URL:
<http://gna.org/bugs/?25075>
Summary: heap use after free when window resolution is
changed during launch
Project: Battle for Wesnoth
Submitted by: matthiaskrgr
Submitted on: Mon 19 Sep 2016 11:42:51 AM UTC
Category: Bug
Severity: 4 - Important
Priority: 5 - Normal
Item Group: User Interface
Status: None
Privacy: Public
Assigned to: None
Originator Email:
Open/Closed: Open
Discussion Lock: Any
Release: git
Operating System: linux/fedora
_______________________________________________________
Details:
I compiled the game with ASan/UBSan.
When I change the window resolution before the main menu has appeared, the
game crashes under ASan. In the trace below the loading thread (T4) is still
parsing the config (parse_element -> config::add_child) while the main thread
(T0) has already destroyed game_config_manager in do_gameloop
(wesnoth.cpp:636), so the worker writes into a config that was already freed:
````
Battle for Wesnoth v1.13.5+dev (21f01b0-Clean)
Started on Mon Sep 19 13:40:46 2016
Automatically found a possible data directory at
/home/matthias/vcs/github/wesnoth/build/..
Data directory: /home/matthias/vcs/github/wesnoth/build/..
User configuration directory: /home/matthias/.config/wesnoth
User data directory: /home/matthias/.local/share/wesnoth/1.13
Cache directory: /home/matthias/.cache/wesnoth
Setting mode to 800x600
=================================================================
==28153==ERROR: AddressSanitizer: heap-use-after-free on address
0x60c00050c918 at pc 0x0000059a9bc8 bp 0x7f4f90171a40 sp 0x7f4f90171a30
READ of size 8 at 0x60c00050c918 thread T4
#0 0x59a9bc7 in std::_Rb_tree<std::__cxx11::basic_string<char,
std::char_traits<char>, std::allocator<char> >,
std::pair<std::__cxx11::basic_string<char, std::char_traits<char>,
std::allocator<char> > const, std::vector<config*, std::allocator<config*> >
>, std::_Select1st<std::pair<std::__cxx11::basic_string<char,
std::char_traits<char>, std::allocator<char> > const, std::vector<config*,
std::allocator<config*> > > >, std::less<std::__cxx11::basic_string<char,
std::char_traits<char>, std::allocator<char> > >,
std::allocator<std::pair<std::__cxx11::basic_string<char,
std::char_traits<char>, std::allocator<char> > const, std::vector<config*,
std::allocator<config*> > > > >::size() const
/usr/include/c++/6.1.1/bits/stl_tree.h:916
#1 0x59a9bc7 in std::_Rb_tree<std::__cxx11::basic_string<char,
std::char_traits<char>, std::allocator<char> >,
std::pair<std::__cxx11::basic_string<char, std::char_traits<char>,
std::allocator<char> > const, std::vector<config*, std::allocator<config*> >
>, std::_Select1st<std::pair<std::__cxx11::basic_string<char,
std::char_traits<char>, std::allocator<char> > const, std::vector<config*,
std::allocator<config*> > > >, std::less<std::__cxx11::basic_string<char,
std::char_traits<char>, std::allocator<char> > >,
std::allocator<std::pair<std::__cxx11::basic_string<char,
std::char_traits<char>, std::allocator<char> > const, std::vector<config*,
std::allocator<config*> > > >
>::_M_get_insert_hint_unique_pos(std::_Rb_tree_const_iterator<std::pair<std::__cxx11::basic_string<char,
std::char_traits<char>, std::allocator<char> > const, std::vector<config*,
std::allocator<config*> > > >, std::__cxx11::basic_string<char,
std::char_traits<char>, std::allocator<char> > const&)
/usr/include/c++/6.1.1/bits/stl_tree.h:1908
#2 0x59aa3d6 in
std::_Rb_tree_iterator<std::pair<std::__cxx11::basic_string<char,
std::char_traits<char>, std::allocator<char> > const, std::vector<config*,
std::allocator<config*> > > > std::_Rb_tree<std::__cxx11::basic_string<char,
std::char_traits<char>, std::allocator<char> >,
std::pair<std::__cxx11::basic_string<char, std::char_traits<char>,
std::allocator<char> > const, std::vector<config*, std::allocator<config*> >
>, std::_Select1st<std::pair<std::__cxx11::basic_string<char,
std::char_traits<char>, std::allocator<char> > const, std::vector<config*,
std::allocator<config*> > > >, std::less<std::__cxx11::basic_string<char,
std::char_traits<char>, std::allocator<char> > >,
std::allocator<std::pair<std::__cxx11::basic_string<char,
std::char_traits<char>, std::allocator<char> > const, std::vector<config*,
std::allocator<config*> > > >
>::_M_emplace_hint_unique<std::piecewise_construct_t const&,
std::tuple<std::__cxx11::basic_string<char, std::char_traits<char>,
std::allocator<char> > const&>, std::tuple<>
>(std::_Rb_tree_const_iterator<std::pair<std::__cxx11::basic_string<char,
std::char_traits<char>, std::allocator<char> > const, std::vector<config*,
std::allocator<config*> > > >, std::piecewise_construct_t const&,
std::tuple<std::__cxx11::basic_string<char, std::char_traits<char>,
std::allocator<char> > const&>&&, std::tuple<>&&)
/usr/include/c++/6.1.1/bits/stl_tree.h:2170
#3 0x59abdd5 in std::map<std::__cxx11::basic_string<char,
std::char_traits<char>, std::allocator<char> >, std::vector<config*,
std::allocator<config*> >, std::less<std::__cxx11::basic_string<char,
std::char_traits<char>, std::allocator<char> > >,
std::allocator<std::pair<std::__cxx11::basic_string<char,
std::char_traits<char>, std::allocator<char> > const, std::vector<config*,
std::allocator<config*> > > > >::operator[](std::__cxx11::basic_string<char,
std::char_traits<char>, std::allocator<char> > const&)
/usr/include/c++/6.1.1/bits/stl_map.h:483
#4 0x5947166 in config::add_child(std::__cxx11::basic_string<char,
std::char_traits<char>, std::allocator<char> > const&)
/home/matthias/vcs/github/wesnoth/src/config.cpp:748
#5 0x5b3678b in parse_element
/home/matthias/vcs/github/wesnoth/src/serialization/parser.cpp:164
#6 0x5b3678b in operator()
/home/matthias/vcs/github/wesnoth/src/serialization/parser.cpp:113
#7 0x5b40e70 in void
read_compressed<boost::iostreams::basic_gzip_decompressor<std::allocator<char>
> >(config&, std::istream&, abstract_validator*)
/home/matthias/vcs/github/wesnoth/src/serialization/parser.cpp:450
#8 0x2a9bb74 in
game_config::config_cache::read_file(std::__cxx11::basic_string<char,
std::char_traits<char>, std::allocator<char> > const&, config&)
/home/matthias/vcs/github/wesnoth/src/config_cache.cpp:122
#9 0x2a9bb74 in
game_config::config_cache::read_cache(std::__cxx11::basic_string<char,
std::char_traits<char>, std::allocator<char> > const&, config&)
/home/matthias/vcs/github/wesnoth/src/config_cache.cpp:205
#10 0x2aa30b6 in
game_config::config_cache::load_configs(std::__cxx11::basic_string<char,
std::char_traits<char>, std::allocator<char> > const&, config&)
/home/matthias/vcs/github/wesnoth/src/config_cache.cpp:285
#11 0x3487a52 in
game_config_manager::load_game_config(game_config_manager::FORCE_RELOAD_CONFIG,
game_classification const*)
/home/matthias/vcs/github/wesnoth/src/game_config_manager.cpp:254
#12 0x3b851d9 in std::function<void ()>::operator()() const
/usr/include/c++/6.1.1/functional:2136
#13 0x3b851d9 in gui2::tloadscreen::display(CVideo&, std::function<void
()>) /home/matthias/vcs/github/wesnoth/src/gui/dialogs/loadscreen.cpp:212
#14 0x3463f0b in
game_config_manager::load_game_config_with_loadscreen(game_config_manager::FORCE_RELOAD_CONFIG,
game_classification const*)
/home/matthias/vcs/github/wesnoth/src/game_config_manager.cpp:137
#15 0x3465564 in
game_config_manager::init_game_config(game_config_manager::FORCE_RELOAD_CONFIG)
/home/matthias/vcs/github/wesnoth/src/game_config_manager.cpp:89
#16 0x8590a7 in operator()
/home/matthias/vcs/github/wesnoth/src/wesnoth.cpp:640
#17 0x8590a7 in _M_invoke /usr/include/c++/6.1.1/functional:1740
#18 0x3b746b9 in std::function<void ()>::operator()() const
/usr/include/c++/6.1.1/functional:2136
#19 0x3b746b9 in operator()
/home/matthias/vcs/github/wesnoth/src/gui/dialogs/loadscreen.cpp:119
#20 0x3b746b9 in run /usr/include/boost/thread/detail/thread.hpp:116
#21 0x7f4fc0502295 (/lib64/libboost_thread.so.1.60.0+0x13295)
#22 0x7f4fc17c05c9 in start_thread (/lib64/libpthread.so.0+0x75c9)
#23 0x7f4fbbdedf6c in __clone (/lib64/libc.so.6+0x102f6c)
0x60c00050c918 is located 88 bytes inside of 120-byte region
[0x60c00050c8c0,0x60c00050c938)
freed by thread T0 here:
#0 0x7f4fc1da74e0 in operator delete(void*) (/lib64/libasan.so.3+0xc84e0)
#1 0x5939a86 in config::clear()
/home/matthias/vcs/github/wesnoth/src/config.cpp:1098
#2 0x5938e1d in config::~config()
/home/matthias/vcs/github/wesnoth/src/config.cpp:471
#3 0x3468871 in game_config_manager::~game_config_manager()
/home/matthias/vcs/github/wesnoth/src/game_config_manager.cpp:68
#4 0x7e374a in do_gameloop
/home/matthias/vcs/github/wesnoth/src/wesnoth.cpp:636
#5 0x7e374a in main
/home/matthias/vcs/github/wesnoth/src/wesnoth.cpp:1042
#6 0x7f4fbbd0b730 in __libc_start_main (/lib64/libc.so.6+0x20730)
previously allocated by thread T4 here:
#0 0x7f4fc1da6e60 in operator new(unsigned long)
(/lib64/libasan.so.3+0xc7e60)
#1 0x5947184 in config::add_child(std::__cxx11::basic_string<char,
std::char_traits<char>, std::allocator<char> > const&)
/home/matthias/vcs/github/wesnoth/src/config.cpp:749
#2 0x5b3678b in parse_element
/home/matthias/vcs/github/wesnoth/src/serialization/parser.cpp:164
#3 0x5b3678b in operator()
/home/matthias/vcs/github/wesnoth/src/serialization/parser.cpp:113
#4 0x5b40e70 in void
read_compressed<boost::iostreams::basic_gzip_decompressor<std::allocator<char>
> >(config&, std::istream&, abstract_validator*)
/home/matthias/vcs/github/wesnoth/src/serialization/parser.cpp:450
#5 0x2a9bb74 in
game_config::config_cache::read_file(std::__cxx11::basic_string<char,
std::char_traits<char>, std::allocator<char> > const&, config&)
/home/matthias/vcs/github/wesnoth/src/config_cache.cpp:122
#6 0x2a9bb74 in
game_config::config_cache::read_cache(std::__cxx11::basic_string<char,
std::char_traits<char>, std::allocator<char> > const&, config&)
/home/matthias/vcs/github/wesnoth/src/config_cache.cpp:205
#7 0x2aa30b6 in
game_config::config_cache::load_configs(std::__cxx11::basic_string<char,
std::char_traits<char>, std::allocator<char> > const&, config&)
/home/matthias/vcs/github/wesnoth/src/config_cache.cpp:285
#8 0x3487a52 in
game_config_manager::load_game_config(game_config_manager::FORCE_RELOAD_CONFIG,
game_classification const*)
/home/matthias/vcs/github/wesnoth/src/game_config_manager.cpp:254
#9 0x3b851d9 in std::function<void ()>::operator()() const
/usr/include/c++/6.1.1/functional:2136
#10 0x3b851d9 in gui2::tloadscreen::display(CVideo&, std::function<void
()>) /home/matthias/vcs/github/wesnoth/src/gui/dialogs/loadscreen.cpp:212
#11 0x3463f0b in
game_config_manager::load_game_config_with_loadscreen(game_config_manager::FORCE_RELOAD_CONFIG,
game_classification const*)
/home/matthias/vcs/github/wesnoth/src/game_config_manager.cpp:137
#12 0x3465564 in
game_config_manager::init_game_config(game_config_manager::FORCE_RELOAD_CONFIG)
/home/matthias/vcs/github/wesnoth/src/game_config_manager.cpp:89
#13 0x8590a7 in operator()
/home/matthias/vcs/github/wesnoth/src/wesnoth.cpp:640
#14 0x8590a7 in _M_invoke /usr/include/c++/6.1.1/functional:1740
#15 0x3b746b9 in std::function<void ()>::operator()() const
/usr/include/c++/6.1.1/functional:2136
#16 0x3b746b9 in operator()
/home/matthias/vcs/github/wesnoth/src/gui/dialogs/loadscreen.cpp:119
#17 0x3b746b9 in run /usr/include/boost/thread/detail/thread.hpp:116
#18 0x7f4fc0502295 (/lib64/libboost_thread.so.1.60.0+0x13295)
Thread T4 created by T0 here:
#0 0x7f4fc1d10458 in pthread_create (/lib64/libasan.so.3+0x31458)
#1 0x7f4fc0500b68 in boost::thread::start_thread_noexcept()
(/lib64/libboost_thread.so.1.60.0+0x11b68)
#2 0x3925fa8 in gui2::tdialog::show(CVideo&, unsigned int)
/home/matthias/vcs/github/wesnoth/src/gui/dialogs/dialog.cpp:64
#3 0x3b853e3 in gui2::tloadscreen::display(CVideo&, std::function<void
()>) /home/matthias/vcs/github/wesnoth/src/gui/dialogs/loadscreen.cpp:208
#4 0x7e2089 in do_gameloop
/home/matthias/vcs/github/wesnoth/src/wesnoth.cpp:656
#5 0x7e2089 in main
/home/matthias/vcs/github/wesnoth/src/wesnoth.cpp:1042
#6 0x7f4fbbd0b730 in __libc_start_main (/lib64/libc.so.6+0x20730)
SUMMARY: AddressSanitizer: heap-use-after-free
/usr/include/c++/6.1.1/bits/stl_tree.h:916 in
std::_Rb_tree<std::__cxx11::basic_string<char, std::char_traits<char>,
std::allocator<char> >, std::pair<std::__cxx11::basic_string<char,
std::char_traits<char>, std::allocator<char> > const, std::vector<config*,
std::allocator<config*> > >,
std::_Select1st<std::pair<std::__cxx11::basic_string<char,
std::char_traits<char>, std::allocator<char> > const, std::vector<config*,
std::allocator<config*> > > >, std::less<std::__cxx11::basic_string<char,
std::char_traits<char>, std::allocator<char> > >,
std::allocator<std::pair<std::__cxx11::basic_string<char,
std::char_traits<char>, std::allocator<char> > const, std::vector<config*,
std::allocator<config*> > > > >::size() const
Shadow bytes around the buggy address:
0x0c18800998d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c18800998e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c18800998f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c1880099900: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c1880099910: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
=>0x0c1880099920: fd fd fd[fd]fd fd fd fa fa fa fa fa fa fa fa fa
0x0c1880099930: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa
0x0c1880099940: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
0x0c1880099950: fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa fa
0x0c1880099960: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa
0x0c1880099970: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==28153==ABORTING
````
_______________________________________________________
Reply to this item at:
<http://gna.org/bugs/?25075>