Bug #824593: ASAN finding: SDL2 client goto_path_redraw - Freeciv - HostedRedmine by Planio

HostedRedmine.com has moved to the Planio platform. All logins and passwords remained the same. All users will be able to login and use Redmine just as before. Read more...

Send by e-mail

Bug #824593

ASAN finding: SDL2 client goto_path_redraw

Added by Zoltán Žarkov over 1 year ago. Updated over 1 year ago.

Status:

Closed

Priority:

Normal

Assignee:

Marko Lindqvist

Category:

gui-sdl2

Sprint/Milestone:

2.5.12

Start date:

Due date:

% Done:

Estimated time:

Description

=================================================================
222746ERROR: AddressSanitizer: heap-use-after-free on address 0x60700018d4c0 at pc 0x555555d524cf bp 0x7fffffffd650 sp 0x7fffffffd648
READ of size 8 at 0x60700018d4c0 thread T0
#0 0x555555d524ce in genlist_prepend /home/vagrant/freeciv/utility/genlist.c:530
#1 0x5555557034b3 in callback_list_prepend ../../utility/speclist.h:272
#2 0x555555706e0a in add_idle_callback /home/vagrant/freeciv/client/gui-sdl2/gui_main.c:1098
#3 0x555555781089 in queue_add_callback /home/vagrant/freeciv/client/mapview_common.c:2959
#4 0x5555557811cc in queue_mapview_tile_update /home/vagrant/freeciv/client/mapview_common.c:3003
#5 0x5555557655ae in refresh_tile_mapcanvas /home/vagrant/freeciv/client/mapview_common.c:466
#6 0x55555578385d in mapdeco_remove_gotoline /home/vagrant/freeciv/client/mapview_common.c:3444
#7 0x555555737896 in goto_path_redraw /home/vagrant/freeciv/client/goto.c:214
#8 0x555555738ef3 in update_last_part /home/vagrant/freeciv/client/goto.c:371
#9 0x5555557392a1 in reset_last_part /home/vagrant/freeciv/client/goto.c:393
#10 0x55555573a085 in remove_last_part /home/vagrant/freeciv/client/goto.c:468
#11 0x5555557370ea in goto_map_free /home/vagrant/freeciv/client/goto.c:126
#12 0x55555573d28f in exit_goto_state /home/vagrant/freeciv/client/goto.c:1013
#13 0x55555571baa5 in set_hover_state /home/vagrant/freeciv/client/control.c:296
#14 0x55555571bb22 in clear_hover_state /home/vagrant/freeciv/client/control.c:314
#15 0x55555571b38f in control_free /home/vagrant/freeciv/client/control.c:169
#16 0x5555557077fe in client_game_free /home/vagrant/freeciv/client/client_main.c:280
#17 0x555555709c92 in client_exit /home/vagrant/freeciv/client/client_main.c:735
#18 0x5555557098af in client_main /home/vagrant/freeciv/client/client_main.c:689
#19 0x555555705e16 in main /home/vagrant/freeciv/client/gui-sdl2/gui_main.c:868
#20 0x7ffff2f1952a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2352a)
#21 0x555555703329 in _start (/home/vagrant/freeciv/client/freeciv-sdl2+0x1af329)

0x60700018d4c0 is located 48 bytes inside of 72-byte region [0x60700018d490,0x60700018d4d8)
freed by thread T0 here:
#0 0x7ffff6efc8c8 in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xd98c8)
#1 0x555555d508bd in genlist_destroy /home/vagrant/freeciv/utility/genlist.c:65
#2 0x55555570348d in callback_list_destroy ../../utility/speclist.h:192
#3 0x555555706ae2 in ui_exit /home/vagrant/freeciv/client/gui-sdl2/gui_main.c:1011
#4 0x555555709c74 in client_exit /home/vagrant/freeciv/client/client_main.c:728
#5 0x5555557098af in client_main /home/vagrant/freeciv/client/client_main.c:689
#6 0x555555705e16 in main /home/vagrant/freeciv/client/gui-sdl2/gui_main.c:868
#7 0x7ffff2f1952a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2352a)

previously allocated by thread T0 here:
#0 0x7ffff6efcc20 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xd9c20)
#1 0x555555d597d5 in fc_real_malloc /home/vagrant/freeciv/utility/mem.c:89
#2 0x555555d598c9 in fc_real_calloc /home/vagrant/freeciv/utility/mem.c:137
#3 0x555555d50837 in genlist_new_full /home/vagrant/freeciv/utility/genlist.c:41
#4 0x555555d50807 in genlist_new /home/vagrant/freeciv/utility/genlist.c:33
#5 0x555555703473 in callback_list_new ../../utility/speclist.h:170
#6 0x555555706976 in ui_main /home/vagrant/freeciv/client/gui-sdl2/gui_main.c:971
#7 0x5555557098aa in client_main /home/vagrant/freeciv/client/client_main.c:686
#8 0x555555705e16 in main /home/vagrant/freeciv/client/gui-sdl2/gui_main.c:868
#9 0x7ffff2f1952a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2352a)

SUMMARY: AddressSanitizer: heap-use-after-free /home/vagrant/freeciv/utility/genlist.c:530 in genlist_prepend
Shadow bytes around the buggy address:
0x0c0e80029a40: fd fd fd fd fd fd fd fa fa fa fa fa fd fd fd fd
0x0c0e80029a50: fd fd fd fd fd fa fa fa fa fa 00 00 00 00 00 00
0x0c0e80029a60: 00 00 00 fa fa fa fa fa fd fd fd fd fd fd fd fd
0x0c0e80029a70: fd fa fa fa fa fa 00 00 00 00 00 00 00 00 00 fa
0x0c0e80029a80: fa fa fa fa fd fd fd fd fd fd fd fd fd fa fa fa
=>0x0c0e80029a90: fa fa fd fd fd fd fd fd[fd]fd fd fa fa fa fa fa
0x0c0e80029aa0: fd fd fd fd fd fd fd fd fd fa fa fa fa fa fd fd
0x0c0e80029ab0: fd fd fd fd fd fd fd fa fa fa fa fa fd fd fd fd
0x0c0e80029ac0: fd fd fd fd fd fa fa fa fa fa fd fd fd fd fd fd
0x0c0e80029ad0: fd fd fd fa fa fa fa fa fd fd fd fd fd fd fd fd
0x0c0e80029ae0: fd fa fa fa fa fa fd fd fd fd fd fd fd fd fd fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
222746ABORTING

0051-sdl2-Do-not-try-to-add-callbacks-to-the-list-when-cl.patch (1.67 KB) 0051-sdl2-Do-not-try-to-add-callbacks-to-the-list-when-cl.patch		Marko Lindqvist, 2019-07-02 11:16 PM
0010-sdl-2-Do-not-try-to-add-callbacks-to-the-list-when-c.patch (3.19 KB) 0010-sdl-2-Do-not-try-to-add-callbacks-to-the-list-when-c.patch	S2_6	Marko Lindqvist, 2019-07-02 11:49 PM
0001-sdl-Do-not-try-to-add-callbacks-to-the-list-when-cli.patch (1.99 KB) 0001-sdl-Do-not-try-to-add-callbacks-to-the-list-when-cli.patch	S2_5	Marko Lindqvist, 2019-07-02 11:49 PM