Issue 877

Title: buffer overflow when setting max distance to home to large value in editor
Priority: bug    Status: open
Assigned To:     Keywords: editor
Linked issues:   Watchers:

Submitted on 2017-02-21 22h12 by matthiaskrgr, last changed by matthiaskrgr.

Messages
Author: matthiaskrgr   Date: 2017-02-21 22h12
In the editor, when placing a droid, fill up the "Max distance from home" field
with 9s. The value will be set to 1410065407 (for some reason).
Upon playtesting, the game will crash:

=================================================================
==17954==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6290002211e0 at pc 0x000000573bdc bp 0x7ffc7e7adcb0 sp 0x7ffc7e7adca8
READ of size 4 at 0x6290002211e0 thread T0
    #0 0x573bdb in state_machine_situational_transitions /home/matthias/vcs/git/freedroid/src/enemy.c:1526:47
    #1 0x573bdb in update_enemy /home/matthias/vcs/git/freedroid/src/enemy.c:2010
    #2 0x58302b in move_enemies /home/matthias/vcs/git/freedroid/src/enemy.c:2137:3
    #3 0x62168c in Game /home/matthias/vcs/git/freedroid/src/main.c:109:4
    #4 0x6eb526 in TestMap /home/matthias/vcs/git/freedroid/src/lvledit/lvledit.c:252:2
    #5 0x70e2cc in do_level_editor_main_menu /home/matthias/vcs/git/freedroid/src/lvledit/lvledit_menu.c:1014:4
    #6 0x707363 in leveleditor_process_input /home/matthias/vcs/git/freedroid/src/lvledit/lvledit_input.c:193:23
    #7 0x6eb614 in LevelEditor /home/matthias/vcs/git/freedroid/src/lvledit/lvledit.c:279:3
    #8 0x6219b2 in main /home/matthias/vcs/git/freedroid/src/main.c:183:4
    #9 0x7f17d03e2400 in __libc_start_main /usr/src/debug/glibc-2.24-33-ge9e69e4/csu/../csu/libc-start.c:289
    #10 0x431519 in _start (/home/matthias/vcs/git/freedroid/src/freedroidRPG+0x431519)

0x6290002211e0 is located 32 bytes to the left of 16384-byte region [0x629000221200,0x629000225200)
allocated by thread T0 here:
    #0 0x4db0de in realloc /home/matthias/LLVM/LLVM_dev/stage_2/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:79:3
    #1 0x55b38a in dynarray_resize /home/matthias/vcs/git/freedroid/src/dynarray.c:95:17
    #2 0x55b017 in dynarray_add /home/matthias/vcs/git/freedroid/src/dynarray.c:131:3
    #3 0x62ef72 in decode_waypoints /home/matthias/vcs/git/freedroid/src/map.c:939:3
    #4 0x62ef72 in decode_level /home/matthias/vcs/git/freedroid/src/map.c:1117
    #5 0x62af97 in LoadShip /home/matthias/vcs/git/freedroid/src/map.c:1290:23
    #6 0x5cb8e2 in prepare_level_editor /home/matthias/vcs/git/freedroid/src/init.c:621:2
    #7 0x642def in Startup_handle /home/matthias/vcs/git/freedroid/src/menu.c:887:3
    #8 0x648ff9 in RunSubMenu /home/matthias/vcs/git/freedroid/src/menu.c:824:13
    #9 0x6480d7 in RunMenu /home/matthias/vcs/git/freedroid/src/menu.c:853:2
    #10 0x6480d7 in StartupMenu /home/matthias/vcs/git/freedroid/src/menu.c:859
    #11 0x621988 in main /home/matthias/vcs/git/freedroid/src/main.c:173:4
    #12 0x7f17d03e2400 in __libc_start_main /usr/src/debug/glibc-2.24-33-ge9e69e4/csu/../csu/libc-start.c:289

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/matthias/vcs/git/freedroid/src/enemy.c:1526:47 in state_machine_situational_transitions
Shadow bytes around the buggy address:
  0x0c528003c1e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c528003c1f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c528003c200: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c528003c210: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c528003c220: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c528003c230: fa fa fa fa fa fa fa fa fa fa fa fa[fa]fa fa fa
  0x0c528003c240: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c528003c250: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c528003c260: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c528003c270: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c528003c280: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==17954==ABORTING
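Two things in the report above are worth seeing side by side. The "for some reason" value is not random: 9999999999 reduced modulo 2^32 is 1410065407, which is exactly what you get when a ten-digit field is converted through a 32-bit int. And the ASan trace says the crash is a 4-byte read 32 bytes before the start of a heap region that was grown by dynarray_add from decode_waypoints, so some index derived from that number ends up pointing outside the waypoint array. The example below is added here and is not FreedroidRPG's code; it shows the truncating conversion next to a range-checked parser for the field, and a bounds-checked read for a small dynamic array of ints. The field limit of 1000 and the int-array layout are constructed assumptions, since the page does not give the real ones.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Added example, not FreedroidRPG code. The limit below and the array layout
 * are assumptions made for the illustration. */

/* Constructed upper bound for the editor field; the game's real limit is unknown. */
#define MAX_HOME_DISTANCE 1000

/* The unchecked path: converting a ten-digit string through a 32-bit int keeps
 * only the low 32 bits, so "9999999999" becomes 9999999999 mod 2^32 = 1410065407.
 * The cast via unsigned int is well-defined modular arithmetic; atoi() or
 * (int)strtol() on an LP64 build yield the same number in practice. */
int truncating_convert(const char *text)
{
    return (int)(unsigned int)strtoull(text, NULL, 10);
}

/* The checked path: accept only a complete decimal integer within [0, max].
 * Returns true and stores the value in *out, or false without touching *out. */
bool parse_bounded_int(const char *text, long long max, int *out)
{
    char *end = NULL;
    errno = 0;
    long long v = strtoll(text, &end, 10);
    if (end == text || *end != '\0')    /* empty, or trailing garbage such as "12abc" */
        return false;
    if (errno == ERANGE)                /* did not even fit in long long */
        return false;
    if (v < 0 || v > max)               /* outside the accepted range */
        return false;
    *out = (int)v;
    return true;
}

/* A minimal dynamic array of ints with a bounds-checked read. A negative index
 * and an index past the end are both rejected, so the caller never dereferences
 * memory outside the allocation (the report shows a read before the region). */
struct int_dynarray {
    int *items;
    size_t size;
};

bool dynarray_get_checked(const struct int_dynarray *a, long long idx, int *out)
{
    if (idx < 0 || (unsigned long long)idx >= a->size)
        return false;
    *out = a->items[idx];
    return true;
}

/* Wrappers over constructed data so results come back as return values.
 * parse_or_minus1: the parsed field value, or -1 when parse_bounded_int rejects it.
 * waypoint_lookup: element idx of a constructed 16-entry array, or -1 if out of range. */
long long parse_or_minus1(const char *text)
{
    int v = 0;
    return parse_bounded_int(text, MAX_HOME_DISTANCE, &v) ? v : -1;
}

int waypoint_lookup(long long idx)
{
    static int items[16] = { 0, 10, 20, 30, 40, 50, 60, 70,
                             80, 90, 100, 110, 120, 130, 140, 150 };
    struct int_dynarray wp = { items, 16 };
    int out = 0;
    return dynarray_get_checked(&wp, idx, &out) ? out : -1;
}

int main(void)
{
    const char *field = "9999999999";   /* the field filled with 9s, as in the report */
    printf("unchecked conversion: %d\n", truncating_convert(field));
    printf("checked parse: %lld\n", parse_or_minus1(field));
    printf("checked lookup with that index: %d\n", waypoint_lookup(truncating_convert(field)));
    printf("checked lookup with index -8: %d\n", waypoint_lookup(-8));
    return 0;
}
```

The point of the split is that either check alone stops this crash: rejecting the field value at input time keeps the bad number out of the game state, and checking the index at the read keeps a bad number that did get in from turning into a heap read. Building with -fsanitize=address, as the reporter did, is what turns the silent out-of-bounds read into the report quoted above.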
History
Date                 User          Action  Args
2017-02-21 22:12:27  matthiaskrgr  create