2019-08-24 02:38 CEST

ID: 0004985
Project: Spring engine
Category: General
View Status: public
Last Update: 2015-11-01 14:37
Reporter: abma
Assigned To: abma
Priority: normal
Severity: crash
Reproducibility: have not tried
Status: resolved
Resolution: fixed
Product Version: 100.0
Target Version: 101.0
Fixed in Version:
Summary: 0004985: stack-buffer-overflow when dgunning
Description:
==9631==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffc7654f01c at pc 0x0000008c7de6 bp 0x7ffc7654efa0 sp 0x7ffc7654ef90
READ of size 4 at 0x7ffc7654f01c thread T0 (unknown)
    #0 0x8c7de5 in float4::operator=(float const*) rts/System/float4.h:31
    #1 0x8c7de5 in GL::Light::SetSpecularColor(float const*) rts/Rendering/GL/Light.h:68
    #2 0x8c7de5 in ParseLight rts/Lua/LuaUnsyncedCtrl.cpp:1124
    #3 0x8c81da in LuaUnsyncedCtrl::AddMapLight(lua_State*) rts/Lua/LuaUnsyncedCtrl.cpp:1177
    #4 0xf0ac75 in luaD_precall(lua_State*, lua_TValue*, int) rts/lib/lua/src/ldo.cpp:320
    #5 0xf2e702 in luaV_execute(lua_State*, int) rts/lib/lua/src/lvm.cpp:613
    #6 0xf0b4cc in luaD_call(lua_State*, lua_TValue*, int) rts/lib/lua/src/ldo.cpp:378
    #7 0xf08bc6 in luaD_rawrunprotected(lua_State*, void (*)(lua_State*, void*), void*) rts/lib/lua/src/ldo.cpp:116
    #8 0xf0b9b3 in luaD_pcall(lua_State*, void (*)(lua_State*, void*), void*, long, long) rts/lib/lua/src/ldo.cpp:464
    #9 0xefe420 in lua_pcall(lua_State*, int, int, int) rts/lib/lua/src/lapi.cpp:833
    #10 0x7b1a7b in ScopedLuaCall rts/Lua/LuaHandle.cpp:296
    #11 0x7b1a7b in CLuaHandle::RunCallInTraceback(lua_State*, LuaHashString const*, int, int, int, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >&, bool) rts/Lua/LuaHandle.cpp:367
    #12 0x7b220c in CLuaHandle::RunCallInTraceback(lua_State*, LuaHashString const&, int, int, int, bool) rts/Lua/LuaHandle.cpp:377
    #13 0x7df19a in CLuaHandle::RunCallIn(lua_State*, LuaHashString const&, int, int) rts/Lua/LuaHandle.h:335
    #14 0x7df19a in CUnsyncedLuaHandle::RecvFromSynced(lua_State*, int) rts/Lua/LuaHandleSynced.cpp:175
    #15 0x7df371 in CSyncedLuaHandle::SendToUnsynced(lua_State*) rts/Lua/LuaHandleSynced.cpp:1246
    #16 0xf0ac75 in luaD_precall(lua_State*, lua_TValue*, int) rts/lib/lua/src/ldo.cpp:320
    #17 0xf2e702 in luaV_execute(lua_State*, int) rts/lib/lua/src/lvm.cpp:613
    #18 0xf0b4cc in luaD_call(lua_State*, lua_TValue*, int) rts/lib/lua/src/ldo.cpp:378
    #19 0xf08bc6 in luaD_rawrunprotected(lua_State*, void (*)(lua_State*, void*), void*) rts/lib/lua/src/ldo.cpp:116
    #20 0xf0b9b3 in luaD_pcall(lua_State*, void (*)(lua_State*, void*), void*, long, long) rts/lib/lua/src/ldo.cpp:464
    #21 0xefe420 in lua_pcall(lua_State*, int, int, int) rts/lib/lua/src/lapi.cpp:833
    #22 0x7b1a7b in ScopedLuaCall rts/Lua/LuaHandle.cpp:296
    #23 0x7b1a7b in CLuaHandle::RunCallInTraceback(lua_State*, LuaHashString const*, int, int, int, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >&, bool) rts/Lua/LuaHandle.cpp:367
    #24 0x7b220c in CLuaHandle::RunCallInTraceback(lua_State*, LuaHashString const&, int, int, int, bool) rts/Lua/LuaHandle.cpp:377
    #25 0x7b3771 in CLuaHandle::RunCallIn(lua_State*, LuaHashString const&, int, int) rts/Lua/LuaHandle.h:335
    #26 0x7b3771 in CLuaHandle::ProjectileCreated(CProjectile const*) rts/Lua/LuaHandle.cpp:1403
    #27 0x138dab2 in CEventHandler::ProjectileCreated(CProjectile const*, int) rts/System/EventHandler.h:575
    #28 0x138dab2 in CProjectileHandler::UpdateProjectileContainer(std::vector<CProjectile*, std::allocator<CProjectile*> >&, bool) rts/Sim/Projectiles/ProjectileHandler.cpp:200
    #29 0x1390ef5 in CProjectileHandler::Update() rts/Sim/Projectiles/ProjectileHandler.cpp:276
    #30 0x53036b in CGame::SimFrame() rts/Game/Game.cpp:1561
    #31 0x77b7ee in CGame::ClientReadNet() rts/Net/NetCommands.cpp:506
    #32 0x542cb3 in CGame::Update() rts/Game/Game.cpp:1005
    #33 0xcf1a9e in SpringApp::Update() rts/System/SpringApp.cpp:949
    #34 0xcfc4af in SpringApp::Run() rts/System/SpringApp.cpp:985
    #35 0xc91f16 in Run(int, char**) rts/System/Main.cpp:48
    #36 0x49e70f in main rts/System/Main.cpp:107
    #37 0x7fad01a93a3f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x20a3f)
    #38 0x4df278 in _start (/mnt/tmp/home/dev/spring/develop/spring+0x4df278)

Address 0x7ffc7654f01c is located in stack of thread T0 (unknown) at offset 44 in frame
    #0 0x8c6cdf in ParseLight rts/Lua/LuaUnsyncedCtrl.cpp:1101

  This frame has 2 object(s):
    [32, 44) 'array' <== Memory access at offset 44 overflows this variable
    [96, 128) '<unknown>'
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow rts/System/float4.h:31 float4::operator=(float const*)
Shadow bytes around the buggy address:
  0x10000eca1db0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10000eca1dc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10000eca1dd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10000eca1de0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10000eca1df0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1
=>0x10000eca1e00: f1 f1 00[04]f4 f4 f2 f2 f2 f2 00 00 00 00 f3 f3
  0x10000eca1e10: f3 f3 f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00
  0x10000eca1e20: f1 f1 f1 f1 00 00 00 00 00 00 00 00 00 00 00 00
  0x10000eca1e30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10000eca1e40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10000eca1e50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable: 00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone: fa
  Heap right redzone: fb
  Freed heap region: fd
  Stack left redzone: f1
  Stack mid redzone: f2
  Stack right redzone: f3
  Stack partial redzone: f4
  Stack after return: f5
  Stack use after scope: f8
  Global redzone: f9
  Global init order: f6
  Poisoned by user: f7
  Container overflow: fc
  Array cookie: ac
  Intra object redzone: bb
  ASan internal: fe
==9631==ABORTING
Steps To Reproduce:
compile spring 100.0.1-275-g9046711 with -fsanitize=address

dgun
Tags: No tags attached.
Checked infolog.txt for lua Errors
Attached Files

Notes

~0015309

abma (administrator)

Fix 88c741446392aa46c97729a1d89b21ab456d6fbf committed to develop branch: fix 0004985: out of bounds access when copying float3 to float4, repo: spring changeset id: 5744
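The ASan frames and the fix note above point at a copy of a 3-float source into a float4 through float4::operator=(const float*), which reads four floats regardless of how many the caller owns. As an added illustration, not the engine's code or its actual fix (the float3/float4 stand-ins, the FloatSpan helper and the function names are assumptions), here is the raw-pointer pattern beside two length-safe alternatives:

```cpp
#include <cstddef>
// Added example, not the engine's own code: stand-ins for the float3/float4
// types named in the report, plus two ways to make the copy length-safe.
struct float3 { float x, y, z; };
// Sized view over a float array (assumed helper; C++20 std::span would do).
struct FloatSpan {
    const float* data;
    std::size_t size;
    template <std::size_t N>
    FloatSpan(const float (&a)[N]) : data(a), size(N) {}
};

struct float4 {
    float x = 0, y = 0, z = 0, w = 0;
    // Pattern behind the report: a raw pointer cannot say how many floats
    // the caller owns, so this always reads four. Given a 3-float stack
    // array (12 bytes) it reads 4 bytes past the end, the access ASan
    // flagged at offset 44 of ParseLight's 'array'. Kept only for contrast.
    float4& operator=(const float* f) {
        x = f[0]; y = f[1]; z = f[2]; w = f[3];
        return *this;
    }
    // Hardened form 1: a sized view lets a short source be refused.
    bool Assign(FloatSpan s) {
        if (s.size < 4) return false;
        x = s.data[0]; y = s.data[1]; z = s.data[2]; w = s.data[3];
        return true;
    }
    // Hardened form 2: a typed float3 overload sets w deliberately and
    // can never read outside its argument.
    float4& operator=(const float3& v) {
        x = v.x; y = v.y; z = v.z; w = 1.0f;
        return *this;
    }
};

// Mirrors the report: a 3-float specular colour on the stack. Returns true
// when the length-checked copy was refused (the safe outcome).
bool copy_specular_checked(float4& out) {
    const float specular[3] = {0.2f, 0.4f, 0.6f};   // constructed sample
    return !out.Assign(specular);                    // size 3 < 4: refused
}
// Same colour delivered as a float3: w is set explicitly, nothing overread.
float4 copy_specular_typed() {
    float4 out;
    out = float3{0.2f, 0.4f, 0.6f};   // constructed sample
    return out;
}
```

Building the engine with -fsanitize=address, as in the Steps To Reproduce, is what surfaces the raw-pointer variant; the two checked forms fail closed without a sanitizer.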
Issue History
Date Modified Username Field Change
2015-11-01 01:00 abma New Issue
2015-11-01 14:37 abma Changeset attached => spring develop 88c74144
2015-11-01 14:37 abma Note Added: 0015309
2015-11-01 14:37 abma Assigned To => abma
2015-11-01 14:37 abma Status new => resolved
2015-11-01 14:37 abma Resolution open => fixed