Bug #824593
ASAN finding: SDL2 client goto_path_redraw
Description
=================================================================
==222746==ERROR: AddressSanitizer: heap-use-after-free on address 0x60700018d4c0 at pc 0x555555d524cf bp 0x7fffffffd650 sp 0x7fffffffd648
READ of size 8 at 0x60700018d4c0 thread T0
#0 0x555555d524ce in genlist_prepend /home/vagrant/freeciv/utility/genlist.c:530
#1 0x5555557034b3 in callback_list_prepend ../../utility/speclist.h:272
#2 0x555555706e0a in add_idle_callback /home/vagrant/freeciv/client/gui-sdl2/gui_main.c:1098
#3 0x555555781089 in queue_add_callback /home/vagrant/freeciv/client/mapview_common.c:2959
#4 0x5555557811cc in queue_mapview_tile_update /home/vagrant/freeciv/client/mapview_common.c:3003
#5 0x5555557655ae in refresh_tile_mapcanvas /home/vagrant/freeciv/client/mapview_common.c:466
#6 0x55555578385d in mapdeco_remove_gotoline /home/vagrant/freeciv/client/mapview_common.c:3444
#7 0x555555737896 in goto_path_redraw /home/vagrant/freeciv/client/goto.c:214
#8 0x555555738ef3 in update_last_part /home/vagrant/freeciv/client/goto.c:371
#9 0x5555557392a1 in reset_last_part /home/vagrant/freeciv/client/goto.c:393
#10 0x55555573a085 in remove_last_part /home/vagrant/freeciv/client/goto.c:468
#11 0x5555557370ea in goto_map_free /home/vagrant/freeciv/client/goto.c:126
#12 0x55555573d28f in exit_goto_state /home/vagrant/freeciv/client/goto.c:1013
#13 0x55555571baa5 in set_hover_state /home/vagrant/freeciv/client/control.c:296
#14 0x55555571bb22 in clear_hover_state /home/vagrant/freeciv/client/control.c:314
#15 0x55555571b38f in control_free /home/vagrant/freeciv/client/control.c:169
#16 0x5555557077fe in client_game_free /home/vagrant/freeciv/client/client_main.c:280
#17 0x555555709c92 in client_exit /home/vagrant/freeciv/client/client_main.c:735
#18 0x5555557098af in client_main /home/vagrant/freeciv/client/client_main.c:689
#19 0x555555705e16 in main /home/vagrant/freeciv/client/gui-sdl2/gui_main.c:868
#20 0x7ffff2f1952a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2352a)
#21 0x555555703329 in _start (/home/vagrant/freeciv/client/freeciv-sdl2+0x1af329)
0x60700018d4c0 is located 48 bytes inside of 72-byte region [0x60700018d490,0x60700018d4d8)
freed by thread T0 here:
#0 0x7ffff6efc8c8 in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xd98c8)
#1 0x555555d508bd in genlist_destroy /home/vagrant/freeciv/utility/genlist.c:65
#2 0x55555570348d in callback_list_destroy ../../utility/speclist.h:192
#3 0x555555706ae2 in ui_exit /home/vagrant/freeciv/client/gui-sdl2/gui_main.c:1011
#4 0x555555709c74 in client_exit /home/vagrant/freeciv/client/client_main.c:728
#5 0x5555557098af in client_main /home/vagrant/freeciv/client/client_main.c:689
#6 0x555555705e16 in main /home/vagrant/freeciv/client/gui-sdl2/gui_main.c:868
#7 0x7ffff2f1952a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2352a)
previously allocated by thread T0 here:
#0 0x7ffff6efcc20 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xd9c20)
#1 0x555555d597d5 in fc_real_malloc /home/vagrant/freeciv/utility/mem.c:89
#2 0x555555d598c9 in fc_real_calloc /home/vagrant/freeciv/utility/mem.c:137
#3 0x555555d50837 in genlist_new_full /home/vagrant/freeciv/utility/genlist.c:41
#4 0x555555d50807 in genlist_new /home/vagrant/freeciv/utility/genlist.c:33
#5 0x555555703473 in callback_list_new ../../utility/speclist.h:170
#6 0x555555706976 in ui_main /home/vagrant/freeciv/client/gui-sdl2/gui_main.c:971
#7 0x5555557098aa in client_main /home/vagrant/freeciv/client/client_main.c:686
#8 0x555555705e16 in main /home/vagrant/freeciv/client/gui-sdl2/gui_main.c:868
#9 0x7ffff2f1952a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2352a)
SUMMARY: AddressSanitizer: heap-use-after-free /home/vagrant/freeciv/utility/genlist.c:530 in genlist_prepend
Shadow bytes around the buggy address:
==222746==ABORTING
History
#1
Updated by Marko Lindqvist over 1 year ago
- Tracker changed from Task to Bug
- Sprint/Milestone set to 2.6.1
#2
Updated by Marko Lindqvist over 1 year ago
- File 0051-sdl2-Do-not-try-to-add-callbacks-to-the-list-when-cl.patch added
- Status changed from New to Resolved
#3
Updated by Marko Lindqvist over 1 year ago
- File 0010-sdl-2-Do-not-try-to-add-callbacks-to-the-list-when-c.patch added
- File 0001-sdl-Do-not-try-to-add-callbacks-to-the-list-when-cli.patch added
Fix also sdl-client in S2_6 and S2_5.
#4
Updated by Marko Lindqvist over 1 year ago
- Sprint/Milestone changed from 2.6.1 to 2.5.12
#5
Updated by Marko Lindqvist over 1 year ago
- Status changed from Resolved to Closed
- Assignee set to Marko Lindqvist