When a bot is placed in a pile of obstacles with large collision rectangles, the
game might crash with a heap-buffer-overflow.
Of course, bots should not be placed inside colrects, but perhaps the game could
act a bit more cleverly about this?
Tux looks stuck...ESCAPING just for this frame...
No escape position found around Tux... Looking in position history...
Found robot that seems really stuck on position: 41.499306/34.778526/0.
More details on this robot: Type=6.
Short Description=329 Sparkie.
Private Pathway[0]: 41.499306/34.778526.
Private Pathway[1]: -1.000000/-1.000000.
=================================================================
==20509==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6290002121e0 at pc 0x00000056b93c bp 0x7ffe92b50bf0 sp 0x7ffe92b50be8
READ of size 4 at 0x6290002121e0 thread T0
    #0 0x56b93b in enemy_handle_stuck_in_walls /home/matthias/vcs/git/freedroid/src/enemy.c:1303:63
    #1 0x56f470 in state_machine_inconditional_updates /home/matthias/vcs/git/freedroid/src/enemy.c:1478:2
    #2 0x56f470 in update_enemy /home/matthias/vcs/git/freedroid/src/enemy.c:2007
    #3 0x58307b in move_enemies /home/matthias/vcs/git/freedroid/src/enemy.c:2137:3
    #4 0x6216dc in Game /home/matthias/vcs/git/freedroid/src/main.c:109:4
    #5 0x6eb576 in TestMap /home/matthias/vcs/git/freedroid/src/lvledit/lvledit.c:252:2
    #6 0x70e31c in do_level_editor_main_menu /home/matthias/vcs/git/freedroid/src/lvledit/lvledit_menu.c:1014:4
    #7 0x7073b3 in leveleditor_process_input /home/matthias/vcs/git/freedroid/src/lvledit/lvledit_input.c:193:23
    #8 0x6eb664 in LevelEditor /home/matthias/vcs/git/freedroid/src/lvledit/lvledit.c:279:3
    #9 0x621a02 in main /home/matthias/vcs/git/freedroid/src/main.c:183:4
    #10 0x7f9f5757c400 in __libc_start_main /usr/src/debug/glibc-2.24-33-ge9e69e4/csu/../csu/libc-start.c:289
    #11 0x431519 in _start (/home/matthias/vcs/git/freedroid/src/freedroidRPG+0x431519)

0x6290002121e0 is located 32 bytes to the left of 16384-byte region [0x629000212200,0x629000216200)
allocated by thread T0 here:
    #0 0x4db0de in realloc /home/matthias/LLVM/LLVM_dev/stage_2/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:79:3
    #1 0x55b3da in dynarray_resize /home/matthias/vcs/git/freedroid/src/dynarray.c:95:17
    #2 0x55b067 in dynarray_add /home/matthias/vcs/git/freedroid/src/dynarray.c:131:3
    #3 0x62efc2 in decode_waypoints /home/matthias/vcs/git/freedroid/src/map.c:939:3
    #4 0x62efc2 in decode_level /home/matthias/vcs/git/freedroid/src/map.c:1117
    #5 0x62afe7 in LoadShip /home/matthias/vcs/git/freedroid/src/map.c:1290:23
    #6 0x5cb932 in prepare_level_editor /home/matthias/vcs/git/freedroid/src/init.c:621:2
    #7 0x642e3f in Startup_handle /home/matthias/vcs/git/freedroid/src/menu.c:887:3
    #8 0x649049 in RunSubMenu /home/matthias/vcs/git/freedroid/src/menu.c:824:13
    #9 0x648127 in RunMenu /home/matthias/vcs/git/freedroid/src/menu.c:853:2
    #10 0x648127 in StartupMenu /home/matthias/vcs/git/freedroid/src/menu.c:859
    #11 0x6219d8 in main /home/matthias/vcs/git/freedroid/src/main.c:173:4
    #12 0x7f9f5757c400 in __libc_start_main /usr/src/debug/glibc-2.24-33-ge9e69e4/csu/../csu/libc-start.c:289

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/matthias/vcs/git/freedroid/src/enemy.c:1303:63 in enemy_handle_stuck_in_walls
Shadow bytes around the buggy address:
0x0c528003a3e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c528003a3f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c528003a400: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c528003a410: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c528003a420: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c528003a430: fa fa fa fa fa fa fa fa fa fa fa fa[fa]fa fa fa
0x0c528003a440: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c528003a450: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c528003a460: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c528003a470: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c528003a480: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==20509==ABORTING
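Reading the report: the faulting 4-byte read lands 32 bytes before a region that dynarray_add grew with realloc while decoding waypoints, i.e. exactly one element in front of the array if an element is 32 bytes, and the pathway entry printed just before the abort holds -1/-1. The following C example is added here and is not FreedroidRPG's code; the dynarray, the waypoint layout and the sample values are constructed. It shows the bounds check such an accessor needs: a negative or past-the-end index is reported as "no waypoint" instead of being scaled into a pointer that points into the heap redzone.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed minimal growable array, named after the functions in the
 * sanitizer trace (dynarray_add / dynarray_resize) but NOT FreedroidRPG's
 * own code.  `size` counts the elements in use. */
struct dynarray {
    void *arr;
    int size;
    int capacity;
};

/* Constructed waypoint record.  Eight ints = 32 bytes, so that an index of -1
 * would land exactly 32 bytes before the allocation, the same offset the
 * report shows ("32 bytes to the left of 16384-byte region"). */
struct waypoint {
    int x;
    int y;
    int connections[6];
};

static void dynarray_init(struct dynarray *d, size_t elem_size, int capacity)
{
    d->arr = calloc((size_t)capacity, elem_size);
    d->size = 0;
    d->capacity = capacity;
}

static void dynarray_free(struct dynarray *d)
{
    free(d->arr);
    d->arr = NULL;
    d->size = d->capacity = 0;
}

/* Grow by doubling (realloc, as in the trace) and append one element. */
static void dynarray_add(struct dynarray *d, const void *elem, size_t elem_size)
{
    if (d->size == d->capacity) {
        int new_cap = d->capacity ? d->capacity * 2 : 4;
        d->arr = realloc(d->arr, (size_t)new_cap * elem_size);
        d->capacity = new_cap;
    }
    memcpy((char *)d->arr + (size_t)d->size * elem_size, elem, elem_size);
    d->size++;
}

/* The check the crash is missing: refuse any index outside [0, size).
 * Keeping the index signed lets a -1 "no waypoint" sentinel be rejected
 * as a negative value instead of being turned into a pointer before the
 * buffer.  Returns NULL when the index is not addressable. */
static void *dynarray_member_checked(const struct dynarray *d, int idx, size_t elem_size)
{
    if (idx < 0 || idx >= d->size)
        return NULL;
    return (char *)d->arr + (size_t)idx * elem_size;
}

/* Two constructed waypoints; hypothetical sample data. */
static void build_sample_waypoints(struct dynarray *d)
{
    struct waypoint a = { 10, 11, {0} };
    struct waypoint b = { 20, 21, {0} };
    dynarray_init(d, sizeof(struct waypoint), 1);
    dynarray_add(d, &a, sizeof a);
    dynarray_add(d, &b, sizeof b);
}

/* Look up the x coordinate of the waypoint a private pathway entry points
 * at.  Returns -1 when the entry is the -1 sentinel or otherwise out of
 * range, which is exactly the case that reads before the heap region when
 * left unchecked. */
int sample_lookup(int pathway_idx)
{
    struct dynarray wps;
    build_sample_waypoints(&wps);
    struct waypoint *w = dynarray_member_checked(&wps, pathway_idx, sizeof *w);
    int result = w ? w->x : -1;
    dynarray_free(&wps);
    return result;
}

int main(void)
{
    int idx[] = { -1, 0, 1, 2 };
    for (size_t i = 0; i < sizeof idx / sizeof idx[0]; i++) {
        int x = sample_lookup(idx[i]);
        if (x < 0)
            printf("pathway index %d: refused (out of range)\n", idx[i]);
        else
            printf("pathway index %d: waypoint x=%d\n", idx[i], x);
    }
    return 0;
}
```

Building with `-fsanitize=address` (how the trace above was obtained) is the cheapest way to confirm that a lookup of index -1 no longer touches memory: with the check in place the accessor returns NULL, and ASan stays silent.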