Issue707

Issues
Show Not Resolved
Show All
Search

Login




Register
Lost your login?

Help
Roundup docs

Title asan crash if GetItemIndexByName fails?
Priority important Status resolved
Assigned To salimiles Keywords
Linked issues Watchers Xenux, salimiles

Submitted on 2013-10-03 22h52 by matthiaskrgr, last changed by matthiaskrgr.

Messages
Author: matthiaskrgr Date: 2013-10-03   22h52 
I was checking for an item or giving an item which does not exist via dialog
when the game crashed:

=================================================================
==588== ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60a400028678
at pc 0x424ba2 bp 0x7fff402ddc10 sp 0x7fff402ddc08
READ of size 4 at 0x60a400028678 thread T0
    #0 0x424ba1 (/home/matthias/vcs/git/freedroid/src/freedroidRPG+0x424ba1)
    #1 0x426502 (/home/matthias/vcs/git/freedroid/src/freedroidRPG+0x426502)
    #2 0x446361 (/home/matthias/vcs/git/freedroid/src/freedroidRPG+0x446361)
    #3 0x552dc9 (/home/matthias/vcs/git/freedroid/src/freedroidRPG+0x552dc9)
    #4 0x55ce03 (/home/matthias/vcs/git/freedroid/src/freedroidRPG+0x55ce03)
    #5 0x552f0f (/home/matthias/vcs/git/freedroid/src/freedroidRPG+0x552f0f)
    #6 0x552758 (/home/matthias/vcs/git/freedroid/src/freedroidRPG+0x552758)
    #7 0x553111 (/home/matthias/vcs/git/freedroid/src/freedroidRPG+0x553111)
    #8 0x449a5a (/home/matthias/vcs/git/freedroid/src/freedroidRPG+0x449a5a)
    #9 0x4d50de (/home/matthias/vcs/git/freedroid/src/freedroidRPG+0x4d50de)
    #10 0x484e97 (/home/matthias/vcs/git/freedroid/src/freedroidRPG+0x484e97)
    #11 0x48689e (/home/matthias/vcs/git/freedroid/src/freedroidRPG+0x48689e)
    #12 0x4b00be (/home/matthias/vcs/git/freedroid/src/freedroidRPG+0x4b00be)
    #13 0x417769 (/home/matthias/vcs/git/freedroid/src/freedroidRPG+0x417769)
    #14 0x7f8bb54cbbc4 (/usr/lib/libc-2.18.so+0x21bc4)
    #15 0x417f1c (/home/matthias/vcs/git/freedroid/src/freedroidRPG+0x417f1c)
0x60a400028678 is located 392 bytes to the left of 78321-byte region
[0x60a400028800,0x60a40003b9f1)
allocated by thread T0 here:
    #0 0x7f8bb6d51625 (/usr/lib/libasan.so.0.0.0+0x15625)
    #1 0x495115 (/home/matthias/vcs/git/freedroid/src/freedroidRPG+0x495115)
    #2 0x451b20 (/home/matthias/vcs/git/freedroid/src/freedroidRPG+0x451b20)
    #3 0x552dc9 (/home/matthias/vcs/git/freedroid/src/freedroidRPG+0x552dc9)
Shadow bytes around the buggy address:
  0x0c14ffffd070: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c14ffffd080: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c14ffffd090: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c14ffffd0a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c14ffffd0b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c14ffffd0c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa[fa]
  0x0c14ffffd0d0:fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c14ffffd0e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c14ffffd0f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c14ffffd100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c14ffffd110: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:     fa
  Heap righ redzone:     fb
  Freed Heap region:     fd
  Stack left redzone:    f1
  Stack mid redzone:     f2
  Stack right redzone:   f3
  Stack partial redzone: f4
  Stack after return:    f5
  Stack use after scope: f8
  Global redzone:        f9
  Global init order:     f6
  Poisoned by user:      f7
  ASan internal:         fe
==588== ABORTING


 addr2line -e ./src/freedroidRPG 0x424ba1 0x426502 0x446361 0x552dc9 0x55ce03
0x552f0f 0x552758 0x553111 0x449a5a 0x4d50de 0x484e97 0x48689e 0x4b00be 0x417769
0x417f1c 0x495115 0x451b20 0x552dc9 
/home/matthias/vcs/git/freedroid/src/items.c:72
/home/matthias/vcs/git/freedroid/src/items.c:60
/home/matthias/vcs/git/freedroid/src/lua.c:354
/home/matthias/vcs/git/freedroid/lua/ldo.c:317
/home/matthias/vcs/git/freedroid/lua/lvm.c:710 (discriminator 2)
/home/matthias/vcs/git/freedroid/lua/ldo.c:430
/home/matthias/vcs/git/freedroid/lua/ldo.c:131 (discriminator 1)
/home/matthias/vcs/git/freedroid/lua/ldo.c:530 (discriminator 3)
/home/matthias/vcs/git/freedroid/src/lua.c:1763
/home/matthias/vcs/git/freedroid/src/chat.c:829
/home/matthias/vcs/git/freedroid/src/influ.c:1556
/home/matthias/vcs/git/freedroid/src/influ.c:1647
/home/matthias/vcs/git/freedroid/src/main.c:106
/home/matthias/vcs/git/freedroid/src/main.c:182
??:?
/home/matthias/vcs/git/freedroid/src/text_public.c:58
/home/matthias/vcs/git/freedroid/src/luaconfig.c:1167
/home/matthias/vcs/git/freedroid/lua/ldo.c:317


@ 648fb9f1cc8eb3549c473b381fad0a63d40f3de6
Author: Xenux Date: 2013-10-18   09h36 
Ok I find the problem. It's FillInItemProperties who don't check if the type 
exists before get the item spec. Either we protect FillInItemProperties, or we add 
a preventive check before.
Author: salimiles Date: 2013-11-21   08h29 
Why not both?  (https://www.youtube.com/watch?v=vgk-lA12FBk )

Try this patch on for size: http://rb.freedroid.org/r/1963/
Author: matthiaskrgr Date: 2014-03-03   23h44 
Pushed as 23cb51d4af7dc8ceafe12c89c921df91d6d29a11 Thanks!
History
Date User Action Args
2014-03-03 23:44:28matthiaskrgrsetstatus: open -> resolved
assignedto: Xenux -> salimiles
messages: + msg2744
nosy: + salimiles
2013-11-21 08:29:40salimilessetmessages: + msg2635
2013-10-18 09:36:32Xenuxsetassignedto: Xenux
messages: + msg2616
nosy: + Xenux
2013-10-03 22:52:01matthiaskrgrcreate