Issue796

Title: editor: ASAN : heap-buffer-overflow ; plant obstacle, select, undo
Priority: release-blocker
Status: resolved
Assigned To: fluzz
Keywords:
Linked issues:
Watchers: fluzz

Submitted on 2015-03-13 22h58 by matthiaskrgr, last changed by fluzz.

Messages
Author: matthiaskrgr Date: 2015-03-13   22h58
If you build with ASAN, launch the editor, plant an obstacle, select it and then
click the undo button, the game crashes:

==10030==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6310000787d8 at pc 0x000000719f08 bp 0x7ffff951a940 sp 0x7ffff951a938
READ of size 8 at 0x6310000787d8 thread T0
ALSA lib pcm.c:7905:(snd_pcm_recover) underrun occurred
    #0 0x719f07 in __get_lvledit_ui_block_invoke_7 /home/matthias/vcs/git/freedroid/src/lvledit/lvledit_widgets.c:380:4
    #1 0x68c98a in group_update /home/matthias/vcs/git/freedroid/src/widgets/widget_group.c:227:4
    #2 0x6a61e8 in LevelEditor /home/matthias/vcs/git/freedroid/src/lvledit/lvledit.c:283:3
    #3 0x5fb979 in main /home/matthias/vcs/git/freedroid/src/main.c:188:4
    #4 0x7fee5ab267ff in __libc_start_main (/usr/lib/libc.so.6+0x207ff)
    #5 0x4ce8f8 in _start (/home/matthias/vcs/git/freedroid/src/freedroidRPG+0x4ce8f8)

0x6310000787d8 is located 40 bytes to the left of 73728-byte region [0x631000078800,0x63100008a800)
allocated by thread T0 here:
    #0 0x4b13b0 in calloc (/home/matthias/vcs/git/freedroid/src/freedroidRPG+0x4b13b0)
    #1 0x50d350 in dynarray_init /home/matthias/vcs/git/freedroid/src/dynarray.c:37:16
    #2 0x567d82 in Init_Game_Data /home/matthias/vcs/git/freedroid/src/init.c:512:2
    #3 0x56b1bf in InitFreedroid /home/matthias/vcs/git/freedroid/src/init.c:1071:2
    #4 0x5fb83b in main /home/matthias/vcs/git/freedroid/src/main.c:152:2
    #5 0x7fee5ab267ff in __libc_start_main (/usr/lib/libc.so.6+0x207ff)

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/matthias/vcs/git/freedroid/src/lvledit/lvledit_widgets.c:380 __get_lvledit_ui_block_invoke_7
Shadow bytes around the buggy address:
  0x0c62800070a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c62800070b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c62800070c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c62800070d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c62800070e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c62800070f0: fa fa fa fa fa fa fa fa fa fa fa[fa]fa fa fa fa
  0x0c6280007100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c6280007110: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c6280007120: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c6280007130: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c6280007140: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  ASan internal:           fe
==10030==ABORTING
@ 51d1e8e9f77f114b1ae509c61e41d381ec4f9b2a
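The report above records an 8-byte read 40 bytes before the start of a region that dynarray_init obtained from calloc. That shape (a fixed-size read just left of a heap region) is the signature of an out-of-range index into an array of 8-byte elements: five elements to the left is what a signed index of -5 would reach. The following is an added example, not FreedroidRPG's dynarray code and not the fix fluzz posted; the struct layout, function names and the -5 index are assumptions. It shows a minimal dynamic array whose element accessor refuses indices outside [0, size) and returns NULL rather than computing a pointer outside the allocation, plus an offset helper that makes the "40 bytes to the left" arithmetic explicit.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Minimal dynamic array (assumed layout for this example, not FreedroidRPG's). */
struct dynarray {
    void *arr;        /* calloc'ed element storage */
    int size;         /* elements currently in use */
    int capacity;     /* elements allocated */
    size_t elem_size; /* bytes per element */
};

/* Allocate room for `capacity` elements of `elem_size` bytes. Returns 1 on success. */
static int dynarray_init(struct dynarray *d, int capacity, size_t elem_size)
{
    if (capacity <= 0 || elem_size == 0)
        return 0;
    d->arr = calloc((size_t)capacity, elem_size);
    if (!d->arr)
        return 0;
    d->size = 0;
    d->capacity = capacity;
    d->elem_size = elem_size;
    return 1;
}

/* Copy one element onto the end, doubling the storage when full. */
static int dynarray_add(struct dynarray *d, const void *elem)
{
    if (d->size == d->capacity) {
        int new_cap = d->capacity * 2;
        void *grown = realloc(d->arr, (size_t)new_cap * d->elem_size);
        if (!grown)
            return 0;
        d->arr = grown;
        d->capacity = new_cap;
    }
    memcpy((char *)d->arr + (size_t)d->size * d->elem_size, elem, d->elem_size);
    d->size++;
    return 1;
}

/* Bounds-checked accessor: only indices in [0, size) yield a pointer.
 * A negative index, or one that refers to an element no longer present,
 * returns NULL instead of a pointer outside the region (which, when
 * dereferenced, is what ASAN reports as heap-buffer-overflow). */
static void *dynarray_member(const struct dynarray *d, int index)
{
    if (!d->arr || index < 0 || index >= d->size)
        return NULL;
    return (char *)d->arr + (size_t)index * d->elem_size;
}

/* Byte offset from the region start that an unchecked index would reach:
 * -5 with 8-byte elements gives -40, matching "40 bytes to the left". */
static long dynarray_offset(const struct dynarray *d, int index)
{
    return (long)index * (long)d->elem_size;
}

static void dynarray_free(struct dynarray *d)
{
    free(d->arr);
    d->arr = NULL;
    d->size = d->capacity = 0;
}

int main(void)
{
    struct dynarray objs;
    uint64_t obj = 42; /* constructed 8-byte element standing in for a pointer-sized slot */

    if (!dynarray_init(&objs, 4, sizeof obj))
        return 1;
    dynarray_add(&objs, &obj);

    printf("index 0  -> %p\n", dynarray_member(&objs, 0));
    printf("index -5 -> %p (would be %ld bytes from region start)\n",
           dynarray_member(&objs, -5), dynarray_offset(&objs, -5));
    dynarray_free(&objs);
    return 0;
}
```

Building this with -fsanitize=address and dereferencing the checked accessor's result never trips ASAN, because the only pointers it hands out lie inside [arr, arr + size * elem_size); a caller that holds an index across an operation that shrinks the array gets NULL and can handle it, rather than reading the left redzone.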
Author: fluzz Date: 2015-04-28   16h44
Fix proposed: http://rb.freedroid.org/r/2188/

Author: fluzz Date: 2015-04-28   19h41
Fixed with commits 5906c79..adb7290
History
Date                 User          Action  Args
2015-04-28 19:41:17  fluzz         set     status: open -> resolved
                                           messages: + msg3137
2015-04-28 16:44:01  fluzz         set     assignedto: fluzz
                                           messages: + msg3133
                                           nosy: + fluzz
2015-03-13 22:58:21  matthiaskrgr  create