View Issue Details

ID | Project | Category | View Status | Date Submitted | Last Update
---|---|---|---|---|---
0004985 | Spring engine | General | public | 2015-11-01 01:00 | 2015-11-01 14:37

Reporter | abma
Assigned To | abma
Priority | normal
Severity | crash
Reproducibility | have not tried
Status | resolved
Resolution | fixed
Product Version | 100.0
Target Version | 101.0
Fixed in Version |
Summary | 0004985: stack-buffer-overflow when dgunning
Description |

==9631==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffc7654f01c at pc 0x0000008c7de6 bp 0x7ffc7654efa0 sp 0x7ffc7654ef90
READ of size 4 at 0x7ffc7654f01c thread T0 (unknown)
    #0 0x8c7de5 in float4::operator=(float const*) rts/System/float4.h:31
    #1 0x8c7de5 in GL::Light::SetSpecularColor(float const*) rts/Rendering/GL/Light.h:68
    #2 0x8c7de5 in ParseLight rts/Lua/LuaUnsyncedCtrl.cpp:1124
    #3 0x8c81da in LuaUnsyncedCtrl::AddMapLight(lua_State*) rts/Lua/LuaUnsyncedCtrl.cpp:1177
    #4 0xf0ac75 in luaD_precall(lua_State*, lua_TValue*, int) rts/lib/lua/src/ldo.cpp:320
    #5 0xf2e702 in luaV_execute(lua_State*, int) rts/lib/lua/src/lvm.cpp:613
    #6 0xf0b4cc in luaD_call(lua_State*, lua_TValue*, int) rts/lib/lua/src/ldo.cpp:378
    #7 0xf08bc6 in luaD_rawrunprotected(lua_State*, void (*)(lua_State*, void*), void*) rts/lib/lua/src/ldo.cpp:116
    #8 0xf0b9b3 in luaD_pcall(lua_State*, void (*)(lua_State*, void*), void*, long, long) rts/lib/lua/src/ldo.cpp:464
    #9 0xefe420 in lua_pcall(lua_State*, int, int, int) rts/lib/lua/src/lapi.cpp:833
    #10 0x7b1a7b in ScopedLuaCall rts/Lua/LuaHandle.cpp:296
    #11 0x7b1a7b in CLuaHandle::RunCallInTraceback(lua_State*, LuaHashString const*, int, int, int, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >&, bool) rts/Lua/LuaHandle.cpp:367
    #12 0x7b220c in CLuaHandle::RunCallInTraceback(lua_State*, LuaHashString const&, int, int, int, bool) rts/Lua/LuaHandle.cpp:377
    #13 0x7df19a in CLuaHandle::RunCallIn(lua_State*, LuaHashString const&, int, int) rts/Lua/LuaHandle.h:335
    #14 0x7df19a in CUnsyncedLuaHandle::RecvFromSynced(lua_State*, int) rts/Lua/LuaHandleSynced.cpp:175
    #15 0x7df371 in CSyncedLuaHandle::SendToUnsynced(lua_State*) rts/Lua/LuaHandleSynced.cpp:1246
    #16 0xf0ac75 in luaD_precall(lua_State*, lua_TValue*, int) rts/lib/lua/src/ldo.cpp:320
    #17 0xf2e702 in luaV_execute(lua_State*, int) rts/lib/lua/src/lvm.cpp:613
    #18 0xf0b4cc in luaD_call(lua_State*, lua_TValue*, int) rts/lib/lua/src/ldo.cpp:378
    #19 0xf08bc6 in luaD_rawrunprotected(lua_State*, void (*)(lua_State*, void*), void*) rts/lib/lua/src/ldo.cpp:116
    #20 0xf0b9b3 in luaD_pcall(lua_State*, void (*)(lua_State*, void*), void*, long, long) rts/lib/lua/src/ldo.cpp:464
    #21 0xefe420 in lua_pcall(lua_State*, int, int, int) rts/lib/lua/src/lapi.cpp:833
    #22 0x7b1a7b in ScopedLuaCall rts/Lua/LuaHandle.cpp:296
    #23 0x7b1a7b in CLuaHandle::RunCallInTraceback(lua_State*, LuaHashString const*, int, int, int, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >&, bool) rts/Lua/LuaHandle.cpp:367
    #24 0x7b220c in CLuaHandle::RunCallInTraceback(lua_State*, LuaHashString const&, int, int, int, bool) rts/Lua/LuaHandle.cpp:377
    #25 0x7b3771 in CLuaHandle::RunCallIn(lua_State*, LuaHashString const&, int, int) rts/Lua/LuaHandle.h:335
    #26 0x7b3771 in CLuaHandle::ProjectileCreated(CProjectile const*) rts/Lua/LuaHandle.cpp:1403
    #27 0x138dab2 in CEventHandler::ProjectileCreated(CProjectile const*, int) rts/System/EventHandler.h:575
    #28 0x138dab2 in CProjectileHandler::UpdateProjectileContainer(std::vector<CProjectile*, std::allocator<CProjectile*> >&, bool) rts/Sim/Projectiles/ProjectileHandler.cpp:200
    #29 0x1390ef5 in CProjectileHandler::Update() rts/Sim/Projectiles/ProjectileHandler.cpp:276
    #30 0x53036b in CGame::SimFrame() rts/Game/Game.cpp:1561
    #31 0x77b7ee in CGame::ClientReadNet() rts/Net/NetCommands.cpp:506
    #32 0x542cb3 in CGame::Update() rts/Game/Game.cpp:1005
    #33 0xcf1a9e in SpringApp::Update() rts/System/SpringApp.cpp:949
    #34 0xcfc4af in SpringApp::Run() rts/System/SpringApp.cpp:985
    #35 0xc91f16 in Run(int, char**) rts/System/Main.cpp:48
    #36 0x49e70f in main rts/System/Main.cpp:107
    #37 0x7fad01a93a3f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x20a3f)
    #38 0x4df278 in _start (/mnt/tmp/home/dev/spring/develop/spring+0x4df278)

Address 0x7ffc7654f01c is located in stack of thread T0 (unknown) at offset 44 in frame
    #0 0x8c6cdf in ParseLight rts/Lua/LuaUnsyncedCtrl.cpp:1101

  This frame has 2 object(s):
    [32, 44) 'array' <== Memory access at offset 44 overflows this variable
    [96, 128) '<unknown>'
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow rts/System/float4.h:31 float4::operator=(float const*)
Shadow bytes around the buggy address:
  0x10000eca1db0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10000eca1dc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10000eca1dd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10000eca1de0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10000eca1df0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1
=>0x10000eca1e00: f1 f1 00[04]f4 f4 f2 f2 f2 f2 00 00 00 00 f3 f3
  0x10000eca1e10: f3 f3 f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00
  0x10000eca1e20: f1 f1 f1 f1 00 00 00 00 00 00 00 00 00 00 00 00
  0x10000eca1e30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10000eca1e40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10000eca1e50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:     fa
  Heap right redzone:    fb
  Freed heap region:     fd
  Stack left redzone:    f1
  Stack mid redzone:     f2
  Stack right redzone:   f3
  Stack partial redzone: f4
  Stack after return:    f5
  Stack use after scope: f8
  Global redzone:        f9
  Global init order:     f6
  Poisoned by user:      f7
  Container overflow:    fc
  Array cookie:          ac
  Intra object redzone:  bb
  ASan internal:         fe
==9631==ABORTING
Steps To Reproduce | compile spring 100.0.1-275-g9046711 with -fsanitize=address, dgun
Tags | No tags attached.
Checked infolog.txt for Errors |
Attached Files |
abma (administrator) 2015-11-01 14:37

Fix 88c741446392aa46c97729a1d89b21ab456d6fbf committed to develop branch: fix 0004985: out of bounds access when copying float3 to float4, repo: spring changeset id: 5744
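The trace and the fix note above describe one defect: `float4::operator=(float const*)` reads four floats, but `ParseLight` hands it a 12-byte stack array (`[32, 44) 'array'`, three floats), so the read of `f[3]` lands at offset 44, one element past the end. The following is an added example, not Spring's code or the committed fix: it uses stand-in `float3`/`float4` types with only the fields needed here, reproduces the pointer-taking assignment that ASan flagged, and shows two ways of making the mismatch impossible, array-reference overloads that put the element count in the type (a `float[3]` then cannot bind to the four-element path, and the mistake becomes a compile error) and a runtime-length conversion for data whose size is only known after parsing. The names `Set`, `Float4FromArray`, `Light`, `SetSpecularColor` and `OverflowingIndex` are hypothetical, the RGB input is constructed, and the layout of the stand-in types is an assumption.

```cpp
#include <cassert>
#include <cstddef>
#include <cstdio>

// Added example, not Spring's code: minimal stand-ins for the engine's float3
// and float4 with only the fields needed here (assumed layout: x, y, z[, w]).
struct float3 { float x = 0.f, y = 0.f, z = 0.f; };

struct float4 {
    float x = 0.f, y = 0.f, z = 0.f, w = 1.f;

    // The shape of the assignment at the top of the ASan trace: the operand is
    // a bare pointer, so the length of the source is taken on the caller's word.
    // Handing it a float[3] (an RGB colour) reads f[3], one float past the end
    // of the array: the 4-byte READ at frame offset 44 in the report above
    // ([32, 44) is 12 bytes, i.e. three floats).
    float4& operator=(const float* f) { x = f[0]; y = f[1]; z = f[2]; w = f[3]; return *this; }

    // Safer alternatives (hypothetical names). The array length is part of the
    // parameter type, so a float[3] cannot bind to the 4-element overload and
    // vice versa; a mismatch is rejected by the compiler instead of read past.
    float4& Set(const float (&f)[3], float wDefault) { x = f[0]; y = f[1]; z = f[2]; w = wDefault; return *this; }
    float4& Set(const float (&f)[4]) { x = f[0]; y = f[1]; z = f[2]; w = f[3]; return *this; }
    float4& operator=(const float3& v) { x = v.x; y = v.y; z = v.z; w = 1.f; return *this; }
};

// Runtime-length variant for data whose size is only known once it is parsed
// (e.g. how many entries a Lua table actually held): short inputs get the
// default alpha, longer ones are truncated, and nothing is read beyond n.
float4 Float4FromArray(const float* f, std::size_t n, float wDefault = 1.f) {
    float4 r;
    r.w = wDefault;
    float* dst[4] = { &r.x, &r.y, &r.z, &r.w };
    for (std::size_t i = 0; i < n && i < 4; ++i) *dst[i] = f[i];
    return r;
}

// Stand-in for the light-colour path in the trace: the colour arrives as three
// floats (constructed here; in the engine they come from a Lua table) and is
// stored as a float4 without ever dereferencing a fourth element.
struct Light { float4 specular; };

void SetSpecularColor(Light& l, const float* rgb, std::size_t n) {
    l.specular = Float4FromArray(rgb, n, 1.f);
}

// Reading the ASan frame description: given an object's [begin, end) byte
// range, the faulting offset and the element size, return the element index
// that was accessed, or -1 if the access was in bounds. For "[32, 44) 'array'"
// with access offset 44 and 4-byte floats this is 3, the w component read by
// operator=(const float*).
long OverflowingIndex(long objBegin, long objEnd, long accessOffset, long elemSize) {
    if (elemSize <= 0 || accessOffset < objBegin) return -1;
    long idx = (accessOffset - objBegin) / elemSize;
    long count = (objEnd - objBegin) / elemSize;
    return idx >= count ? idx : -1;
}

int main() {
    const float rgb[3] = { 0.25f, 0.5f, 0.75f };   // constructed input
    Light l;
    SetSpecularColor(l, rgb, 3);
    std::printf("specular = (%g, %g, %g, %g)\n",
                l.specular.x, l.specular.y, l.specular.z, l.specular.w);

    float4 c;
    c.Set(rgb, 0.5f);   // float[3] binds only to the 3-element overload
    // c = rgb;          // compiles (array decays to pointer) and, built with
                         // -fsanitize=address, reproduces the report above
    std::printf("ASan offset 44 in [32, 44) is element %ld\n",
                OverflowingIndex(32, 44, 44, (long)sizeof(float)));
    return 0;
}
```

The general lesson from the trace applies to any `T* ` parameter that stands in for "N elements": the count has to travel with the pointer (a sized span, an array reference, or an explicit length argument), otherwise a caller that supplies a shorter buffer is only caught when the build happens to run under ASan, as here.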
Date Modified | Username | Field | Change |
---|---|---|---|
2015-11-01 01:00 | abma | New Issue | |
2015-11-01 14:37 | abma | Changeset attached | => spring develop 88c74144 |
2015-11-01 14:37 | abma | Note Added: 0015309 | |
2015-11-01 14:37 | abma | Assigned To | => abma |
2015-11-01 14:37 | abma | Status | new => resolved |
2015-11-01 14:37 | abma | Resolution | open => fixed |