2019-12-08 14:33 CET

ID: 0005558
Project: Spring engine
Category: General
View Status: public
Last Update: 2017-05-15 01:05
Reporter: abma
Assigned To: Kloot
Priority: normal
Severity: crash
Reproducibility: have not tried
Status: resolved
Resolution: fixed
Product Version: 103.0 +git
Target Version: 104.0
Fixed in Version: 103.0 +git
Summary: 0005558: heap-buffer-overflow in rts/System/Object.cpp:62
Description:
=================================================================
==6990==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x606002bf45f8 at pc 0xe181b7 bp 0x7ffcbe7e6270 sp 0x7ffcbe7e6268
READ of size 8 at 0x606002bf45f8 thread T0 (spring-main)
    #0 0xe181b6 in CObject::~CObject() rts/System/Object.cpp:62
    #1 0xc6dbb7 in CWorldObject::~CWorldObject() rts/Sim/Objects/WorldObject.h:34
    #2 0x130f6c5 in CSolidObject::~CSolidObject() rts/Sim/Objects/SolidObject.h:100
    #3 0x15c22cc in CUnit::~CUnit() rts/Sim/Units/Unit.cpp:208
    #4 0x163544d in CBuilding::~CBuilding() rts/Sim/Units/UnitTypes/Building.h:17
    #5 0x131ea1c in void spring::SafeDestruct<AMoveType>(AMoveType*&) rts/System/SafeUtil.h:10
    #6 0x161b9ec in void SimObjectMemPool<3808ul>::free<CUnit>(CUnit*&) rts/Sim/Misc/SimObjectMemPool.h:53
    #7 0x1617ddc in CUnitHandler::DeleteUnitNow(CUnit*) rts/Sim/Units/UnitHandler.cpp:209
    #8 0x16178e3 in CUnitHandler::DeleteUnitsNow() rts/Sim/Units/UnitHandler.cpp:179
    #9 0x1618391 in CUnitHandler::Update() rts/Sim/Units/UnitHandler.cpp:242
    #10 0x6403dc in CGame::SimFrame() rts/Game/Game.cpp:1561
    #11 0x883c0f in CGame::ClientReadNet() rts/Net/NetCommands.cpp:511
    #12 0x639d50 in CGame::Update() rts/Game/Game.cpp:1049
    #13 0xe3b93d in SpringApp::Update() rts/System/SpringApp.cpp:861
    #14 0xe3bb4c in SpringApp::Run() rts/System/SpringApp.cpp:892
    #15 0xe06f19 in Run(int, char**) rts/System/Main.cpp:46
    #16 0xe07304 in main rts/System/Main.cpp:95
    #17 0x7fb86d899b44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b44)
    #18 0x5e2406 (/mnt/tmp/home/dev/spring/develop/spring+0x5e2406)

0x606002bf45f8 is located 8 bytes to the left of 64-byte region [0x606002bf4600,0x606002bf4640)
allocated by thread T0 (spring-main) here:
    #0 0x7fb8715749f6 in __interceptor_realloc (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x549f6)
    #1 0x1078642 in spring_lua_alloc(void*, void*, unsigned long, unsigned long) rts/lib/lua/include/LuaUser.cpp:188
    #2 0x104f44b in luaM_realloc_(lua_State*, void*, unsigned long, unsigned long) rts/lib/lua/src/lmem.cpp:81
    #3 0x106830d in luaH_new(lua_State*, int, int) rts/lib/lua/src/ltable.cpp:360
    #4 0x10727aa in luaV_execute(lua_State*, int) rts/lib/lua/src/lvm.cpp:486
    #5 0x104253a in luaD_call(lua_State*, lua_TValue*, int) rts/lib/lua/src/ldo.cpp:378
    #6 0x1031199 in f_call rts/lib/lua/src/lapi.cpp:812
    #7 0x103f9cd in luaD_rawrunprotected(lua_State*, void (*)(lua_State*, void*), void*) rts/lib/lua/src/ldo.cpp:116
    #8 0x1043286 in luaD_pcall(lua_State*, void (*)(lua_State*, void*), void*, long, long) rts/lib/lua/src/ldo.cpp:464
    #9 0x1031381 in lua_pcall(lua_State*, int, int, int) rts/lib/lua/src/lapi.cpp:833
    #10 0x8bc926 in CLuaHandle::RunCallInTraceback(lua_State*, LuaHashString const*, std::string*, int, int, int, bool)::ScopedLuaCall::ScopedLuaCall(CLuaHandle*, lua_State*, char const*, int, int, int, bool) (/mnt/tmp/home/dev/spring/develop/spring+0x8bc926)
    #11 0x8bd3a0 in CLuaHandle::RunCallInTraceback(lua_State*, LuaHashString const*, std::string*, int, int, int, bool) rts/Lua/LuaHandle.cpp:384
    #12 0x8bd565 in CLuaHandle::RunCallInTraceback(lua_State*, LuaHashString const&, int, int, int, bool) rts/Lua/LuaHandle.cpp:394
    #13 0x8bffe7 in CLuaHandle::GameFrame(int) rts/Lua/LuaHandle.cpp:638
    #14 0xdd963b in CEventHandler::GameFrame(int) rts/System/EventHandler.cpp:452
    #15 0x640270 in CGame::SimFrame() rts/Game/Game.cpp:1556
    #16 0x883c0f in CGame::ClientReadNet() rts/Net/NetCommands.cpp:511
    #17 0x639d50 in CGame::Update() rts/Game/Game.cpp:1049
    #18 0xe3b93d in SpringApp::Update() rts/System/SpringApp.cpp:861
    #19 0xe3bb4c in SpringApp::Run() rts/System/SpringApp.cpp:892
    #20 0xe06f19 in Run(int, char**) rts/System/Main.cpp:46
    #21 0xe07304 in main rts/System/Main.cpp:95
    #22 0x7fb86d899b44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b44)

SUMMARY: AddressSanitizer: heap-buffer-overflow rts/System/Object.cpp:62 CObject::~CObject()
Shadow bytes around the buggy address:
  0x0c0c80576860: fd fd fd fd fd fd fd fd fa fa fa fa fd fd fd fd
  0x0c0c80576870: fd fd fd fd fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c0c80576880: fa fa fa fa 00 00 00 00 00 00 00 00 fa fa fa fa
  0x0c0c80576890: fd fd fd fd fd fd fd fa fa fa fa fa 00 00 00 00
  0x0c0c805768a0: 00 00 00 00 fa fa fa fa 00 00 00 00 00 00 00 00
=>0x0c0c805768b0: fa fa fa fa 00 00 00 00 00 00 00 00 fa fa fa[fa]
  0x0c0c805768c0: 00 00 00 00 00 00 00 00 fa fa fa fa fd fd fd fd
  0x0c0c805768d0: fd fd fd fa fa fa fa fa fd fd fd fd fd fd fd fa
  0x0c0c805768e0: fa fa fa fa 00 00 00 00 00 00 00 00 fa fa fa fa
  0x0c0c805768f0: 00 00 00 00 00 00 00 00 fa fa fa fa fd fd fd fd
  0x0c0c80576900: fd fd fd fd fa fa fa fa 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable: 00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone: fa
  Heap right redzone: fb
  Freed heap region: fd
  Stack left redzone: f1
  Stack mid redzone: f2
  Stack right redzone: f3
  Stack partial redzone: f4
  Stack after return: f5
  Stack use after scope: f8
  Global redzone: f9
  Global init order: f6
  Poisoned by user: f7
  Contiguous container OOB:fc
  ASan internal: fe
==6990==ABORTING
Additional Information: Spring engine version: 103.0.1-897-g88d0f3e develop ()
Tags: No tags attached.
Checked infolog.txt for Errors
Attached Files

Relationships
related to 0005556 (resolved, Kloot): heap overflow in testgame

Notes

~0017626

abma (administrator)

0005556 seems not fixed

~0017627

Kloot (developer)

demo, or steps to reproduce it (no luck spamming /give all)

~0017630

Kloot (developer)

d68378c4

Issue History
Date Modified Username Field Change
2017-05-14 23:12 abma New Issue
2017-05-14 23:13 abma Relationship added related to 0005556
2017-05-14 23:13 abma Note Added: 0017626
2017-05-14 23:44 Kloot Note Added: 0017627
2017-05-15 01:05 Kloot Assigned To => Kloot
2017-05-15 01:05 Kloot Status new => resolved
2017-05-15 01:05 Kloot Resolution open => fixed
2017-05-15 01:05 Kloot Fixed in Version => 103.0 +git
2017-05-15 01:05 Kloot Note Added: 0017630