Bug #769012
gtk3 client heap-buffer-overflow reported by asan
Description
This occurs right when game start in client.
./client/freeciv-gtk3.22
You are running Freeciv without using iconv. Unless
you are using the UTF-8 character set, some characters
may not be displayed properly. You can download iconv
at http://gnu.org/.
3: Loading tileset "hexemplio".
=================================================================
==89938==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000326035 at pc 0x7fcfe08e9203 bp 0x7ffe22c1c6b0 sp 0x7ffe22c1be60
READ of size 2 at 0x602000326035 thread T0
#0 0x7fcfe08e9202 (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x71202)
#1 0x7fcfe095bd07 (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xe3d07)
#2 0x7fcfe08e938b (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x7138b)
#3 0x7fcfe0915015 in vsnprintf (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x9d015)
#4 0x55b015e229da in fc_vsnprintf (/home/zeko/freeciv/client/freeciv-gtk3.22+0x79d9da)
#5 0x55b015e22bbf in fc_snprintf (/home/zeko/freeciv/client/freeciv-gtk3.22+0x79dbbf)
#6 0x55b015876406 in menu_entry_init (/home/zeko/freeciv/client/freeciv-gtk3.22+0x1f1406)
#7 0x55b015876b2d in setup_menus (/home/zeko/freeciv/client/freeciv-gtk3.22+0x1f1b2d)
#8 0x55b01585d9c1 in enable_menus (/home/zeko/freeciv/client/freeciv-gtk3.22+0x1d89c1)
#9 0x55b0158929af in real_set_client_page (/home/zeko/freeciv/client/freeciv-gtk3.22+0x20d9af)
#10 0x55b0159e4737 in set_client_page_callback (/home/zeko/freeciv/client/freeciv-gtk3.22+0x35f737)
#11 0x55b0159e40b7 in update_unqueue (/home/zeko/freeciv/client/freeciv-gtk3.22+0x35f0b7)
#12 0x55b0158620fc in idle_callback_wrapper (/home/zeko/freeciv/client/freeciv-gtk3.22+0x1dd0fc)
#13 0x7fcfdb7f0e34 in g_main_context_dispatch (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x4ae34)
#14 0x7fcfdb7f11ff (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x4b1ff)
#15 0x7fcfdb7f1511 in g_main_loop_run (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x4b511)
#16 0x7fcfdd3954c4 in gtk_main (/usr/lib/x86_64-linux-gnu/libgtk-3.so.0+0x2304c4)
#17 0x55b01586142d in ui_main (/home/zeko/freeciv/client/freeciv-gtk3.22+0x1dc42d)
#18 0x55b0158bf252 in client_main (/home/zeko/freeciv/client/freeciv-gtk3.22+0x23a252)
#19 0x55b0158603f9 in main (/home/zeko/freeciv/client/freeciv-gtk3.22+0x1db3f9)
#20 0x7fcfdb20a2b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
#21 0x55b01585ac99 in _start (/home/zeko/freeciv/client/freeciv-gtk3.22+0x1d5c99)
0x602000326035 is located 0 bytes to the right of 5-byte region [0x602000326030,0x602000326035)
allocated by thread T0 here:
#0 0x7fcfe0951c20 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xd9c20)
#1 0x7fcfdb7f6588 in g_malloc (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x50588)
SUMMARY: AddressSanitizer: heap-buffer-overflow (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x71202)
Shadow bytes around the buggy address:
0x0c048005cbb0: fa fa fd fa fa fa fd fd fa fa fd fd fa fa 00 07
0x0c048005cbc0: fa fa fd fd fa fa 00 02 fa fa fd fd fa fa 00 02
0x0c048005cbd0: fa fa 00 07 fa fa 00 02 fa fa fd fd fa fa 00 02
0x0c048005cbe0: fa fa fd fa fa fa fd fd fa fa 00 07 fa fa fd fd
0x0c048005cbf0: fa fa fd fd fa fa 00 07 fa fa 00 02 fa fa fd fd
=>0x0c048005cc00: fa fa 05 fa fa fa[05]fa fa fa 00 02 fa fa fd fa
0x0c048005cc10: fa fa fd fd fa fa fd fd fa fa 00 02 fa fa fd fd
0x0c048005cc20: fa fa 06 fa fa fa 06 fa fa fa fd fd fa fa fd fa
0x0c048005cc30: fa fa 00 02 fa fa 00 04 fa fa fd fd fa fa fd fd
0x0c048005cc40: fa fa fd fa fa fa 00 07 fa fa 00 07 fa fa fd fd
0x0c048005cc50: fa fa 00 07 fa fa fd fd fa fa fd fd fa fa fd fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==89938==ABORTING
History
#1
Updated by Zoltán Žarkov over 2 years ago
I have not gone up the call stack to figure out what this is doing: fc_snprintf(buf, sizeof(buf), "<MENU>/%s", key + strlen("MENU_"));
But it is certainly wrong when key = "QUIT" and you try to reference key+5.
#2
Updated by Marko Lindqvist over 2 years ago
Zoltán Žarkov wrote:
I have not gone up the call stack to figure out what this is doing:
fc_snprintf(buf, sizeof(buf), "<MENU>/%s", key + strlen("MENU_"));
But it is certainly wrong when key = "QUIT" and you try to reference key+5.
Yeah, it should be done only when key is prefixed with "MENU_" (i.e., for submenus)
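The following is an example added by the editor, not code from the Freeciv tree or from either commenter. It puts the unconditional `key + strlen("MENU_")` offset quoted in comment #1 beside the check Marko describes (skip the prefix only when the key actually starts with "MENU_"). The function names `build_menu_path_unchecked`, `menu_prefix_skip`, `build_menu_path` and `menu_path_equals` are hypothetical stand-ins for the `fc_snprintf` call in `menu_entry_init`; the key "QUIT" is heap-allocated with `strdup` so that, compiled with `-fsanitize=address` and run with `--repro`, the unchecked version produces the same kind of 5-byte heap-buffer-overflow READ shown in the report.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MENU_PREFIX "MENU_"

/* Hypothetical stand-in for the snippet quoted in comment #1: the offset
 * strlen("MENU_") is applied to every key. For a key shorter than five
 * bytes, such as the heap-allocated "QUIT" (5-byte region: Q U I T NUL),
 * key + 5 points one past the terminating NUL and snprintf's "%s" reads
 * out of bounds. Only called from main() when --repro is given. */
static int build_menu_path_unchecked(char *buf, size_t bufsize, const char *key)
{
    return snprintf(buf, bufsize, "<MENU>/%s", key + strlen(MENU_PREFIX));
}

/* Bytes to skip: the prefix length when the key really starts with "MENU_",
 * otherwise 0. strncmp stops at the first NUL, so a key shorter than the
 * prefix is compared safely and never yields a pointer past its end. */
size_t menu_prefix_skip(const char *key)
{
    const size_t plen = strlen(MENU_PREFIX);
    return strncmp(key, MENU_PREFIX, plen) == 0 ? plen : 0;
}

/* Hardened version: strip the prefix only when present. Returns what
 * snprintf would have written (so callers can detect truncation), or -1
 * on bad arguments. */
int build_menu_path(char *buf, size_t bufsize, const char *key)
{
    if (buf == NULL || key == NULL || bufsize == 0) {
        return -1;
    }
    return snprintf(buf, bufsize, "<MENU>/%s", key + menu_prefix_skip(key));
}

/* Helper for checking results: builds the path for key into a bufsize-byte
 * window of a local buffer and reports whether it equals expected. */
int menu_path_equals(const char *key, size_t bufsize, const char *expected)
{
    char buf[64];
    if (bufsize > sizeof buf) {
        return 0;
    }
    if (build_menu_path(buf, bufsize, key) < 0) {
        return 0;
    }
    return strcmp(buf, expected) == 0;
}

int main(int argc, char **argv)
{
    char buf[64];
    /* Constructed input: heap-allocate the short key so that reading past it
     * is a heap-buffer-overflow, as in the report, not a read of stack data. */
    char *key = strdup("QUIT");
    if (key == NULL) {
        return 1;
    }

    build_menu_path(buf, sizeof buf, key);
    printf("checked:   %s\n", buf);
    build_menu_path(buf, sizeof buf, "MENU_GAME");
    printf("checked:   %s\n", buf);

    /* Reproduce the report on request only: build with -fsanitize=address
     * and run "./a.out --repro". */
    if (argc > 1 && strcmp(argv[1], "--repro") == 0) {
        build_menu_path_unchecked(buf, sizeof buf, key);
        printf("unchecked: %s\n", buf);
    }
    free(key);
    return 0;
}
```

Note that the check also covers a key that equals the prefix minus its last character ("MENU"): `strncmp` sees the NUL before the underscore and returns non-zero, so no offset is applied. Comment #3 takes the other route of dropping the offset altogether, which is equally safe since no pointer arithmetic on the key remains.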
#3
Updated by Zoltán Žarkov over 1 year ago
- File 0001-Fix-heap-buffer-overflow-when-stripping-string-prefi.patch added
It's not clear to me why it's necessary to even strip a MENU_ prefix, so I just removed the offset.
#4
Updated by Marko Lindqvist over 1 year ago
- File 0029-Fix-heap-buffer-overflow-when-stripping-string-prefi.patch added
- File 0015-Fix-heap-buffer-overflow-when-stripping-string-prefi.patch added
- Category set to gui-gtk-3.22
- Status changed from New to Resolved
- Sprint/Milestone set to 2.6.1
- S3_0 and S2_6 versions
#5
Updated by Marko Lindqvist over 1 year ago
- Status changed from Resolved to Closed
- Assignee set to Marko Lindqvist