
Bug #824589

ASAN finding: SDL2 create_line

Added by Zoltán Žarkov about 2 years ago. Updated almost 2 years ago.

Status:
Closed
Priority:
Normal
Category:
gui-sdl2
Sprint/Milestone:
Start date:
Due date:
% Done:

0%

Estimated time:

Description

Possibly related to a user-reported crash in SDL2 client.

=================================================================
==204366==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62500002a884 at pc 0x55669ba17bd3 bp 0x7fffdac7a1b0 sp 0x7fffdac7a1a8
READ of size 4 at 0x62500002a884 thread T0
#0 0x55669ba17bd2 in create_line /home/vagrant/freeciv/client/gui-sdl2/graphics.c:1871
#1 0x55669b988a7b in canvas_put_line /home/vagrant/freeciv/client/gui-sdl2/canvas.c:175
#2 0x55669b8cf08f in draw_segment /home/vagrant/freeciv/client/mapview_common.c:2475
#3 0x55669b8c550e in update_map_canvas /home/vagrant/freeciv/client/mapview_common.c:1767
#4 0x55669b8d446c in unqueue_mapview_updates /home/vagrant/freeciv/client/mapview_common.c:3107
#5 0x55669b8d305c in queue_callback /home/vagrant/freeciv/client/mapview_common.c:2948
#6 0x55669b857947 in gui_event_loop /home/vagrant/freeciv/client/gui-sdl2/gui_main.c:749
#7 0x55669b8589da in ui_main /home/vagrant/freeciv/client/gui-sdl2/gui_main.c:986
#8 0x55669b85b8aa in client_main /home/vagrant/freeciv/client/client_main.c:686
#9 0x55669b857e16 in main /home/vagrant/freeciv/client/gui-sdl2/gui_main.c:868
#10 0x7fce1e72452a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2352a)
#11 0x55669b855329 in _start (/home/vagrant/freeciv/client/freeciv-sdl2+0x1af329)

0x62500002a884 is located 124 bytes to the left of 8192-byte region [0x62500002a900,0x62500002c900)
allocated by thread T0 here:
#0 0x7fce22707c20 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xd9c20)
#1 0x7fce22367962 (/usr/lib/x86_64-linux-gnu/libSDL2-2.0.so.0+0x66962)

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/vagrant/freeciv/client/gui-sdl2/graphics.c:1871 in create_line
Shadow bytes around the buggy address:
0x0c4a7fffd4c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c4a7fffd4d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c4a7fffd4e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c4a7fffd4f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c4a7fffd500: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c4a7fffd510:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c4a7fffd520: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c4a7fffd530: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c4a7fffd540: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c4a7fffd550: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c4a7fffd560: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==204366==ABORTING

History

#1 Updated by Marko Lindqvist about 2 years ago

  • Tracker changed from Task to Bug

#2 Updated by Marko Lindqvist about 2 years ago

Zoltán Žarkov wrote:

user-reported

Ignatus at http://forum.freeciv.org/f/viewtopic.php?f=8&t=91172

#4 Updated by Zoltán Žarkov about 2 years ago


No memory violations, but goto path is drawn incorrectly.

#5 Updated by Marko Lindqvist about 2 years ago

Zoltán Žarkov wrote:

but goto path is drawn incorrectly.

That's not a regression (i.e., not blocking the patch). I get the same problem of not drawing S-N segments without the patch.

#6 Updated by Marko Lindqvist about 2 years ago

  • Status changed from New to Resolved
  • Sprint/Milestone set to 2.6.1

#9 Updated by Marko Lindqvist about 2 years ago

  • Status changed from Resolved to Closed
  • Assignee set to Marko Lindqvist
