2025-07-21 23:06 CEST
  

View Issue Details Jump to Notes ] Issue History ] Print ]
IDProjectCategoryView StatusDate SubmittedLast Update
0005039Spring engineGeneralpublic2016-01-18 02:342016-01-18 03:04
Reporterabma 
Assigned To 
PrioritynormalSeveritycrashReproducibilityhave not tried
StatusresolvedResolutionfixed 
Product Version100.0+git 
Target Version101.0Fixed in Version 
Summary0005039: heap-buffer-overflow in rts/Rendering/Env/BasicTreeDrawer.cpp:404
Descriptionhttp://buildbot.springrts.com/builders/validationtests/builds/5104/steps/validation%20test/logs/stdio
Additional Information==12868==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x622000083e40 at pc 0x000000a3a043 bp 0x7ffd102c7980 sp 0x7ffd102c7970
READ of size 4 at 0x622000083e40 thread T0 (unknown)
    0 0xa3a042 in CBasicTreeDrawer::Draw(float, bool) ../../rts/Rendering/Env/BasicTreeDrawer.cpp:404
    1 0x9347a8 in CBaseGroundDrawer::DrawTrees(bool) const ../../rts/Map/BaseGroundDrawer.cpp:83
    2 0xc0ae3c in CWorldDrawer::DrawOpaqueObjects() const ../../rts/Rendering/WorldDrawer.cpp:265
    3 0xc0c063 in CWorldDrawer::Draw() const ../../rts/Rendering/WorldDrawer.cpp:229
    4 0x53927e in CGame::Draw() ../../rts/Game/Game.cpp:1221
    5 0xd0e035 in SpringApp::Update() ../../rts/System/SpringApp.cpp:964
    6 0xd185cf in SpringApp::Run() ../../rts/System/SpringApp.cpp:996
    7 0xcaabdb in Run(int, char**) ../../rts/System/Main.cpp:48
    8 0x7f645ad32a3f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x20a3f)
    9 0x4d5708 in _start (/tmp/spring/tests/usr/local/bin/spring-headless+0x4d5708)

0x622000083e40 is located 64 bytes to the right of 5376-byte region [0x622000082900,0x622000083e00)
allocated by thread T0 (unknown) here:
    0 0x7f645d5c78b2 in operator new(unsigned long) (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x998b2)
    1 0x13b4302 in __gnu_cxx::new_allocator<CBufferedArchive::FileBuffer>::allocate(unsigned long, void const*) /usr/include/c++/5/ext/new_allocator.h:104
    2 0x13b4302 in std::allocator_traits<std::allocator<CBufferedArchive::FileBuffer> >::allocate(std::allocator<CBufferedArchive::FileBuffer>&, unsigned long) /usr/include/c++/5/bits/alloc_traits.h:360
    3 0x13b4302 in std::_Vector_base<CBufferedArchive::FileBuffer, std::allocator<CBufferedArchive::FileBuffer> >::_M_allocate(unsigned long) /usr/include/c++/5/bits/stl_vector.h:170
    4 0x13b4302 in std::vector<CBufferedArchive::FileBuffer, std::allocator<CBufferedArchive::FileBuffer> >::_M_default_append(unsigned long) /usr/include/c++/5/bits/vector.tcc:557
    5 0x13b3222 in std::vector<CBufferedArchive::FileBuffer, std::allocator<CBufferedArchive::FileBuffer> >::resize(unsigned long) /usr/include/c++/5/bits/stl_vector.h:676
    6 0x13b3222 in CBufferedArchive::GetFile(unsigned int, std::vector<unsigned char, std::allocator<unsigned char> >&) ../../rts/System/FileSystem/Archives/BufferedArchive.cpp:27
    7 0x13a7ffc in IArchive::GetFile(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::vector<unsigned char, std::allocator<unsigned char> >&) ../../rts/System/FileSystem/Archives/IArchive.cpp:60
    8 0xdd2efb in CVFSHandler::LoadFile(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::vector<unsigned char, std::allocator<unsigned char> >&) ../../rts/System/FileSystem/VFSHandler.cpp:170
    9 0xd9ea3f in CFileHandler::TryReadFromModFS(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) ../../rts/System/FileSystem/FileHandler.cpp:100
    10 0xd9fb42 in CFileHandler::Open(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) ../../rts/System/FileSystem/FileHandler.cpp:131
    11 0xda00e6 in CFileHandler::CFileHandler(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) ../../rts/System/FileSystem/FileHandler.cpp:42
    12 0x69627d in CMouseCursor::LoadCursorImage(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, CMouseCursor::ImageData&) ../../rts/Game/UI/MouseCursor.cpp:209
    13 0x697281 in CMouseCursor::BuildFromFileNames(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, int) ../../rts/Game/UI/MouseCursor.cpp:194
    14 0x699ed0 in CMouseCursor::CMouseCursor(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, CMouseCursor::HotSpot) ../../rts/Game/UI/MouseCursor.cpp:60
    15 0x69a0ad in CMouseCursor::New(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, CMouseCursor::HotSpot) ../../rts/Game/UI/MouseCursor.cpp:28
    16 0x6a3658 in CMouseHandler::AssignMouseCursor(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, CMouseCursor::HotSpot, bool) ../../rts/Game/UI/MouseHandler.cpp:880
    17 0x6a4a7f in CMouseHandler::LoadCursors() ../../rts/Game/UI/MouseHandler.cpp:188
    18 0x6a6587 in CMouseHandler::CMouseHandler() ../../rts/Game/UI/MouseHandler.cpp:111
    19 0x53ec05 in CGame::LoadInterface() ../../rts/Game/Game.cpp:571
    20 0x542ed7 in CGame::LoadGame(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, bool) ../../rts/Game/Game.cpp:392
    21 0x59be2e in CLoadScreen::Init() ../../rts/Game/LoadScreen.cpp:131
    22 0x59d060 in CLoadScreen::CreateInstance(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, ILoadSaveHandler*) ../../rts/Game/LoadScreen.cpp:197
    23 0x5b8483 in CPreGame::UpdateClientNet() ../../rts/Game/PreGame.cpp:340
    24 0x5b9eed in CPreGame::Update() ../../rts/Game/PreGame.cpp:172
    25 0xd0dec9 in SpringApp::Update() ../../rts/System/SpringApp.cpp:960
    26 0xd185cf in SpringApp::Run() ../../rts/System/SpringApp.cpp:996
    27 0xcaabdb in Run(int, char**) ../../rts/System/Main.cpp:48
    28 0x7f645ad32a3f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x20a3f)

SUMMARY: AddressSanitizer: heap-buffer-overflow ../../rts/Rendering/Env/BasicTreeDrawer.cpp:404 CBasicTreeDrawer::Draw(float, bool)
Shadow bytes around the buggy address:
  0x0c4480008770: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4480008780: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4480008790: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c44800087a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c44800087b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c44800087c0: fa fa fa fa fa fa fa fa[fa]fa fa fa fa fa fa fa
  0x0c44800087d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c44800087e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c44800087f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4480008800: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4480008810: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable: 00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone: fa
  Heap right redzone: fb
  Freed heap region: fd
  Stack left redzone: f1
  Stack mid redzone: f2
  Stack right redzone: f3
  Stack partial redzone: f4
  Stack after return: f5
  Stack use after scope: f8
  Global redzone: f9
  Global init order: f6
  Poisoned by user: f7
  Container overflow: fc
  Array cookie: ac
  Intra object redzone: bb
  ASan internal: fe
==12868==ABORTING
TagsNo tags attached.
Checked infolog.txt for Errors
Attached Files

-Relationships
+Relationships

-Notes

~0015537

Anonymous (viewer)

2016-01-18 03:04

 Fix 59ff2331723778e31c08e6e5c863d0e362a7775d committed to develop branch: fix 0005039, repo: spring changeset id: 6314
+Notes

-Issue History
Date Modified Username Field Change
2016-01-18 02:34 abma New Issue
2016-01-18 03:04 Changeset attached => spring develop 59ff2331
2016-01-18 03:04 Anonymous Note Added: 0015537
2016-01-18 03:04 Anonymous Status new => resolved
2016-01-18 03:04 Anonymous Resolution open => fixed
+Issue History