4 0x6295ca in draw3DScene()
 /home/tmurphy/build/warzone2100/src/display3d.cpp:728
     #5 0x64c9ae in displayWorld()
 /home/tmurphy/build/warzone2100/src/display.cpp:1216
     #6 0x77d7ac in renderLoop
 /home/tmurphy/build/warzone2100/src/loop.cpp:320
     #7 0x77ffe2 in gameLoop()
 /home/tmurphy/build/warzone2100/src/loop.cpp:720
     #8 0x783160 in runGameLoop
 /home/tmurphy/build/warzone2100/src/main.cpp:675
     #9 0x7837b4 in mainLoop()
 /home/tmurphy/build/warzone2100/src/main.cpp:781
     #10 0xbb58ba in wzMainEventLoop()
 /home/tmurphy/build/warzone2100/lib/sdl/main_sdl.cpp:1601
     #11 0x784c2b in realmain(int, char**)
 /home/tmurphy/build/warzone2100/src/main.cpp:1101
     #12 0xbad301 in main
 /home/tmurphy/build/warzone2100/lib/sdl/main_sdl.cpp:70
     #13 0x7f65a93d457f in __libc_start_main (/lib64/libc.so.6+0x2057f)
     #14 0x59bd38 in _start
 (/mnt/space/home/tmurphy/build/warzone2100/src/warzone2100+0x59bd38)

 0x618000cc9474 is located 12 bytes to the left of 800-byte region
 [0x618000cc9480,0x618000cc97a0)
 allocated by thread T0 here:
     #0 0x7f65ae25b882 in operator new(unsigned long)
 (/lib64/libasan.so.2+0x99882)
     #1 0xb8b8ea in __gnu_cxx::new_allocator<ANIMFRAME>::allocate(unsigned
 long, void const*) /usr/include/c++/5.3.1/ext/new_allocator.h:104
     #2 0xb8b549 in std::allocator_traits<std::allocator<ANIMFRAME>
 >::allocate(std::allocator<ANIMFRAME>&, unsigned long)
 /usr/include/c++/5.3.1/bits/alloc_traits.h:491
     #3 0xb8b09f in std::_Vector_base<ANIMFRAME, std::allocator<ANIMFRAME>
 >::_M_allocate(unsigned long) /usr/include/c++/5.3.1/bits/stl_vector.h:170
     #4 0xb897ae in std::vector<ANIMFRAME, std::allocator<ANIMFRAME>
 >::_M_default_append(unsigned long)
 /usr/include/c++/5.3.1/bits/vector.tcc:557
     #5 0xb874c8 in std::vector<ANIMFRAME, std::allocator<ANIMFRAME>
 >::resize(unsigned long) /usr/include/c++/5.3.1/bits/stl_vector.h:676
     #6 0xb824f1 in _imd_load_level
 /home/tmurphy/build/warzone2100/lib/ivis_opengl/imdload.cpp:764
     #7 0xb82235 in _imd_load_level
 /home/tmurphy/build/warzone2100/lib/ivis_opengl/imdload.cpp:747
     #8 0xb8528c in iV_ProcessIMD
 /home/tmurphy/build/warzone2100/lib/ivis_opengl/imdload.cpp:1063
     #9 0xb7b940 in tryLoad
 /home/tmurphy/build/warzone2100/lib/ivis_opengl/imdload.cpp:133
     #10 0xb7bebe in modelGet(QString const&)
 /home/tmurphy/build/warzone2100/lib/ivis_opengl/imdload.cpp:164
     #11 0x9d3168 in loadStructureStats(QString)
 /home/tmurphy/build/warzone2100/src/structure.cpp:518
     #12 0x60685e in bufferSSTRUCTLoad
 /home/tmurphy/build/warzone2100/src/data.cpp:337
     #13 0xbc62c9 in resLoadFile(char const*, char const*)
 /home/tmurphy/build/warzone2100/lib/framework/frameresource.cpp:548
     #14 0xbd059b in res_parse()
 /home/tmurphy/build/warzone2100/lib/framework/resource_parser.ypp:119
     #15 0xbc49cf in resLoad(char const*, int)
 /home/tmurphy/build/warzone2100/lib/framework/frameresource.cpp:207
     #16 0x7719a3 in levLoadData(char const*, Sha256 const*, char*,
 GAME_TYPE) /home/tmurphy/build/warzone2100/src/levels.cpp:757
     #17 0x782d55 in startGameLoop
 /home/tmurphy/build/warzone2100/src/main.cpp:566
     #18 0x783550 in runTitleLoop
 /home/tmurphy/build/warzone2100/src/main.cpp:741
     #19 0x7837bb in mainLoop()
 /home/tmurphy/build/warzone2100/src/main.cpp:784
     #20 0xbb58ba in wzMainEventLoop()
 /home/tmurphy/build/warzone2100/lib/sdl/main_sdl.cpp:1601
     #21 0x784c2b in realmain(int, char**)
 /home/tmurphy/build/warzone2100/src/main.cpp:1101
     #22 0xbad301 in main
 /home/tmurphy/build/warzone2100/lib/sdl/main_sdl.cpp:70
     #23 0x7f65a93d457f in __libc_start_main (/lib64/libc.so.6+0x2057f)

 SUMMARY: AddressSanitizer: heap-buffer-overflow
 /home/tmurphy/build/warzone2100/src/display3d.cpp:341
 drawShape(BASE_OBJECT*, iIMDShape*, int, PIELIGHT, int, int)
 Shadow bytes around the buggy address:
   0x0c3080191230: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   0x0c3080191240: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   0x0c3080191250: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   0x0c3080191260: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   0x0c3080191270: 00 00 00 00 00 00 00 00 00 00 00 07 fa fa fa fa
 =>0x0c3080191280: fa fa fa fa fa fa fa fa fa fa fa fa fa fa[fa]fa
   0x0c3080191290: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   0x0c30801912a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   0x0c30801912b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   0x0c30801912c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   0x0c30801912d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 Shadow byte legend (one shadow byte represents 8 application bytes):
   Addressable:           00
   Partially addressable: 01 02 03 04 05 06 07
   Heap left redzone:       fa
   Heap right redzone:      fb
   Freed heap region:       fd
   Stack left redzone:      f1
   Stack mid redzone:       f2
   Stack right redzone:     f3
   Stack partial redzone:   f4
   Stack after return:      f5
   Stack use after scope:   f8
   Global redzone:          f9
   Global init order:       f6
   Poisoned by user:        f7
   Container overflow:      fc
   Array cookie:            ac
   Intra object redzone:    bb
   ASan internal:           fe
 ==9846==ABORTING

--
Ticket URL: <http://developer.wz2100.net/ticket/4520>
Warzone 2100 Trac <http://developer.wz2100.net/>
The Warzone 2100 Project
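As an added illustration (not Warzone 2100 code and not from the reporter), the following C++ program models the class of bug the AddressSanitizer report above describes: a std::vector of animation frames, allocated by resize() as in the allocation stack, indexed with an out-of-range frame number. A negative index reads before the start of the buffer, which ASan reports as a read "to the left of" the region and marks in the shadow map as heap left redzone (fa). The struct ANIMFRAME used here, its 12-byte layout, and the function names frameX_unchecked, frameX_checked, frameX_wrapped and makeFrames are assumptions made for this example; the real ANIMFRAME and the code at display3d.cpp:341 are not shown on the page.

```cpp
// Added example, not project code: models an out-of-range frame index into a
// std::vector<ANIMFRAME> and shows a checked and a wrapping lookup beside the
// unchecked one. All names and the struct layout are assumptions.
#include <cstddef>
#include <cstdint>
#include <optional>
#include <vector>

struct ANIMFRAME {          // assumed 12-byte layout; the real struct is not on the page
    int32_t x, y, z;
};

// Unchecked lookup: the shape of the faulty access. With frame == -1 and this
// 12-byte element, the 4-byte read of .x lands 12 bytes before the buffer,
// which is the "READ of size 4 ... 12 bytes to the left of ... region" pattern.
// Out-of-range frames are undefined behaviour here; only call it in range.
int32_t frameX_unchecked(const std::vector<ANIMFRAME>& frames, int frame)
{
    return frames[frame].x;
}

// Hardened lookup: reject negative and too-large indices before touching the
// vector, and report failure to the caller instead of reading the redzone.
std::optional<int32_t> frameX_checked(const std::vector<ANIMFRAME>& frames, int frame)
{
    if (frame < 0 || static_cast<size_t>(frame) >= frames.size())
        return std::nullopt;
    return frames[static_cast<size_t>(frame)].x;
}

// Variant for looping animations: wrap the frame counter into range instead
// of rejecting it. An empty vector has no valid frame at all, so it is still
// a failure rather than a modulo-by-zero.
std::optional<int32_t> frameX_wrapped(const std::vector<ANIMFRAME>& frames, long frame)
{
    if (frames.empty())
        return std::nullopt;
    long n = static_cast<long>(frames.size());
    long idx = ((frame % n) + n) % n;   // true modulo, correct for negative counters
    return frames[static_cast<size_t>(idx)].x;
}

// Builds a frame table the same way the allocation stack above does (resize),
// with constructed values x = 0, 10, 20, ... so lookups are easy to check.
std::vector<ANIMFRAME> makeFrames(size_t count)
{
    std::vector<ANIMFRAME> frames;
    frames.resize(count);
    for (size_t i = 0; i < count; ++i)
        frames[i] = { static_cast<int32_t>(i * 10), 0, 0 };
    return frames;
}

int main()
{
    std::vector<ANIMFRAME> frames = makeFrames(5);
    // In range: all three agree.
    int32_t a = frameX_unchecked(frames, 2);
    int32_t b = *frameX_checked(frames, 2);
    int32_t c = *frameX_wrapped(frames, 2);
    // Out of range: only the checked/wrapped forms are safe to call.
    bool rejected = !frameX_checked(frames, -1).has_value();
    int32_t wrapped = *frameX_wrapped(frames, -1);
    return (a == b && b == c && rejected && wrapped == 40) ? 0 : 1;
}
```

Compiling this block with `g++ -fsanitize=address -g` and calling frameX_unchecked with frame = -1 produces a report of the same shape as the one above (READ of size 4, a few bytes to the left of a region allocated via std::vector::resize); the checked and wrapped variants return nullopt or wrap the counter instead of reading outside the allocation.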
_______________________________________________
Warzone2100-project mailing list
Warzone2100-project@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/warzone2100-project
