Issue759

Title: ASAN heap-buffer-overflow when bot stuck in walls
Priority: important
Status: rejected
Assigned To:
Keywords:
Linked issues:
Watchers:

Submitted on 2014-08-15 23h32 by matthiaskrgr, last changed by matthiaskrgr.

Messages
Author: matthiaskrgr Date: 2014-08-15   23h32
when we place a bot inside some obstacles (via editor) where it TOTALLY
cannot walk, we get a heap-buffer-overflow if compiled via -fsanitize=address:

Found robot that seems really stuck on position: 40.183853/40.452507/8.
More details on this robot:  Type=9.
Short Description=493 Spinster.
Private Pathway[0]: 40.183853/40.452507.
Private Pathway[1]:
-1.000000/-1.000000.
=================================================================
==20021==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62500036b0e4
at pc 0x4deb36 bp 0x7fff23184090 sp 0x7fff23184080
READ of size 4 at 0x62500036b0e4 thread T0
    #0 0x4deb35 in enemy_handle_stuck_in_walls
(/home/matthias/vcs/git/freedroid/src/freedroidRPG+0x4deb35)
    #1 0x4e033c in state_machine_inconditional_updates
(/home/matthias/vcs/git/freedroid/src/freedroidRPG+0x4e033c)
    #2 0x4e627f in update_enemy
(/home/matthias/vcs/git/freedroid/src/freedroidRPG+0x4e627f)
    #3 0x4e7140 in move_enemies
(/home/matthias/vcs/git/freedroid/src/freedroidRPG+0x4e7140)
    #4 0x4f7a4d in Game (/home/matthias/vcs/git/freedroid/src/freedroidRPG+0x4f7a4d)
    #5 0x568a98 in TestMap
(/home/matthias/vcs/git/freedroid/src/freedroidRPG+0x568a98)
    #6 0x58cbd3 in DoLevelEditorMainMenu
(/home/matthias/vcs/git/freedroid/src/freedroidRPG+0x58cbd3)
    #7 0x57e485 in leveleditor_process_input
(/home/matthias/vcs/git/freedroid/src/freedroidRPG+0x57e485)
    #8 0x568b6e in LevelEditor
(/home/matthias/vcs/git/freedroid/src/freedroidRPG+0x568b6e)
    #9 0x4f7dbb in main (/home/matthias/vcs/git/freedroid/src/freedroidRPG+0x4f7dbb)
    #10 0x7f6361e01fff in __libc_start_main (/usr/lib/libc.so.6+0x1ffff)
    #11 0x4165fb (/home/matthias/vcs/git/freedroid/src/freedroidRPG+0x4165fb)

0x62500036b0e4 is located 28 bytes to the left of 8128-byte region
[0x62500036b100,0x62500036d0c0)
allocated by thread T0 here:
    #0 0x7f63645dae56 in __interceptor_realloc (/usr/lib/libasan.so.1+0x57e56)
    #1 0x44d694 in dynarray_resize
(/home/matthias/vcs/git/freedroid/src/freedroidRPG+0x44d694)
    #2 0x44daa4 in dynarray_add
(/home/matthias/vcs/git/freedroid/src/freedroidRPG+0x44daa4)
    #3 0x47eaf5 in decode_waypoints
(/home/matthias/vcs/git/freedroid/src/freedroidRPG+0x47eaf5)
    #4 0x4801fe in decode_level
(/home/matthias/vcs/git/freedroid/src/freedroidRPG+0x4801fe)
    #5 0x481050 in LoadShip
(/home/matthias/vcs/git/freedroid/src/freedroidRPG+0x481050)
    #6 0x490976 in prepare_level_editor
(/home/matthias/vcs/git/freedroid/src/freedroidRPG+0x490976)
    #7 0x41b3e3 in Startup_handle
(/home/matthias/vcs/git/freedroid/src/freedroidRPG+0x41b3e3)
    #8 0x41afce in RunSubMenu
(/home/matthias/vcs/git/freedroid/src/freedroidRPG+0x41afce)
    #9 0x41b2c4 in RunMenu
(/home/matthias/vcs/git/freedroid/src/freedroidRPG+0x41b2c4)
    #10 0x41b2d9 in StartupMenu
(/home/matthias/vcs/git/freedroid/src/freedroidRPG+0x41b2d9)
    #11 0x4f7d53 in main
(/home/matthias/vcs/git/freedroid/src/freedroidRPG+0x4f7d53)
    #12 0x7f6361e01fff in __libc_start_main (/usr/lib/libc.so.6+0x1ffff)

SUMMARY: AddressSanitizer: heap-buffer-overflow ??:0 enemy_handle_stuck_in_walls
Shadow bytes around the buggy address:
  0x0c4a800655c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4a800655d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4a800655e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4a800655f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4a80065600: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c4a80065610: fa fa fa fa fa fa fa fa fa fa fa fa[fa]fa fa fa
  0x0c4a80065620: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4a80065630: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4a80065640: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4a80065650: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4a80065660: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Contiguous container OOB:fc
  ASan internal:           fe
==20021==ABORTING


freedroidRPG @ f616c11f2f359fe7cff3c0ce4761eab59faf1c56
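As an added illustration (not code from the freedroidRPG project or from this report), the C below sketches the shape of failure the trace describes: a waypoint index outside the bounds of the dynarray, such as the -1 entry printed as Private Pathway[1], used without a check, so the 4-byte read lands before the heap block that dynarray_resize allocated. The struct dynarray, struct waypoint and the function bodies are constructed assumptions modelled on the frame names in the trace; the real element layout is not on the page. The bounds-checked accessor refuses such an index instead of dereferencing it, and the triage helper turns ASAN's "N bytes to the left" distance into a candidate (element index, field offset) pair for a given element size, which is how one would narrow down which field of which out-of-range element the read touched.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical minimal dynamic array, named after the dynarray_add /
 * dynarray_resize frames in the ASAN trace above; it is constructed for this
 * example and is not freedroidRPG's implementation. */
struct dynarray {
    void *arr;       /* realloc'd element storage (the "8128-byte region") */
    int size;        /* elements in use */
    int capacity;    /* elements allocated */
};

/* Constructed waypoint element; the real layout is not on the page. */
struct waypoint {
    float x;
    float y;
    int num_connections;
};

static void dynarray_resize(struct dynarray *da, int new_capacity, size_t elem_size)
{
    void *p = realloc(da->arr, (size_t)new_capacity * elem_size);
    if (!p) {
        perror("realloc");
        exit(EXIT_FAILURE);
    }
    da->arr = p;
    da->capacity = new_capacity;
}

static void dynarray_add(struct dynarray *da, const void *elem, size_t elem_size)
{
    if (da->size == da->capacity)
        dynarray_resize(da, da->capacity ? da->capacity * 2 : 8, elem_size);
    memcpy((char *)da->arr + (size_t)da->size * elem_size, elem, elem_size);
    da->size++;
}

/* Bounds-checked read: any index outside [0, size) yields NULL instead of a
 * pointer before or past the heap block, so a -1 sentinel can never turn into
 * the "28 bytes to the left" read ASAN reported. */
static const struct waypoint *waypoint_get(const struct dynarray *da, int index)
{
    if (index < 0 || index >= da->size)
        return NULL;
    return (const struct waypoint *)da->arr + index;
}

/* Walk a private pathway of waypoint indices and count the entries that resolve
 * to real waypoints; invalid entries are skipped, never dereferenced. */
static int count_valid_pathway_entries(const struct dynarray *da,
                                       const int *pathway, int len)
{
    int valid = 0;
    for (int i = 0; i < len; i++)
        if (waypoint_get(da, pathway[i]) != NULL)
            valid++;
    return valid;
}

/* Triage helper for an ASAN "N bytes to the left of" message: given that
 * distance and a candidate element size, return the (negative) element index
 * the read fell in and store the byte offset inside that element. */
static int asan_left_offset_to_index(size_t bytes_left, size_t elem_size,
                                     size_t *field_off)
{
    size_t elems_before = (bytes_left + elem_size - 1) / elem_size;
    *field_off = elems_before * elem_size - bytes_left;
    return -(int)elems_before;
}

/* Constructed scenario: one valid waypoint index followed by the -1 entry the
 * report printed as Private Pathway[1]. Returns the number of valid entries. */
static int demo_pathway_lookup(void)
{
    struct dynarray da = { NULL, 0, 0 };
    struct waypoint sample[3] = {
        { 40.18f, 40.45f, 2 }, { 41.0f, 40.0f, 1 }, { 42.5f, 39.0f, 1 }
    };
    for (int i = 0; i < 3; i++)
        dynarray_add(&da, &sample[i], sizeof sample[i]);

    int pathway[2] = { 0, -1 };
    int valid = count_valid_pathway_entries(&da, pathway, 2);
    free(da.arr);
    return valid;
}

int main(void)
{
    size_t off;
    int idx = asan_left_offset_to_index(28, sizeof(struct waypoint), &off);
    printf("valid pathway entries: %d\n", demo_pathway_lookup());
    printf("28 bytes left with %zu-byte elements -> index %d, field offset %zu\n",
           sizeof(struct waypoint), idx, off);
    return 0;
}
```

With a 32-byte element the 28-byte distance maps to index -1, offset 4; with the 12-byte constructed struct it maps to index -3, offset 8. Trying the candidate element sizes of the structs a function actually indexes is a quick way to tell a plain off-by-one from a wildly stale index before opening the debugger.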
Author: matthiaskrgr Date: 2014-08-15   23h35
duplicate
History
Date                 User          Action   Args
2014-08-15 23:35:13  matthiaskrgr  set      status: open -> rejected
                                            messages: + msg2872
2014-08-15 23:32:30  matthiaskrgr  create