View Issue Details

ID: 0000343
Project: Gameplay + OpenGL
Category: [All Projects] Bug
View Status: public
Last Update: 2017-02-26 18:59
Reporter: Edward-san
Assigned To:
Priority: normal
Severity: minor
Reproducibility: always
Status: resolved
Resolution: fixed
Summary: 0000343: ASAN stack-buffer-overflow reported with gl code
Description:

ASAN report:

=================================================================
==32127==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fffffffc929 at pc 0x7ffff6eda20b bp 0x7fffffffc610 sp 0x7fffffffbdb8
READ of size 13 at 0x7fffffffc929 thread T0
    #0 0x7ffff6eda20a in __interceptor_strlen (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x7020a)
    #1 0xb72711 in MakeKey(char const*) /home/edward-san/zdoom/gzdoom/trunk/src/c_dispatch.cpp:414
    #2 0x118fb86 in FTextureManager::CheckForTexture(char const*, int, unsigned int) /home/edward-san/zdoom/gzdoom/trunk/src/textures/texturemanager.cpp:170
    #3 0x8e42b1 in AdjustSpriteOffsets() /home/edward-san/zdoom/gzdoom/trunk/src/gl/data/gl_data.cpp:112
    #4 0x8e75c2 in gl_InitData() /home/edward-san/zdoom/gzdoom/trunk/src/gl/data/gl_data.cpp:573
    #5 0xabb40b in FGLInterface::Init() /home/edward-san/zdoom/gzdoom/trunk/src/gl/scene/gl_scene.cpp:1321
    #6 0xfad698 in R_Init() /home/edward-san/zdoom/gzdoom/trunk/src/r_utility.cpp:347
    #7 0xbae6e9 in D_DoomMain() /home/edward-san/zdoom/gzdoom/trunk/src/d_main.cpp:2508
    #8 0x634bdb in main /home/edward-san/zdoom/gzdoom/trunk/src/posix/sdl/i_main.cpp:259
    #9 0x7ffff479582f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #10 0x625db8 in _start (/home/edward-san/zdoom/gzdoom/trunk/debug-asan/gzdoom+0x625db8)

Address 0x7fffffffc929 is located in stack of thread T0 at offset 585 in frame
    #0 0x8e40ea in AdjustSpriteOffsets() /home/edward-san/zdoom/gzdoom/trunk/src/gl/data/gl_data.cpp:98

  This frame has 6 object(s):
    [32, 36) 'texno'
    [96, 100) 'lastlump'
    [160, 164) 'sprid'
    [224, 248) 'donotprocess'
    [288, 544) 'sc'
    [576, 585) 'str' <== Memory access at offset 585 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow ??:0 __interceptor_strlen
Shadow bytes around the buggy address:
  0x10007fff78d0: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1
  0x10007fff78e0: 04 f4 f4 f4 f2 f2 f2 f2 04 f4 f4 f4 f2 f2 f2 f2
  0x10007fff78f0: 04 f4 f4 f4 f2 f2 f2 f2 00 00 00 f4 f2 f2 f2 f2
  0x10007fff7900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007fff7910: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x10007fff7920: f2 f2 f2 f2 00[01]f4 f4 f3 f3 f3 f3 00 00 00 00
  0x10007fff7930: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007fff7940: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007fff7950: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007fff7960: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007fff7970: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==32127==ABORTING


gdb backtrace:

#7  0x0000000000b72712 in MakeKey (s=0x7fffffffc920 "MANFA8A2\300/C\001") at /home/edward-san/zdoom/gzdoom/trunk/src/c_dispatch.cpp:414
No locals.
#8  0x000000000118fb87 in FTextureManager::CheckForTexture (this=0x322be20 <TexMan>, name=0x7fffffffc920 "MANFA8A2\300/C\001", usetype=3, flags=0) at /home/edward-san/zdoom/gzdoom/trunk/src/textures/texturemanager.cpp:170
        i = -14688
        firstfound = -1
        firsttype = 13
#9  0x00000000008e42b2 in AdjustSpriteOffsets () at /home/edward-san/zdoom/gzdoom/trunk/src/gl/data/gl_data.cpp:112
        str = "MANFA8A2\300"
        texid = {texnum = 305}
        i = 1660
        lump = -14448
        lastlump = 0
        sprid = -13136
        donotprocess = {Nodes = 0x6020000f2af0, LastFree = 0x6020000f2b00, Size = 1, NumUsed = 0}
        numtex = 3618
#10 0x00000000008e75c3 in gl_InitData () at /home/edward-san/zdoom/gzdoom/trunk/src/gl/data/gl_data.cpp:573
No locals.
#11 0x0000000000abb40c in FGLInterface::Init (this=0x602000032610) at /home/edward-san/zdoom/gzdoom/trunk/src/gl/scene/gl_scene.cpp:1321
No locals.
#12 0x0000000000fad699 in R_Init () at /home/edward-san/zdoom/gzdoom/trunk/src/r_utility.cpp:347
No locals.


Looks like 'str' in function 'AdjustSpriteOffsets' isn't terminated properly, or in any case 'strlen' shouldn't be called on that name. It's a regression from this commit.
Tags: No tags attached.
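The report above comes down to one missing byte: a 9-byte stack buffer `str` receives an 8-character sprite name, nothing writes the terminating NUL, and `MakeKey()` then calls `strlen()`, which keeps reading into the neighbouring stack objects (hence "READ of size 13" and the `\300/C\001` tail in the gdb dump). The following C is an added example and not GZDoom code: `make_key`/`make_key_n` are hypothetical stand-ins for a `strlen()`-based hash such as `MakeKey()`, `build_sprite_name` shows a construction that always writes the terminator, and `lump_name_len` shows a bounded length for raw 8-byte lump names that never reads past the buffer. The sample name bytes in `main()` are constructed to match the values in the report.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Doom lump and sprite names are at most 8 characters and are stored without a
 * terminator in the WAD directory, so any buffer that receives one needs a ninth
 * byte that is explicitly set to NUL before strlen()-based code may see it. */
#define LUMPNAME_LEN 8

/* Hypothetical stand-in for a hash like MakeKey(): case-insensitive FNV-1a over
 * an explicit length. It does not rely on a terminator at all. */
uint32_t make_key_n(const char *s, size_t n) {
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < n; i++) {
        h ^= (uint32_t)toupper((unsigned char)s[i]);
        h *= 16777619u;
    }
    return h;
}

/* The strlen()-based form: walks until it finds a NUL, so an unterminated
 * buffer turns into exactly the out-of-bounds read ASAN reported above. */
uint32_t make_key(const char *s) {
    return make_key_n(s, strlen(s));
}

/* Bounded length: stops at cap bytes even when no NUL is present, so raw
 * 8-byte names can be measured without ever touching byte 9. */
size_t lump_name_len(const char *name, size_t cap) {
    const char *nul = memchr(name, '\0', cap);
    return nul ? (size_t)(nul - name) : cap;
}

/* Build a sprite lump name ("MANF" + frame 'A' + rotation '8' + mirrored
 * frame 'A' + rotation '2' -> "MANFA8A2") into a 9-byte buffer. snprintf()
 * always writes the terminator, so the result is safe for strlen() callers.
 * Returns the number of characters written (without the terminator), or -1
 * if the sprite prefix is not 4 characters or the pieces do not fit.
 * mframe == 0 means "no mirrored frame", giving a 6-character name. */
int build_sprite_name(const char *sprite, char frame, char rot,
                      char mframe, char mrot, char out[LUMPNAME_LEN + 1]) {
    int n;
    if (strlen(sprite) != 4)
        return -1;
    if (mframe != 0)
        n = snprintf(out, LUMPNAME_LEN + 1, "%s%c%c%c%c",
                     sprite, frame, rot, mframe, mrot);
    else
        n = snprintf(out, LUMPNAME_LEN + 1, "%s%c%c", sprite, frame, rot);
    return (n < 0 || n > LUMPNAME_LEN) ? -1 : n;
}

int main(void) {
    char name[LUMPNAME_LEN + 1];
    /* Constructed raw name: all 8 bytes used, no terminator, followed by a
     * stray byte like the \300 seen in the gdb dump. Calling strlen(raw) on
     * this is the bug; lump_name_len() and make_key_n() are the safe forms. */
    char raw[LUMPNAME_LEN + 1] = {'M','A','N','F','A','8','A','2',(char)0xC0};

    build_sprite_name("MANF", 'A', '8', 'A', '2', name);
    printf("%s key=%08x\n", name, make_key(name));
    printf("raw len=%zu key=%08x\n", lump_name_len(raw, LUMPNAME_LEN),
           make_key_n(raw, lump_name_len(raw, LUMPNAME_LEN)));
    return 0;
}
```

Built with `-fsanitize=address`, replacing the `lump_name_len(raw, ...)` call with `strlen(raw)` reproduces the same `stack-buffer-overflow ... __interceptor_strlen` class of report as the one above; the two safe forms keep the key identical to the one computed from the properly terminated `name`.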

Activities

Graf Zahl (administrator), 2017-02-26 18:59, note ~0000788

Ouch. Why do people write crap code like that and then use it in too many places? :(

Issue History

Date Modified Username Field Change
2017-02-26 17:41 Edward-san New Issue
2017-02-26 17:43 Edward-san Description Updated View Revisions
2017-02-26 18:59 Graf Zahl Note Added: 0000788
2017-02-26 18:59 Graf Zahl Status new => resolved
2017-02-26 18:59 Graf Zahl Resolution open => fixed