2020-04-04 00:59 CEST

View Issue Details
ID: 0005927
Project: Spring engine
Category: General
View Status: public
Last Update: 2018-03-14 00:39
Reporter: abma
Assigned To: Kloot
Priority: normal
Severity: crash
Reproducibility: have not tried
Status: resolved
Resolution: fixed
Product Version: 104.0 +git
Target Version: 105.0
Fixed in Version:
Summary: 0005927: validation test: stack-buffer-overflow in rts/Rendering/Fonts/TextWrap.cpp:461
Description:
=================================================================
==19254==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffcebb50638 at pc 0x561c027edf91 bp 0x7ffcebb50410 sp 0x7ffcebb50408
READ of size 4 at 0x7ffcebb50638 thread T0 (spring-main)
    #0 0x561c027edf90 in CTextWrap::SplitTextInWords(std::u8string const&, std::__cxx11::list<CTextWrap::word, std::allocator<CTextWrap::word> >*, std::__cxx11::list<CTextWrap::colorcode, std::allocator<CTextWrap::colorcode> >*) /var/lib/buildbot/slaves/validation/zydox-fedora/build/rts/Rendering/Fonts/TextWrap.cpp:461
    #1 0x561c027ef7c3 in CTextWrap::WrapInPlace(std::u8string&, float, float, float) /var/lib/buildbot/slaves/validation/zydox-fedora/build/rts/Rendering/Fonts/TextWrap.cpp:572
    #2 0x561c027efc14 in CTextWrap::Wrap(std::u8string const&, float, float, float) /var/lib/buildbot/slaves/validation/zydox-fedora/build/rts/Rendering/Fonts/TextWrap.cpp:609
    #3 0x561c0225acb2 in CTextWrap::Wrap(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, float, float, float) (/tmp/spring/tests/usr/local/bin/spring-headless+0x877cb2)
    #4 0x561c0225a0e8 in CInfoConsole::RecordLogMessage(int, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /var/lib/buildbot/slaves/validation/zydox-fedora/build/rts/Game/UI/InfoConsole.cpp:166
    #5 0x561c0296bcc8 in LogSinkHandler::RecordLogMessage(int, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /var/lib/buildbot/slaves/validation/zydox-fedora/build/rts/System/Log/LogSinkHandler.cpp:54
    #6 0x561c0296b9bb in log_sink_record_logSinkHandler /var/lib/buildbot/slaves/validation/zydox-fedora/build/rts/System/Log/LogSinkHandler.cpp:14
    #7 0x561c02961e11 in log_backend_record /var/lib/buildbot/slaves/validation/zydox-fedora/build/rts/System/Log/Backend.cpp:80
    #8 0x561c029656de in log_filter_record /var/lib/buildbot/slaves/validation/zydox-fedora/build/rts/System/Log/DefaultFilter.cpp:209
    #9 0x561c02965a44 in log_frontend_record /var/lib/buildbot/slaves/validation/zydox-fedora/build/rts/System/Log/DefaultFilter.cpp:258
    #10 0x561c02523ef4 in LogMsg /var/lib/buildbot/slaves/validation/zydox-fedora/build/rts/Lua/LuaUtils.cpp:1215
    #11 0x561c02523fd2 in LuaUtils::Echo(lua_State*) /var/lib/buildbot/slaves/validation/zydox-fedora/build/rts/Lua/LuaUtils.cpp:1224
    #12 0x561c024ebf1d in LuaUnsyncedCtrl::Echo(lua_State*) /var/lib/buildbot/slaves/validation/zydox-fedora/build/rts/Lua/LuaUnsyncedCtrl.cpp:404
    #13 0x561c02dcd492 in luaD_precall(lua_State*, lua_TValue*, int) /var/lib/buildbot/slaves/validation/zydox-fedora/build/rts/lib/lua/src/ldo.cpp:320
    #14 0x561c02dfe3ba in luaV_execute(lua_State*, int) /var/lib/buildbot/slaves/validation/zydox-fedora/build/rts/lib/lua/src/lvm.cpp:613
    #15 0x561c02dcdbe8 in luaD_call(lua_State*, lua_TValue*, int) /var/lib/buildbot/slaves/validation/zydox-fedora/build/rts/lib/lua/src/ldo.cpp:378
    #16 0x561c02dbce97 in f_call /var/lib/buildbot/slaves/validation/zydox-fedora/build/rts/lib/lua/src/lapi.cpp:812
    #17 0x561c02dcb12e in luaD_rawrunprotected(lua_State*, void (*)(lua_State*, void*), void*) /var/lib/buildbot/slaves/validation/zydox-fedora/build/rts/lib/lua/src/ldo.cpp:116
    #18 0x561c02dce88e in luaD_pcall(lua_State*, void (*)(lua_State*, void*), void*, long, long) /var/lib/buildbot/slaves/validation/zydox-fedora/build/rts/lib/lua/src/ldo.cpp:464
    #19 0x561c02dbd082 in lua_pcall(lua_State*, int, int, int) /var/lib/buildbot/slaves/validation/zydox-fedora/build/rts/lib/lua/src/lapi.cpp:833
    #20 0x561c0252a1d0 in LuaVFS::Include(lua_State*, bool) /var/lib/buildbot/slaves/validation/zydox-fedora/build/rts/Lua/LuaVFS.cpp:181
    #21 0x561c0252a3a2 in LuaVFS::UnsyncInclude(lua_State*) /var/lib/buildbot/slaves/validation/zydox-fedora/build/rts/Lua/LuaVFS.cpp:201
    #22 0x561c02dcd492 in luaD_precall(lua_State*, lua_TValue*, int) /var/lib/buildbot/slaves/validation/zydox-fedora/build/rts/lib/lua/src/ldo.cpp:320
    #23 0x561c02dfe3ba in luaV_execute(lua_State*, int) /var/lib/buildbot/slaves/validation/zydox-fedora/build/rts/lib/lua/src/lvm.cpp:613
    #24 0x561c02dcdbe8 in luaD_call(lua_State*, lua_TValue*, int) /var/lib/buildbot/slaves/validation/zydox-fedora/build/rts/lib/lua/src/ldo.cpp:378
    #25 0x561c02dbce97 in f_call /var/lib/buildbot/slaves/validation/zydox-fedora/build/rts/lib/lua/src/lapi.cpp:812
    #26 0x561c02dcb12e in luaD_rawrunprotected(lua_State*, void (*)(lua_State*, void*), void*) /var/lib/buildbot/slaves/validation/zydox-fedora/build/rts/lib/lua/src/ldo.cpp:116
    #27 0x561c02dce88e in luaD_pcall(lua_State*, void (*)(lua_State*, void*), void*, long, long) /var/lib/buildbot/slaves/validation/zydox-fedora/build/rts/lib/lua/src/ldo.cpp:464
    #28 0x561c02dbd082 in lua_pcall(lua_State*, int, int, int) /var/lib/buildbot/slaves/validation/zydox-fedora/build/rts/lib/lua/src/lapi.cpp:833
    #29 0x561c023c9b34 in ScopedLuaCall /var/lib/buildbot/slaves/validation/zydox-fedora/build/rts/Lua/LuaHandle.cpp:304
    #30 0x561c023ca6e6 in CLuaHandle::RunCallInTraceback(lua_State*, LuaHashString const*, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >*, int, int, int, bool) /var/lib/buildbot/slaves/validation/zydox-fedora/build/rts/Lua/LuaHandle.cpp:390
    #31 0x561c023ca8cb in CLuaHandle::RunCallInTraceback(lua_State*, LuaHashString const&, int, int, int, bool) /var/lib/buildbot/slaves/validation/zydox-fedora/build/rts/Lua/LuaHandle.cpp:400
    #32 0x561c023cada2 in CLuaHandle::LoadCode(lua_State*, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /var/lib/buildbot/slaves/validation/zydox-fedora/build/rts/Lua/LuaHandle.cpp:444
    #33 0x561c023f0471 in CUnsyncedLuaHandle::Init(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /var/lib/buildbot/slaves/validation/zydox-fedora/build/rts/Lua/LuaHandleSynced.cpp:153
    #34 0x561c02400005 in CLuaHandleSynced::Init(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /var/lib/buildbot/slaves/validation/zydox-fedora/build/rts/Lua/LuaHandleSynced.cpp:1491
    #35 0x561c0245c7d2 in CLuaRules::CLuaRules() /var/lib/buildbot/slaves/validation/zydox-fedora/build/rts/Lua/LuaRules.cpp:56
    #36 0x561c0245c39c in CLuaRules::LoadHandler() /var/lib/buildbot/slaves/validation/zydox-fedora/build/rts/Lua/LuaRules.cpp:34
    #37 0x561c0214c0ea in CLuaRules::LoadFreeHandler() ../../rts/Lua/LuaRules.h:34
    #38 0x561c0213e02b in CGame::LoadLua() /var/lib/buildbot/slaves/validation/zydox-fedora/build/rts/Game/Game.cpp:708
    #39 0x561c0213a634 in CGame::LoadGame(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /var/lib/buildbot/slaves/validation/zydox-fedora/build/rts/Game/Game.cpp:412
    #40 0x561c021a928d in CLoadScreen::Init() /var/lib/buildbot/slaves/validation/zydox-fedora/build/rts/Game/LoadScreen.cpp:136
    #41 0x561c021a99c2 in CLoadScreen::CreateInstance(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, ILoadSaveHandler*) /var/lib/buildbot/slaves/validation/zydox-fedora/build/rts/Game/LoadScreen.cpp:197
    #42 0x561c021a992e in CLoadScreen::CreateDeleteInstance(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, ILoadSaveHandler*) /var/lib/buildbot/slaves/validation/zydox-fedora/build/rts/Game/LoadScreen.cpp:183
    #43 0x561c021bb82b in CPreGame::UpdateClientNet() /var/lib/buildbot/slaves/validation/zydox-fedora/build/rts/Game/PreGame.cpp:379
    #44 0x561c021b9c1e in CPreGame::Update() /var/lib/buildbot/slaves/validation/zydox-fedora/build/rts/Game/PreGame.cpp:184
    #45 0x561c028779c1 in SpringApp::Update() /var/lib/buildbot/slaves/validation/zydox-fedora/build/rts/System/SpringApp.cpp:774
    #46 0x561c02877c4a in SpringApp::Run() /var/lib/buildbot/slaves/validation/zydox-fedora/build/rts/System/SpringApp.cpp:808
    #47 0x561c0284926d in Run(int, char**) /var/lib/buildbot/slaves/validation/zydox-fedora/build/rts/System/Main.cpp:43
    #48 0x561c02849317 in main /var/lib/buildbot/slaves/validation/zydox-fedora/build/rts/System/Main.cpp:92
    #49 0x7f47482222e0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202e0)
    #50 0x561c020e6599 in _start (/tmp/spring/tests/usr/local/bin/spring-headless+0x703599)

Address 0x7ffcebb50638 is located in stack of thread T0 (spring-main) at offset 120 in frame
    #0 0x561c027ef671 in CTextWrap::WrapInPlace(std::u8string&, float, float, float) /var/lib/buildbot/slaves/validation/zydox-fedora/build/rts/Rendering/Fonts/TextWrap.cpp:557

  This frame has 2 object(s):
    [32, 56) 'words'
    [96, 120) 'colorcodes' <== Memory access at offset 120 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow /var/lib/buildbot/slaves/validation/zydox-fedora/build/rts/Rendering/Fonts/TextWrap.cpp:461 in CTextWrap::SplitTextInWords(std::u8string const&, std::__cxx11::list<CTextWrap::word, std::allocator<CTextWrap::word> >*, std::__cxx11::list<CTextWrap::colorcode, std::allocator<CTextWrap::colorcode> >*)
Shadow bytes around the buggy address:
  0x10001d762070: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10001d762080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10001d762090: 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1 04 f4
  0x10001d7620a0: f4 f4 f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00
  0x10001d7620b0: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 00 00 f4
=>0x10001d7620c0: f2 f2 f2 f2 00 00 00[f4]f3 f3 f3 f3 00 00 00 00
  0x10001d7620d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10001d7620e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10001d7620f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10001d762100: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1
  0x10001d762110: 00 f4 f4 f4 f2 f2 f2 f2 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable: 00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone: fa
  Heap right redzone: fb
  Freed heap region: fd
  Stack left redzone: f1
  Stack mid redzone: f2
  Stack right redzone: f3
  Stack partial redzone: f4
  Stack after return: f5
  Stack use after scope: f8
  Global redzone: f9
  Global init order: f6
  Poisoned by user: f7
  Container overflow: fc
  Array cookie: ac
  Intra object redzone: bb
  ASan internal: fe
  Left alloca redzone: ca
  Right alloca redzone: cb
==19254==ABORTING
Additional Information: https://buildbot.springrts.com/builders/validationtests/builds/5694/steps/validation%20test_1/logs/stdio
Tags: No tags attached.
Checked infolog.txt for Errors:
Attached Files:
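The ASan report above carries three facts a triager wants to cross-check before reading the source: the faulting application address, the shadow byte that made ASan fire, and the frame object the access runs past. The script below is an added example for this page, not code from the Spring engine or from the issue tracker. It parses the "=>" shadow row and the frame-layout lines copied from the description, reconstructs the faulting address with the x86-64 Linux shadow mapping shadow = (addr >> 3) + 0x7fff8000 (that offset is the platform default and is assumed here; the report does not print it), decodes the bracketed byte with the legend ASan prints, and checks the reported frame offset against the object bounds. All function names are the example's own.

```python
"""Decode the key facts of an AddressSanitizer stack-buffer-overflow report.

Added example for issue 0005927, not Spring engine code. Assumes the default
x86-64 Linux shadow mapping: shadow = (addr >> 3) + 0x7fff8000.
"""
import re

SHADOW_OFFSET = 0x7FFF8000   # default x86-64 Linux shadow base (assumption)
SHADOW_SCALE = 3             # one shadow byte covers 8 application bytes

# Subset of the legend ASan appends to every report.
LEGEND = {
    0x00: "addressable",
    0xF1: "stack left redzone",
    0xF2: "stack mid redzone",
    0xF3: "stack right redzone",
    0xF4: "stack partial redzone",
    0xF5: "stack after return",
    0xF8: "stack use after scope",
    0xFA: "heap left redzone",
    0xFB: "heap right redzone",
    0xFD: "freed heap region",
}
for _k in range(1, 8):       # 01..07: only the first k of the 8 bytes are addressable
    LEGEND[_k] = f"partially addressable ({_k} of 8 bytes)"

# Lines copied from the report on this page: the marked shadow row and the frame layout.
REPORT = """\
=>0x10001d7620c0: f2 f2 f2 f2 00 00 00[f4]f3 f3 f3 f3 00 00 00 00
  This frame has 2 object(s):
    [32, 56) 'words'
    [96, 120) 'colorcodes' <== Memory access at offset 120 overflows this variable
"""


def shadow_to_app(shadow_addr: int) -> int:
    """Invert ASan's MEM_TO_SHADOW: app = (shadow - offset) << scale."""
    return (shadow_addr - SHADOW_OFFSET) << SHADOW_SCALE


def parse_marked_row(report: str):
    """Return (app address of the bracketed byte, shadow value, legend text)."""
    row = next(line for line in report.splitlines() if line.startswith("=>"))
    base_hex, rest = row[2:].split(":", 1)
    base = int(base_hex, 16)
    # Each token is two hex digits; the buggy one is wrapped in [..].
    tokens = re.findall(r"\[?[0-9a-f]{2}\]?", rest)
    idx = next(i for i, tok in enumerate(tokens) if tok.startswith("["))
    value = int(tokens[idx].strip("[]"), 16)
    return shadow_to_app(base + idx), value, LEGEND.get(value, "unknown")


def parse_frame_objects(report: str):
    """Return [(lo, hi, name)] from the 'This frame has N object(s)' listing."""
    return [(int(lo), int(hi), name)
            for lo, hi, name in re.findall(r"\[(\d+), (\d+)\) '([^']+)'", report)]


def classify_access(offset: int, size: int, objects) -> str:
    """Name the object that [offset, offset+size) lies in, or the one it overruns."""
    for lo, hi, name in objects:
        if lo <= offset and offset + size <= hi:
            return f"inside '{name}'"
    for lo, hi, name in objects:
        if offset == hi:
            return f"overflows '{name}' ({size} byte(s) read just past [{lo}, {hi}))"
    return "in a redzone not adjacent to any object"


def triage(report: str, frame_offset: int, access_size: int) -> dict:
    """Combine the three checks into one summary for the report's faulting access."""
    app, value, meaning = parse_marked_row(report)
    return {
        "app_addr": app,
        "shadow_byte": value,
        "meaning": meaning,
        "verdict": classify_access(frame_offset, access_size, parse_frame_objects(report)),
    }


if __name__ == "__main__":
    # Frame offset 120 and READ of size 4 are taken from the report text.
    r = triage(REPORT, frame_offset=120, access_size=4)
    print(f"faulting address 0x{r['app_addr']:x}: shadow 0x{r['shadow_byte']:02x} = {r['meaning']}")
    print("access", r["verdict"])
```

Run stand-alone, the script recovers 0x7ffcebb50638 from the shadow row, which matches the address in the first line of the report, and reports the 4-byte read as starting exactly at the end of the 24-byte `colorcodes` object. Twenty-four bytes is the size of a libstdc++ `std::list` on x86-64, consistent with the `std::list<colorcode>*` parameter of `SplitTextInWords` in frame #0; the page does not include the source or the fix diff, so the exact field being read is not established here.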

Relationships

Notes

~0018891
Kloot (developer)
Fix 6e782ba76860c0041539f189fdb33f5f079f389e committed to develop branch: fix 0005927, repo: spring changeset id: 9811

~0018892
Kloot (developer)
Fix f737dbd263d8c607714bbd6d24d3bc26dbbba07f committed to maintenance branch: fix 0005927, repo: spring changeset id: 9812

Issue History
Date Modified | Username | Field | Change
2018-03-14 00:29 abma New Issue
2018-03-14 00:38 Kloot Changeset attached => spring develop 6e782ba7
2018-03-14 00:38 Kloot Note Added: 0018891
2018-03-14 00:38 Kloot Assigned To => Kloot
2018-03-14 00:38 Kloot Status new => resolved
2018-03-14 00:38 Kloot Resolution open => fixed
2018-03-14 00:39 Kloot Changeset attached => spring maintenance f737dbd2
2018-03-14 00:39 Kloot Note Added: 0018892