| View Issue Details [ Jump to Notes ] | [ Issue History ] [ Print ] | ||||||||
| ID | Project | Category | View Status | Date Submitted | Last Update | ||||
|---|---|---|---|---|---|---|---|---|---|
| 0005558 | Spring engine | General | public | 2017-05-14 23:12 | 2017-05-15 01:05 | ||||
| Reporter | abma | ||||||||
| Assigned To | Kloot | ||||||||
| Priority | normal | Severity | crash | Reproducibility | have not tried | ||||
| Status | resolved | Resolution | fixed | ||||||
| Product Version | 103.0 +git | ||||||||
| Target Version | 104.0 | Fixed in Version | 103.0 +git | ||||||
| Summary | 0005558: heap-buffer-overflow in rts/System/Object.cpp:62 | ||||||||
| Description | ================================================================= ==6990==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x606002bf45f8 at pc 0xe181b7 bp 0x7ffcbe7e6270 sp 0x7ffcbe7e6268 READ of size 8 at 0x606002bf45f8 thread T0 (spring-main) #0 0xe181b6 in CObject::~CObject() rts/System/Object.cpp:62 #1 0xc6dbb7 in CWorldObject::~CWorldObject() rts/Sim/Objects/WorldObject.h:34 #2 0x130f6c5 in CSolidObject::~CSolidObject() rts/Sim/Objects/SolidObject.h:100 0000003 0x15c22cc in CUnit::~CUnit() rts/Sim/Units/Unit.cpp:208 0000004 0x163544d in CBuilding::~CBuilding() rts/Sim/Units/UnitTypes/Building.h:17 0000005 0x131ea1c in void spring::SafeDestruct<AMoveType>(AMoveType*&) rts/System/SafeUtil.h:10 #6 0x161b9ec in void SimObjectMemPool<3808ul>::free<CUnit>(CUnit*&) rts/Sim/Misc/SimObjectMemPool.h:53 #7 0x1617ddc in CUnitHandler::DeleteUnitNow(CUnit*) rts/Sim/Units/UnitHandler.cpp:209 #8 0x16178e3 in CUnitHandler::DeleteUnitsNow() rts/Sim/Units/UnitHandler.cpp:179 #9 0x1618391 in CUnitHandler::Update() rts/Sim/Units/UnitHandler.cpp:242 0000010 0x6403dc in CGame::SimFrame() rts/Game/Game.cpp:1561 #11 0x883c0f in CGame::ClientReadNet() rts/Net/NetCommands.cpp:511 0000012 0x639d50 in CGame::Update() rts/Game/Game.cpp:1049 0000013 0xe3b93d in SpringApp::Update() rts/System/SpringApp.cpp:861 0000014 0xe3bb4c in SpringApp::Run() rts/System/SpringApp.cpp:892 #15 0xe06f19 in Run(int, char**) rts/System/Main.cpp:46 #16 0xe07304 in main rts/System/Main.cpp:95 #17 0x7fb86d899b44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b44) #18 0x5e2406 (/mnt/tmp/home/dev/spring/develop/spring+0x5e2406) 0x606002bf45f8 is located 8 bytes to the left of 64-byte region [0x606002bf4600,0x606002bf4640) allocated by thread T0 (spring-main) here: #0 0x7fb8715749f6 in __interceptor_realloc (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x549f6) #1 0x1078642 in spring_lua_alloc(void*, void*, unsigned long, unsigned long) rts/lib/lua/include/LuaUser.cpp:188 #2 0x104f44b in luaM_realloc_(lua_State*, void*, unsigned long, unsigned long) rts/lib/lua/src/lmem.cpp:81 0000003 0x106830d in luaH_new(lua_State*, int, int) rts/lib/lua/src/ltable.cpp:360 0000004 0x10727aa in luaV_execute(lua_State*, int) rts/lib/lua/src/lvm.cpp:486 0000005 0x104253a in luaD_call(lua_State*, lua_TValue*, int) rts/lib/lua/src/ldo.cpp:378 #6 0x1031199 in f_call rts/lib/lua/src/lapi.cpp:812 #7 0x103f9cd in luaD_rawrunprotected(lua_State*, void (*)(lua_State*, void*), void*) rts/lib/lua/src/ldo.cpp:116 #8 0x1043286 in luaD_pcall(lua_State*, void (*)(lua_State*, void*), void*, long, long) rts/lib/lua/src/ldo.cpp:464 #9 0x1031381 in lua_pcall(lua_State*, int, int, int) rts/lib/lua/src/lapi.cpp:833 0000010 0x8bc926 in CLuaHandle::RunCallInTraceback(lua_State*, LuaHashString const*, std::string*, int, int, int, bool)::ScopedLuaCall::ScopedLuaCall(CLuaHandle*, lua_State*, char const*, int, int, int, bool) (/mnt/tmp/home/dev/spring/develop/spring+0x8bc926) #11 0x8bd3a0 in CLuaHandle::RunCallInTraceback(lua_State*, LuaHashString const*, std::string*, int, int, int, bool) rts/Lua/LuaHandle.cpp:384 0000012 0x8bd565 in CLuaHandle::RunCallInTraceback(lua_State*, LuaHashString const&, int, int, int, bool) rts/Lua/LuaHandle.cpp:394 0000013 0x8bffe7 in CLuaHandle::GameFrame(int) rts/Lua/LuaHandle.cpp:638 0000014 0xdd963b in CEventHandler::GameFrame(int) rts/System/EventHandler.cpp:452 #15 0x640270 in CGame::SimFrame() rts/Game/Game.cpp:1556 #16 0x883c0f in CGame::ClientReadNet() rts/Net/NetCommands.cpp:511 #17 0x639d50 in CGame::Update() rts/Game/Game.cpp:1049 #18 0xe3b93d in SpringApp::Update() rts/System/SpringApp.cpp:861 #19 0xe3bb4c in SpringApp::Run() rts/System/SpringApp.cpp:892 0000020 0xe06f19 in Run(int, char**) rts/System/Main.cpp:46 #21 0xe07304 in main rts/System/Main.cpp:95 #22 0x7fb86d899b44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b44) SUMMARY: AddressSanitizer: heap-buffer-overflow rts/System/Object.cpp:62 CObject::~CObject() Shadow bytes around the buggy address: 0x0c0c80576860: fd fd fd fd fd fd fd fd fa fa fa fa fd fd fd fd 0x0c0c80576870: fd fd fd fd fa fa fa fa fd fd fd fd fd fd fd fd 0x0c0c80576880: fa fa fa fa 00 00 00 00 00 00 00 00 fa fa fa fa 0x0c0c80576890: fd fd fd fd fd fd fd fa fa fa fa fa 00 00 00 00 0x0c0c805768a0: 00 00 00 00 fa fa fa fa 00 00 00 00 00 00 00 00 =>0x0c0c805768b0: fa fa fa fa 00 00 00 00 00 00 00 00 fa fa fa[fa] 0x0c0c805768c0: 00 00 00 00 00 00 00 00 fa fa fa fa fd fd fd fd 0x0c0c805768d0: fd fd fd fa fa fa fa fa fd fd fd fd fd fd fd fa 0x0c0c805768e0: fa fa fa fa 00 00 00 00 00 00 00 00 fa fa fa fa 0x0c0c805768f0: 00 00 00 00 00 00 00 00 fa fa fa fa fd fd fd fd 0x0c0c80576900: fd fd fd fd fa fa fa fa 00 00 00 00 00 00 00 00 Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Heap right redzone: fb Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack partial redzone: f4 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Contiguous container OOB:fc ASan internal: fe ==6990==ABORTING | ||||||||
| Additional Information | Spring engine version: 103.0.1-897-g88d0f3e develop () | ||||||||
| Tags | No tags attached. | ||||||||
| Checked infolog.txt for Errors | |||||||||
| Attached Files |
| ||||||||
 Relationships |
 Notes |
|
|
abma (administrator) 2017-05-14 23:13 |
0005556 seems not fixed |
|
Kloot (developer) 2017-05-14 23:44 |
demo, or steps to reproduce it (no luck spamming /give all) |
|
Kloot (developer) 2017-05-15 01:05 |
d68378c4 |
| Notes |
| Issue History |
|||
| Date Modified | Username | Field | Change |
|---|---|---|---|
| 2017-05-14 23:12 | abma | New Issue | |
| 2017-05-14 23:13 | abma | Relationship added | related to 0005556 |
| 2017-05-14 23:13 | abma | Note Added: 0017626 | |
| 2017-05-14 23:44 | Kloot | Note Added: 0017627 | |
| 2017-05-15 01:05 | Kloot | Assigned To | => Kloot |
| 2017-05-15 01:05 | Kloot | Status | new => resolved |
| 2017-05-15 01:05 | Kloot | Resolution | open => fixed |
| 2017-05-15 01:05 | Kloot | Fixed in Version | => 103.0 +git |
| 2017-05-15 01:05 | Kloot | Note Added: 0017630 | |
| Issue History |