Issue 822

Title heap use after free: enemy planted in wall
Priority: minor    Status: open
Assigned To:       Keywords:
Linked issues:     Watchers:

Submitted on 2015-06-04 08h22 by matthiaskrgr, last changed by matthiaskrgr.

Messages
Author: matthiaskrgr Date: 2015-06-04   08h22
If one accidentally plants an enemy inside a collision rectangle, asan crashes
immediately after starting to play:
ound robot that seems really stuck on position: 52.378128/78.377876/8.
More details on this robot:  Type=0.
Short Description=123 Acolyte.
Private Pathway[0]: 52.378128/78.377876.
Private Pathway[1]:
-1.000000/-1.000000.
=================================================================
==3899==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6250003e80e4
at pc 0x0000004f8e69 bp 0x7ffd15dd36d0 sp 0x7ffd15dd36c0
READ of size 4 at 0x6250003e80e4 thread T0
    #0 0x4f8e68 in enemy_handle_stuck_in_walls
/home/matthias/vcs/git/freedroid/src/enemy.c:1296
    #1 0x4fa84b in state_machine_inconditional_updates
/home/matthias/vcs/git/freedroid/src/enemy.c:1471
    #2 0x500b84 in update_enemy /home/matthias/vcs/git/freedroid/src/enemy.c:2000
    #3 0x501a35 in move_enemies /home/matthias/vcs/git/freedroid/src/enemy.c:2130
    #4 0x51491a in Game /home/matthias/vcs/git/freedroid/src/main.c:109
    #5 0x5a2221 in TestMap lvledit/lvledit.c:252
    #6 0x5c7b51 in DoLevelEditorMainMenu lvledit/lvledit_menu.c:1013
    #7 0x5b77fe in leveleditor_process_input lvledit/lvledit_input.c:193
    #8 0x5a22f2 in LevelEditor lvledit/lvledit.c:282
    #9 0x514bb7 in main /home/matthias/vcs/git/freedroid/src/main.c:188
    #10 0x7f6979cf078f in __libc_start_main (/usr/lib/libc.so.6+0x2078f)
    #11 0x418128 in _start
(/home/matthias/vcs/git/freedroid/src/freedroidRPG+0x418128)

0x6250003e80e4 is located 28 bytes to the left of 8128-byte region
[0x6250003e8100,0x6250003ea0c0)
allocated by thread T0 here:
    #0 0x7f697c33fd5a in __interceptor_realloc
/build/gcc-multilib/src/gcc-5-20150519/libsanitizer/asan/asan_malloc_linux.cc:59
    #1 0x4531fb in dynarray_resize
/home/matthias/vcs/git/freedroid/src/dynarray.c:66
    #2 0x453609 in dynarray_add /home/matthias/vcs/git/freedroid/src/dynarray.c:96
    #3 0x48872f in decode_waypoints /home/matthias/vcs/git/freedroid/src/map.c:934
    #4 0x48a0df in decode_level /home/matthias/vcs/git/freedroid/src/map.c:1127
    #5 0x48bc0d in LoadShip /home/matthias/vcs/git/freedroid/src/map.c:1298
    #6 0x49d000 in prepare_level_editor
/home/matthias/vcs/git/freedroid/src/init.c:791
    #7 0x41d2af in Startup_handle /home/matthias/vcs/git/freedroid/src/menu.c:809
    #8 0x41ce1f in RunSubMenu /home/matthias/vcs/git/freedroid/src/menu.c:746
    #9 0x41d18a in RunMenu /home/matthias/vcs/git/freedroid/src/menu.c:775
    #10 0x41d19f in StartupMenu /home/matthias/vcs/git/freedroid/src/menu.c:781
    #11 0x514b4f in main /home/matthias/vcs/git/freedroid/src/main.c:178
    #12 0x7f6979cf078f in __libc_start_main (/usr/lib/libc.so.6+0x2078f)

SUMMARY: AddressSanitizer: heap-buffer-overflow
/home/matthias/vcs/git/freedroid/src/enemy.c:1296 enemy_handle_stuck_in_walls
Shadow bytes around the buggy address:
  0x0c4a80074fc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4a80074fd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4a80074fe0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4a80074ff0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4a80075000: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c4a80075010: fa fa fa fa fa fa fa fa fa fa fa fa[fa]fa fa fa
  0x0c4a80075020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4a80075030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4a80075040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4a80075050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4a80075060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==3899==ABORTING
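To show the defect class the report points at, here is an added illustration (not freedroid's code): a hypothetical realloc-grown array in the style of the dynarray frames in the trace, with a bounds-checked read that refuses negative and past-the-end indexes instead of reading outside the heap block, which is what a plain build would do silently and ASan reports as heap-buffer-overflow.

```c
#include <assert.h>
#include <stdlib.h>

/* Hypothetical growable int array modelled on the dynarray_add ->
 * dynarray_resize -> realloc frames in the report; not freedroid's code. */
struct dynarray {
    int *data;     /* 4-byte elements, matching the "READ of size 4" */
    int size;      /* elements in use */
    int capacity;  /* elements allocated */
};

void dynarray_init(struct dynarray *a) { a->data = NULL; a->size = a->capacity = 0; }
void dynarray_free(struct dynarray *a) { free(a->data); dynarray_init(a); }

/* Grow with realloc, as in the allocation trace above. */
void dynarray_add(struct dynarray *a, int value) {
    if (a->size == a->capacity) {
        int newcap = a->capacity ? a->capacity * 2 : 4;
        int *p = realloc(a->data, (size_t)newcap * sizeof *p);
        assert(p != NULL);  /* real code would report out-of-memory */
        a->data = p;
        a->capacity = newcap;
    }
    a->data[a->size++] = value;
}

/* Checked read. A negative index (for instance a "-1 = no waypoint"
 * sentinel used as an index) or one past size is refused instead of
 * reading outside the heap block: a->data[-7] on this array is exactly a
 * 4-byte read 28 bytes to the left of the region, as in the report. */
int dynarray_get(const struct dynarray *a, int idx, int *out) {
    if (idx < 0 || idx >= a->size) return 0;
    *out = a->data[idx];
    return 1;
}

/* Builds the constructed array {0,10,...,90} and probes one index;
 * returns the element, or -1 when the checked read refuses it. */
int probe_index(int idx) {
    struct dynarray a;
    int v = -1;
    dynarray_init(&a);
    for (int i = 0; i < 10; i++) dynarray_add(&a, i * 10);
    if (!dynarray_get(&a, idx, &v)) v = -1;
    dynarray_free(&a);
    return v;
}
```

Built with -fsanitize=address, replacing the checked read with a raw a->data[-7] reproduces the "28 bytes to the left of the region" diagnostic shown above.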
Author: matthiaskrgr Date: 2015-06-04   08h31
Interestingly, the code that moves Tux out of walls works fine, apparently.
History
Date                 User           Action   Args
2015-06-04 08:31:10  matthiaskrgr   set      messages: + msg3190
2015-06-04 08:22:22  matthiaskrgr   create