Bug #824593

ASAN finding: SDL2 client goto_path_redraw

Added by Zoltán Žarkov about 1 year ago. Updated about 1 year ago.

Status:
Closed
Priority:
Normal
Category:
gui-sdl2
% Done:
0%

Description

=================================================================
==222746==ERROR: AddressSanitizer: heap-use-after-free on address 0x60700018d4c0 at pc 0x555555d524cf bp 0x7fffffffd650 sp 0x7fffffffd648
READ of size 8 at 0x60700018d4c0 thread T0
#0 0x555555d524ce in genlist_prepend /home/vagrant/freeciv/utility/genlist.c:530
#1 0x5555557034b3 in callback_list_prepend ../../utility/speclist.h:272
#2 0x555555706e0a in add_idle_callback /home/vagrant/freeciv/client/gui-sdl2/gui_main.c:1098
#3 0x555555781089 in queue_add_callback /home/vagrant/freeciv/client/mapview_common.c:2959
#4 0x5555557811cc in queue_mapview_tile_update /home/vagrant/freeciv/client/mapview_common.c:3003
#5 0x5555557655ae in refresh_tile_mapcanvas /home/vagrant/freeciv/client/mapview_common.c:466
#6 0x55555578385d in mapdeco_remove_gotoline /home/vagrant/freeciv/client/mapview_common.c:3444
#7 0x555555737896 in goto_path_redraw /home/vagrant/freeciv/client/goto.c:214
#8 0x555555738ef3 in update_last_part /home/vagrant/freeciv/client/goto.c:371
#9 0x5555557392a1 in reset_last_part /home/vagrant/freeciv/client/goto.c:393
#10 0x55555573a085 in remove_last_part /home/vagrant/freeciv/client/goto.c:468
#11 0x5555557370ea in goto_map_free /home/vagrant/freeciv/client/goto.c:126
#12 0x55555573d28f in exit_goto_state /home/vagrant/freeciv/client/goto.c:1013
#13 0x55555571baa5 in set_hover_state /home/vagrant/freeciv/client/control.c:296
#14 0x55555571bb22 in clear_hover_state /home/vagrant/freeciv/client/control.c:314
#15 0x55555571b38f in control_free /home/vagrant/freeciv/client/control.c:169
#16 0x5555557077fe in client_game_free /home/vagrant/freeciv/client/client_main.c:280
#17 0x555555709c92 in client_exit /home/vagrant/freeciv/client/client_main.c:735
#18 0x5555557098af in client_main /home/vagrant/freeciv/client/client_main.c:689
#19 0x555555705e16 in main /home/vagrant/freeciv/client/gui-sdl2/gui_main.c:868
#20 0x7ffff2f1952a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2352a)
#21 0x555555703329 in _start (/home/vagrant/freeciv/client/freeciv-sdl2+0x1af329)

0x60700018d4c0 is located 48 bytes inside of 72-byte region [0x60700018d490,0x60700018d4d8)
freed by thread T0 here:
#0 0x7ffff6efc8c8 in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xd98c8)
#1 0x555555d508bd in genlist_destroy /home/vagrant/freeciv/utility/genlist.c:65
#2 0x55555570348d in callback_list_destroy ../../utility/speclist.h:192
#3 0x555555706ae2 in ui_exit /home/vagrant/freeciv/client/gui-sdl2/gui_main.c:1011
#4 0x555555709c74 in client_exit /home/vagrant/freeciv/client/client_main.c:728
#5 0x5555557098af in client_main /home/vagrant/freeciv/client/client_main.c:689
#6 0x555555705e16 in main /home/vagrant/freeciv/client/gui-sdl2/gui_main.c:868
#7 0x7ffff2f1952a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2352a)

previously allocated by thread T0 here:
#0 0x7ffff6efcc20 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xd9c20)
#1 0x555555d597d5 in fc_real_malloc /home/vagrant/freeciv/utility/mem.c:89
#2 0x555555d598c9 in fc_real_calloc /home/vagrant/freeciv/utility/mem.c:137
#3 0x555555d50837 in genlist_new_full /home/vagrant/freeciv/utility/genlist.c:41
#4 0x555555d50807 in genlist_new /home/vagrant/freeciv/utility/genlist.c:33
#5 0x555555703473 in callback_list_new ../../utility/speclist.h:170
#6 0x555555706976 in ui_main /home/vagrant/freeciv/client/gui-sdl2/gui_main.c:971
#7 0x5555557098aa in client_main /home/vagrant/freeciv/client/client_main.c:686
#8 0x555555705e16 in main /home/vagrant/freeciv/client/gui-sdl2/gui_main.c:868
#9 0x7ffff2f1952a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2352a)

SUMMARY: AddressSanitizer: heap-use-after-free /home/vagrant/freeciv/utility/genlist.c:530 in genlist_prepend
Shadow bytes around the buggy address:
0x0c0e80029a40: fd fd fd fd fd fd fd fa fa fa fa fa fd fd fd fd
0x0c0e80029a50: fd fd fd fd fd fa fa fa fa fa 00 00 00 00 00 00
0x0c0e80029a60: 00 00 00 fa fa fa fa fa fd fd fd fd fd fd fd fd
0x0c0e80029a70: fd fa fa fa fa fa 00 00 00 00 00 00 00 00 00 fa
0x0c0e80029a80: fa fa fa fa fd fd fd fd fd fd fd fd fd fa fa fa
=>0x0c0e80029a90: fa fa fd fd fd fd fd fd[fd]fd fd fa fa fa fa fa
0x0c0e80029aa0: fd fd fd fd fd fd fd fd fd fa fa fa fa fa fd fd
0x0c0e80029ab0: fd fd fd fd fd fd fd fa fa fa fa fa fd fd fd fd
0x0c0e80029ac0: fd fd fd fd fd fa fa fa fa fa fd fd fd fd fd fd
0x0c0e80029ad0: fd fd fd fa fa fa fa fa fd fd fd fd fd fd fd fd
0x0c0e80029ae0: fd fa fa fa fa fa fd fd fd fd fd fd fd fd fd fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==222746==ABORTING
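The three stacks above tell a complete story: the idle-callback list is created in ui_main (client_main.c:686), destroyed by ui_exit (client_main.c:728), and then client_game_free (client_main.c:735) tears down the goto state, which queues a tile redraw and prepends to the already-freed list. The following is an added illustration of that teardown-ordering use-after-free and one defensive pattern against it; it is not freeciv code, and every name in it (cb_list, ui_main_init, shutdown_ui_first, dropped_after_exit) is a hypothetical stand-in for the functions named in the trace.

```c
/* Added example, not freeciv code: a toy idle-callback list that reproduces
 * the shutdown ordering in the ASan report. All names are hypothetical. */
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

typedef void (*idle_cb_t)(void *data);

struct cb_node { idle_cb_t fn; void *data; struct cb_node *next; };
struct cb_list { struct cb_node *head; size_t count; };

static struct cb_list *cb_list_new(void) {
  struct cb_list *l = calloc(1, sizeof *l);
  if (l == NULL) abort();
  return l;
}

static void cb_list_prepend(struct cb_list *l, idle_cb_t fn, void *data) {
  struct cb_node *n = malloc(sizeof *n);
  if (n == NULL) abort();
  n->fn = fn; n->data = data; n->next = l->head;
  l->head = n; l->count++;
}

static void cb_list_destroy(struct cb_list *l) {
  struct cb_node *n = l->head;
  while (n != NULL) { struct cb_node *next = n->next; free(n); n = next; }
  free(l);
}

/* GUI-side state standing in for the list that gui_main.c creates in ui_main
 * and frees in ui_exit. */
static struct cb_list *idle_callbacks = NULL;
static size_t dropped_after_exit = 0;

static void ui_main_init(void) { idle_callbacks = cb_list_new(); dropped_after_exit = 0; }

static void ui_exit(void) {
  cb_list_destroy(idle_callbacks);
  /* In the report the list is still prepended to after callback_list_destroy;
   * clearing the pointer makes that late use detectable instead of a UAF. */
  idle_callbacks = NULL;
}

/* Hardened stand-in for add_idle_callback: refuses registrations after
 * ui_exit rather than writing into freed memory. Returns whether queued. */
static bool add_idle_callback(idle_cb_t fn, void *data) {
  if (idle_callbacks == NULL) { dropped_after_exit++; return false; }
  cb_list_prepend(idle_callbacks, fn, data);
  return true;
}

static void redraw_tile(void *data) { (void)data; }

/* Stand-in for goto_map_free -> mapdeco_remove_gotoline ->
 * queue_mapview_tile_update: removing the goto line queues a redraw for
 * each tile it covered (three constructed tiles here). */
static void client_game_free(void) {
  for (int tile = 0; tile < 3; tile++) add_idle_callback(redraw_tile, NULL);
}

/* The order from the report: ui_exit (client_main.c:728) runs before
 * client_game_free (client_main.c:735). Returns callbacks refused. */
static size_t shutdown_ui_first(void) {
  ui_main_init();
  ui_exit();
  client_game_free();
  return dropped_after_exit;
}

/* Game state freed while the GUI still lives; returns callbacks queued. */
static size_t shutdown_game_first(void) {
  ui_main_init();
  client_game_free();
  size_t queued = idle_callbacks->count;
  ui_exit();
  return queued;
}

int main(void) {
  printf("ui_exit first:  %zu redraws refused\n", shutdown_ui_first());
  printf("game_free first: %zu redraws queued\n", shutdown_game_first());
  return 0;
}
```

Under the report's ordering the hardened add_idle_callback refuses all three redraws instead of prepending into freed memory; with game state freed before the GUI, the same three redraws are queued normally. The NULL check only turns a silent heap write into a visible drop; the real fix is the ordering, and a build with -fsanitize=address still catches the original pattern if the check is ever removed.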

History

#1 Updated by Marko Lindqvist about 1 year ago

  • Tracker changed from Task to Bug
  • Target version set to 2.6.1

#4 Updated by Marko Lindqvist about 1 year ago

  • Target version changed from 2.6.1 to 2.5.12

#5 Updated by Marko Lindqvist about 1 year ago

  • Status changed from Resolved to Closed
  • Assignee set to Marko Lindqvist
