
Bug #769012

gtk3 client heap-buffer-overflow reported by asan

Added by Zoltán Žarkov over 2 years ago. Updated over 1 year ago.

Status: Closed
Priority: Normal
Category: gui-gtk-3.22
Sprint/Milestone:
Start date:
Due date:
% Done: 0%
Estimated time:

Description

This occurs right when the game starts in the client.

./client/freeciv-gtk3.22
You are running Freeciv without using iconv. Unless
you are using the UTF-8 character set, some characters
may not be displayed properly. You can download iconv
at http://gnu.org/.
3: Loading tileset "hexemplio".
=================================================================
==89938==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000326035 at pc 0x7fcfe08e9203 bp 0x7ffe22c1c6b0 sp 0x7ffe22c1be60
READ of size 2 at 0x602000326035 thread T0
#0 0x7fcfe08e9202 (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x71202)
#1 0x7fcfe095bd07 (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xe3d07)
#2 0x7fcfe08e938b (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x7138b)
#3 0x7fcfe0915015 in vsnprintf (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x9d015)
#4 0x55b015e229da in fc_vsnprintf (/home/zeko/freeciv/client/freeciv-gtk3.22+0x79d9da)
#5 0x55b015e22bbf in fc_snprintf (/home/zeko/freeciv/client/freeciv-gtk3.22+0x79dbbf)
#6 0x55b015876406 in menu_entry_init (/home/zeko/freeciv/client/freeciv-gtk3.22+0x1f1406)
#7 0x55b015876b2d in setup_menus (/home/zeko/freeciv/client/freeciv-gtk3.22+0x1f1b2d)
#8 0x55b01585d9c1 in enable_menus (/home/zeko/freeciv/client/freeciv-gtk3.22+0x1d89c1)
#9 0x55b0158929af in real_set_client_page (/home/zeko/freeciv/client/freeciv-gtk3.22+0x20d9af)
#10 0x55b0159e4737 in set_client_page_callback (/home/zeko/freeciv/client/freeciv-gtk3.22+0x35f737)
#11 0x55b0159e40b7 in update_unqueue (/home/zeko/freeciv/client/freeciv-gtk3.22+0x35f0b7)
#12 0x55b0158620fc in idle_callback_wrapper (/home/zeko/freeciv/client/freeciv-gtk3.22+0x1dd0fc)
#13 0x7fcfdb7f0e34 in g_main_context_dispatch (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x4ae34)
#14 0x7fcfdb7f11ff (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x4b1ff)
#15 0x7fcfdb7f1511 in g_main_loop_run (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x4b511)
#16 0x7fcfdd3954c4 in gtk_main (/usr/lib/x86_64-linux-gnu/libgtk-3.so.0+0x2304c4)
#17 0x55b01586142d in ui_main (/home/zeko/freeciv/client/freeciv-gtk3.22+0x1dc42d)
#18 0x55b0158bf252 in client_main (/home/zeko/freeciv/client/freeciv-gtk3.22+0x23a252)
#19 0x55b0158603f9 in main (/home/zeko/freeciv/client/freeciv-gtk3.22+0x1db3f9)
#20 0x7fcfdb20a2b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
#21 0x55b01585ac99 in _start (/home/zeko/freeciv/client/freeciv-gtk3.22+0x1d5c99)

0x602000326035 is located 0 bytes to the right of 5-byte region [0x602000326030,0x602000326035)
allocated by thread T0 here:
#0 0x7fcfe0951c20 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xd9c20)
#1 0x7fcfdb7f6588 in g_malloc (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x50588)

SUMMARY: AddressSanitizer: heap-buffer-overflow (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x71202)
==89938==ABORTING

History

#1 Updated by Zoltán Žarkov over 2 years ago

I have not gone up the call stack to figure out what this is doing:
fc_snprintf(buf, sizeof(buf), "<MENU>/%s", key + strlen("MENU_"));

But it is certainly wrong when key = "QUIT" and you try to reference key+5.

#2 Updated by Marko Lindqvist over 2 years ago

Zoltán Žarkov wrote:

I have not gone up the call stack to figure out what this is doing:
fc_snprintf(buf, sizeof(buf), "<MENU>/%s", key + strlen("MENU_"));

But it is certainly wrong when key = "QUIT" and you try to reference key+5.

Yeah, it should be done only when key is prefixed with "MENU_" (i.e., for submenus).
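The fix discussed above, as an added stand-alone illustration (not Freeciv's own code): `menu_key_suffix()` and `menu_path()` are hypothetical helpers that strip "MENU_" only when the key actually carries that prefix, so a 5-byte key such as "QUIT" is never indexed past its terminating NUL. Plain `snprintf` stands in for `fc_snprintf`.

```c
#include <stdio.h>
#include <string.h>

/* The report's faulty form is key + strlen("MENU_") applied unconditionally:
 * for key = "QUIT" (4 chars + NUL = the 5-byte region ASan shows) that
 * pointer is one past the allocation, which is the out-of-bounds READ.
 * Everything below is a constructed example, not the client's code. */
#define MENU_PREFIX "MENU_"

/* Return the part of key to place after "<MENU>/": strip the prefix only
 * if key really begins with it (i.e. for submenus), else use key as-is. */
static const char *menu_key_suffix(const char *key)
{
  size_t plen = strlen(MENU_PREFIX);

  if (strncmp(key, MENU_PREFIX, plen) == 0) {
    return key + plen;
  }
  return key;
}

/* Build "<MENU>/<suffix>" into buf. Returns 0 on success, -1 if the
 * result did not fit (snprintf reports the length it would have needed). */
static int menu_path(char *buf, size_t buflen, const char *key)
{
  int n = snprintf(buf, buflen, "<MENU>/%s", menu_key_suffix(key));

  if (n < 0 || (size_t)n >= buflen) {
    return -1;
  }
  return 0;
}

int main(void)
{
  char buf[64];
  const char *keys[] = { "QUIT", "MENU_FOO", "MENU_" };
  size_t i;

  for (i = 0; i < sizeof(keys) / sizeof(keys[0]); i++) {
    if (menu_path(buf, sizeof(buf), keys[i]) == 0) {
      printf("%-9s -> %s\n", keys[i], buf);
    }
  }
  return 0;
}
```

Compiling this with `-fsanitize=address` stays clean, whereas the unconditional `key + strlen("MENU_")` form trips the same heap-buffer-overflow report on a heap-allocated "QUIT".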

#3 Updated by Zoltán Žarkov over 1 year ago

It's not clear to me why it's necessary to even strip a MENU_ prefix, so I just removed the offset.

#5 Updated by Marko Lindqvist over 1 year ago

  • Status changed from Resolved to Closed
  • Assignee set to Marko Lindqvist
