Issue879

Title buffer overflow when droid placed in obstacle (colrect)
Priority bug Status open
Assigned To Keywords
Linked issues Watchers

Submitted on 2017-02-21 22h38 by matthiaskrgr, last changed by matthiaskrgr.

Messages
Author: matthiaskrgr Date: 2017-02-21   22h38
When a bot is placed in a pile of obstacles with large collision rectangles, the 
game might crash with a heap-buffer-overflow.

Of course bots should not be placed inside colrects but perhaps the game could 
act a bit more cleverly about this?



Tux looks stuck...ESCAPING just for this frame...
No escape position found around Tux... Looking in position history...

Found robot that seems really stuck on position: 41.499306/34.778526/0.
More details on this robot:  Type=6.
Short Description=329 Sparkie.
Private Pathway[0]: 41.499306/34.778526.
Private Pathway[1]: -1.000000/-1.000000.
=================================================================
==20509==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6290002121e0 at pc 0x00000056b93c bp 0x7ffe92b50bf0 sp 0x7ffe92b50be8
READ of size 4 at 0x6290002121e0 thread T0
    #0 0x56b93b in enemy_handle_stuck_in_walls /home/matthias/vcs/git/freedroid/src/enemy.c:1303:63
    #1 0x56f470 in state_machine_inconditional_updates /home/matthias/vcs/git/freedroid/src/enemy.c:1478:2
    #2 0x56f470 in update_enemy /home/matthias/vcs/git/freedroid/src/enemy.c:2007
    #3 0x58307b in move_enemies /home/matthias/vcs/git/freedroid/src/enemy.c:2137:3
    #4 0x6216dc in Game /home/matthias/vcs/git/freedroid/src/main.c:109:4
    #5 0x6eb576 in TestMap /home/matthias/vcs/git/freedroid/src/lvledit/lvledit.c:252:2
    #6 0x70e31c in do_level_editor_main_menu /home/matthias/vcs/git/freedroid/src/lvledit/lvledit_menu.c:1014:4
    #7 0x7073b3 in leveleditor_process_input /home/matthias/vcs/git/freedroid/src/lvledit/lvledit_input.c:193:23
    #8 0x6eb664 in LevelEditor /home/matthias/vcs/git/freedroid/src/lvledit/lvledit.c:279:3
    #9 0x621a02 in main /home/matthias/vcs/git/freedroid/src/main.c:183:4
    #10 0x7f9f5757c400 in __libc_start_main /usr/src/debug/glibc-2.24-33-ge9e69e4/csu/../csu/libc-start.c:289
    #11 0x431519 in _start (/home/matthias/vcs/git/freedroid/src/freedroidRPG+0x431519)

0x6290002121e0 is located 32 bytes to the left of 16384-byte region [0x629000212200,0x629000216200)
allocated by thread T0 here:
    #0 0x4db0de in realloc /home/matthias/LLVM/LLVM_dev/stage_2/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:79:3
    #1 0x55b3da in dynarray_resize /home/matthias/vcs/git/freedroid/src/dynarray.c:95:17
    #2 0x55b067 in dynarray_add /home/matthias/vcs/git/freedroid/src/dynarray.c:131:3
    #3 0x62efc2 in decode_waypoints /home/matthias/vcs/git/freedroid/src/map.c:939:3
    #4 0x62efc2 in decode_level /home/matthias/vcs/git/freedroid/src/map.c:1117
    #5 0x62afe7 in LoadShip /home/matthias/vcs/git/freedroid/src/map.c:1290:23
    #6 0x5cb932 in prepare_level_editor /home/matthias/vcs/git/freedroid/src/init.c:621:2
    #7 0x642e3f in Startup_handle /home/matthias/vcs/git/freedroid/src/menu.c:887:3
    #8 0x649049 in RunSubMenu /home/matthias/vcs/git/freedroid/src/menu.c:824:13
    #9 0x648127 in RunMenu /home/matthias/vcs/git/freedroid/src/menu.c:853:2
    #10 0x648127 in StartupMenu /home/matthias/vcs/git/freedroid/src/menu.c:859
    #11 0x6219d8 in main /home/matthias/vcs/git/freedroid/src/main.c:173:4
    #12 0x7f9f5757c400 in __libc_start_main /usr/src/debug/glibc-2.24-33-ge9e69e4/csu/../csu/libc-start.c:289

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/matthias/vcs/git/freedroid/src/enemy.c:1303:63 in enemy_handle_stuck_in_walls
Shadow bytes around the buggy address:
==20509==ABORTING
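As an added illustration (not freedroid code): ASan reports a 4-byte read 32 bytes before a region that dynarray_add grew for the waypoint list. Under the assumption that a waypoint element is 32 bytes, that offset is exactly element index -1, the kind of value a "no waypoint" sentinel (compare the -1.000000/-1.000000 pathway entry in the log) produces when it is used as an index; the accessor below rejects negative and past-the-end indices so such a lookup returns NULL instead of reading the redzone. The struct layout, the dynarray stand-in and the sample waypoints are constructed assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
/* Hypothetical 32-byte waypoint element (constructed stand-in; the real
 * freedroid struct layout is not given on the page). */
typedef struct {
    float x, y;          /* map position, 8 bytes */
    int suspend;         /* 4 bytes */
    int connections[5];  /* 20 bytes, total 32 */
} waypoint_t;

/* Minimal stand-in for the page's dynarray: a heap buffer plus element count. */
typedef struct { waypoint_t *arr; int size; } waypoint_array;

/* Byte offset of element `index` from the start of the allocation: the value
 * ASan prints as "N bytes to the left/right of the region". */
long element_offset(int index, size_t elem_size)
{
    return (long)index * (long)elem_size;
}

/* Bounds-checked accessor: any index outside [0, size), including a -1
 * "no waypoint" sentinel, yields NULL instead of a redzone read. */
const waypoint_t *waypoint_at(const waypoint_array *a, int index)
{
    if (a == NULL || a->arr == NULL || index < 0 || index >= a->size)
        return NULL;
    return &a->arr[index];
}

/* Constructed sample: three waypoints, the first at the position in the report. */
waypoint_array make_waypoints(void)
{
    waypoint_array a = { calloc(3, sizeof(waypoint_t)), 0 };
    if (a.arr == NULL) return a;
    a.size = 3;
    a.arr[0].x = 41.499306f; a.arr[0].y = 34.778526f;
    a.arr[1].x = 42.0f;      a.arr[1].y = 35.0f;
    a.arr[2].x = 43.0f;      a.arr[2].y = 36.0f;
    return a;
}

int main(void)
{
    waypoint_array wp = make_waypoints();
    printf("index -1 lies %ld bytes before the region\n", element_offset(-1, sizeof(waypoint_t)));
    printf("waypoint_at(-1) -> %s\n", waypoint_at(&wp, -1) ? "pointer" : "NULL");
    free(wp.arr);
    return 0;
}
```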
History
Date User Action Args
2017-02-21 22:38:00 matthiaskrgr create