Issue 763

Title: ASAN: heap-use-after-free when item breaks down while fighting.
Priority: critical
Status: resolved
Assigned To: fluzz
Keywords:
Linked issues:
Watchers: fluzz

Submitted on 2014-09-14 21h07 by matthiaskrgr, last changed by fluzz.

Messages
Author: matthiaskrgr Date: 2014-09-14   21h07
I was attacking the invader bot with the fork until the fork broke down and the game
crashed due to heap-use-after-free:

==28405==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x632000030688 at pc 0x47c114 bp 0x7fffa47d0c50 sp 0x7fffa47d0c40
READ of size 8 at 0x632000030688 thread T0
    #0 0x47c113 in tux_wants_to_attack_now /home/matthias/vcs/git/freedroid/src/influ.c:161
    #1 0x47c82b in tux_get_move_target_and_attack /home/matthias/vcs/git/freedroid/src/influ.c:412
    #2 0x47d418 in move_tux /home/matthias/vcs/git/freedroid/src/influ.c:694
    #3 0x4a4bce in Game /home/matthias/vcs/git/freedroid/src/main.c:106
    #4 0x418824 in main /home/matthias/vcs/git/freedroid/src/main.c:185
    #5 0x7fde1f5a2fff in __libc_start_main (/usr/lib/libc.so.6+0x1ffff)
    #6 0x41909b (/home/matthias/vcs/git/freedroid/src/freedroidRPG+0x41909b)

0x632000030688 is located 376 bytes to the left of 82593-byte region [0x632000030800,0x632000044aa1)
allocated by thread T0 here:
    #0 0x7fde20e81cd5 in calloc (/usr/lib/libasan.so.1+0x57cd5)
    #1 0x48b31b in MyMalloc /home/matthias/vcs/git/freedroid/src/text_public.c:68
    #2 0x44c93b in lua_item_list_ctor /home/matthias/vcs/git/freedroid/src/luaconfig.c:1154
    #3 0x53a599 in luaD_precall /home/matthias/vcs/git/freedroid/lua/ldo.c:317

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/matthias/vcs/git/freedroid/src/influ.c:161 tux_wants_to_attack_now
Shadow bytes around the buggy address:
  0x0c647fffe080: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c647fffe090: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c647fffe0a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c647fffe0b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c647fffe0c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c647fffe0d0: fa[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c647fffe0e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c647fffe0f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c647fffe100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c647fffe110: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c647fffe120: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Contiguous container OOB:fc
  ASan internal:           fe
==28405==ABORTING


@ 8c0f64812158ed4f62c4aa804bb003bdb192a34d
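As an added illustration of what the report above records (this is not FreedroidRPG code and not the fix that was committed; every name in it is hypothetical): the faulting address lies 376 bytes to the left of the 82593-byte region that lua_item_list_ctor obtained through calloc, and the marked shadow byte is fa, the heap left redzone, so the 8-byte read in tux_wants_to_attack_now starts before the item table rather than inside a freed block (a use-after-free would mark the address fd per the legend). The classic cause of a read into the left redzone is indexing a heap array with a sentinel or stale index, modelled here as a weapon slot cleared to -1 once the weapon breaks. The unchecked lookup reproduces the shape of the report when built with -fsanitize=address; the checked lookup is the shape of a fix.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Detect an ASan build so the crashing path only runs when the sanitizer
 * can catch it (GCC defines __SANITIZE_ADDRESS__, clang offers __has_feature). */
#if defined(__SANITIZE_ADDRESS__)
#  define UNDER_ASAN 1
#elif defined(__has_feature)
#  if __has_feature(address_sanitizer)
#    define UNDER_ASAN 1
#  endif
#endif
#ifndef UNDER_ASAN
#  define UNDER_ASAN 0
#endif

#define NO_ITEM (-1)   /* hypothetical sentinel for "weapon slot is empty" */

struct item_spec {     /* hypothetical: one entry of the item table */
    char name[32];
    int  base_damage;
    int  is_melee;
};

struct item_list {     /* plays the role of the calloc'd region in the report */
    struct item_spec *specs;
    int count;
};

struct player {        /* hypothetical: what the attacker is holding */
    int weapon_index;  /* index into item_list.specs, or NO_ITEM */
};

/* Constructed sample table; in the report this role is played by lua_item_list_ctor. */
static struct item_list make_item_list(void)
{
    struct item_list list;
    list.count = 3;
    list.specs = calloc((size_t)list.count, sizeof *list.specs);
    if (!list.specs) { perror("calloc"); exit(1); }
    strcpy(list.specs[0].name, "fork");    list.specs[0].base_damage = 4; list.specs[0].is_melee = 1;
    strcpy(list.specs[1].name, "laser");   list.specs[1].base_damage = 9; list.specs[1].is_melee = 0;
    strcpy(list.specs[2].name, "nothing"); list.specs[2].base_damage = 0; list.specs[2].is_melee = 0;
    return list;
}

/* The weapon wears out: the slot is cleared to the sentinel, but nothing
 * else is told, so a later lookup still goes straight into the array. */
static void break_weapon(struct player *p) { p->weapon_index = NO_ITEM; }

/* Byte offset, relative to the start of the table, that specs[index] reads.
 * A negative value is the "N bytes to the left of ... region" in the report. */
long table_read_offset(int index) { return (long)index * (long)sizeof(struct item_spec); }

/* Buggy lookup: trusts the slot. With NO_ITEM it reads one item_spec before the
 * region, which ASan reports as heap-buffer-overflow READ in the left redzone (fa). */
int wants_to_attack_buggy(const struct player *p, const struct item_list *l)
{
    return l->specs[p->weapon_index].is_melee;
}

/* Fixed lookup: bounds-check the index before dereferencing. */
int wants_to_attack_fixed(const struct player *p, const struct item_list *l)
{
    if (p->weapon_index < 0 || p->weapon_index >= l->count)
        return 0;                       /* no usable weapon: do not attack */
    return l->specs[p->weapon_index].is_melee;
}

/* Fight, break the fork, look up again. Returns 2 (attacked with the fork,
 * then refused once it broke) when the checked lookup is used. */
int scenario_fixed(void)
{
    struct item_list list = make_item_list();
    struct player tux = { .weapon_index = 0 };
    int before = wants_to_attack_fixed(&tux, &list);
    break_weapon(&tux);
    int after = wants_to_attack_fixed(&tux, &list);
    free(list.specs);
    return before * 2 + after;
}

int main(void)
{
    printf("checked lookup: %d\n", scenario_fixed());
    printf("a stale index of %d would read %ld bytes from the table start\n",
           NO_ITEM, table_read_offset(NO_ITEM));
    if (UNDER_ASAN) {               /* only reproduce the crash when ASan will catch it */
        struct item_list list = make_item_list();
        struct player tux = { .weapon_index = 0 };
        break_weapon(&tux);
        printf("unchecked lookup: %d\n", wants_to_attack_buggy(&tux, &list));
        free(list.specs);
    }
    return 0;
}
```

Build with gcc -fsanitize=address -g and run it to get a left-redzone report of the same shape as the one above (READ before the start of a calloc'd region); without ASan the unchecked path is skipped, since the out-of-bounds read would otherwise silently return whatever bytes precede the allocation.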
Author: fluzz Date: 2014-09-17   07h27
Fixed in commit 3ecf271354fffa81c4cf1c59d8dbf8513f036887
History
Date                 User          Action  Args
2014-09-17 07:27:48  fluzz         set     status: open -> resolved
                                           assignedto: fluzz
                                           messages: + msg2899
                                           nosy: + fluzz
2014-09-14 21:07:00  matthiaskrgr  create