Description
ASAN report:
AddressSanitizer: heap-use-after-free on address 0x7d2fcb259148 at pc 0x7fffe0dd86ac bp 0x7ffffffe64e0 sp 0x7ffffffe64d0
READ of size 4 at 0x7d2fcb259148 thread T0
#0 0x7fffe0dd86ab in dDOT(float const*, float const*) /mnt/data/dev/xray-16/Externals/ode/include/ode/odemath.h:52
#1 0x7fffcbddbd8f in CPHContactBodyEffector::Apply() /mnt/data/dev/xray-16/src/xrPhysics/PHContactBodyEffector.cpp:26
#2 0x7fffcbe1f2f1 in CPHElement::PhTune(float) /mnt/data/dev/xray-16/src/xrPhysics/PHElement.cpp:376
#3 0x7fffcbf35496 in CPHShell::PhTune(float) /mnt/data/dev/xray-16/src/xrPhysics/PHShell.cpp:208
#4 0x7fffcbf7ddff in CPHWorld::Step() /mnt/data/dev/xray-16/src/xrPhysics/PHWorld.cpp:319
#5 0x7fffe0c05dab in CCharacterPhysicsSupport::FlyTo(_vector3<float> const&) /mnt/data/dev/xray-16/src/xrGame/CharacterPhysicsSupport.cpp:1314
#6 0x7fffe0c06a29 in CCharacterPhysicsSupport::EndActivateFreeShell(IGameObject*, _vector3<float> const&, _vector3<float> const&, _vector3<float> const&) /mnt/data/dev/xray-16/src/xrGame/CharacterPhysicsSupport.cpp:1141
#7 0x7fffe0c1904c in CCharacterPhysicsSupport::KillHit(SHit&) /mnt/data/dev/xray-16/src/xrGame/CharacterPhysicsSupport.cpp:463
#8 0x7fffe0c1a512 in CCharacterPhysicsSupport::in_Hit(SHit&, bool) /mnt/data/dev/xray-16/src/xrGame/CharacterPhysicsSupport.cpp:492
#9 0x7fffe0c1aac9 in CCharacterPhysicsSupport::in_Die() /mnt/data/dev/xray-16/src/xrGame/CharacterPhysicsSupport.cpp:1363
#10 0x7fffe100717f in CEntityAlive::Die(IGameObject*) /mnt/data/dev/xray-16/src/xrGame/entity_alive.cpp:329
#11 0x7fffe0d5644f in CCustomMonster::Die(IGameObject*) /mnt/data/dev/xray-16/src/xrGame/CustomMonster.cpp:696
#12 0x7fffe3a071dc in CAI_Stalker::Die(IGameObject*) /mnt/data/dev/xray-16/src/xrGame/ai/stalker/ai_stalker.cpp:472
#13 0x7fffe102861b in CEntity::OnEvent(NET_Packet&, unsigned short) /mnt/data/dev/xray-16/src/xrGame/Entity.cpp:60
#14 0x7fffe0d521f8 in CCustomMonster::OnEvent(NET_Packet&, unsigned short) /mnt/data/dev/xray-16/src/xrGame/CustomMonster.cpp:803
#15 0x7fffe3a5171f in CAI_Stalker::OnEvent(NET_Packet&, unsigned short) /mnt/data/dev/xray-16/src/xrGame/ai/stalker/ai_stalker_events.cpp:26
#16 0x7fffe1910c41 in CLevel::cl_Process_Event(unsigned short, unsigned short, NET_Packet&) /mnt/data/dev/xray-16/src/xrGame/Level.cpp:276
#17 0x7fffe19151a5 in CLevel::ProcessGameEvents() /mnt/data/dev/xray-16/src/xrGame/Level.cpp:333
#18 0x7fffe191adf8 in CLevel::OnFrame() /mnt/data/dev/xray-16/src/xrGame/Level.cpp:447
#19 0x7fffd16df9ac in pureFrame::OnPure(pureFrame*) /mnt/data/dev/xray-16/src/xrEngine/pure.h:18
#20 0x7fffd16df9ac in MessageRegistry<pureFrame>::Process() /mnt/data/dev/xray-16/src/xrEngine/pure.h:101
#21 0x7fffd16cecd7 in CRenderDevice::FrameMove() /mnt/data/dev/xray-16/src/xrEngine/device.cpp:484
#22 0x7fffd16cf36b in CRenderDevice::ProcessFrame() /mnt/data/dev/xray-16/src/xrEngine/device.cpp:270
#23 0x7fffd168472e in CApplication::Run() /mnt/data/dev/xray-16/src/xrEngine/x_ray.cpp:433
#24 0x55555555b4d5 in entry_point(char const*) /mnt/data/dev/xray-16/src/xr_3da/entry_point.cpp:53
#25 0x55555555b8ed in main /mnt/data/dev/xray-16/src/xr_3da/entry_point.cpp:105
#26 0x7fffcf027b8a (/usr/lib/libc.so.6+0x27b8a) (BuildId: 3fb5bf3586fec17ba65a16ec9a3132455897d306)
#27 0x7fffcf027c4a in __libc_start_main (/usr/lib/libc.so.6+0x27c4a) (BuildId: 3fb5bf3586fec17ba65a16ec9a3132455897d306)
#28 0x55555555b304 in _start (/mnt/data/dev/xray-16/bin/x86_64/Debug/xr_3da+0x7304) (BuildId: 6816e84c29f929702188eec8451178f5e8e27c05)
0x7d2fcb259148 is located 264 bytes inside of 344-byte region [0x7d2fcb259040,0x7d2fcb259198)
freed by thread T0 here:
#0 0x7ffff795103d in free /usr/src/debug/gcc/gcc/libsanitizer/asan/asan_malloc_linux.cpp:51
#1 0x7fffd048acc3 in xrMemory::mem_free(void*) /mnt/data/dev/xray-16/src/xrCore/xrMemory.cpp:260
#2 0x7ffff52264f6 in void xr_free<void>(void*&) /mnt/data/dev/xray-16/src/xrCore/xrMemory.h:105
#3 0x7fffcbd6cf85 in ode_free /mnt/data/dev/xray-16/src/xrPhysics/xrPhysics.cpp:14
#4 0x7fffcb1acbc7 in dFree /mnt/data/dev/xray-16/Externals/ode/ode/src/memory.cpp:86
#5 0x7fffcb1afa5a in dBase::operator delete(void*, unsigned long) /mnt/data/dev/xray-16/Externals/ode/ode/src/objects.h:51
#6 0x7fffcb1afa5a in dBodyDestroy /mnt/data/dev/xray-16/Externals/ode/ode/src/ode.cpp:310
#7 0x7fffcbd74146 in CPHActivationShape::Destroy() /mnt/data/dev/xray-16/src/xrPhysics/PHActivationShape.cpp:217
#8 0x7fffcbd6ff5c in ActivateShapeCharacterPhysicsSupport(_vector3<float>&, _vector3<float> const&, _vector3<float> const&, Fmatrix const&, bool, bool, IPhysicsShellHolder*) /mnt/data/dev/xray-16/src/xrPhysics/IActivationShape.cpp:65
#9 0x7fffe0c03e16 in CCharacterPhysicsSupport::CollisionCorrectObjPos(_vector3<float> const&, bool) /mnt/data/dev/xray-16/src/xrGame/CharacterPhysicsSupport.cpp:706
#10 0x7fffe0c06627 in CCharacterPhysicsSupport::EndActivateFreeShell(IGameObject*, _vector3<float> const&, _vector3<float> const&, _vector3<float> const&) /mnt/data/dev/xray-16/src/xrGame/CharacterPhysicsSupport.cpp:1129
#11 0x7fffe0c1904c in CCharacterPhysicsSupport::KillHit(SHit&) /mnt/data/dev/xray-16/src/xrGame/CharacterPhysicsSupport.cpp:463
#12 0x7fffe0c1a512 in CCharacterPhysicsSupport::in_Hit(SHit&, bool) /mnt/data/dev/xray-16/src/xrGame/CharacterPhysicsSupport.cpp:492
#13 0x7fffe0c1aac9 in CCharacterPhysicsSupport::in_Die() /mnt/data/dev/xray-16/src/xrGame/CharacterPhysicsSupport.cpp:1363
#14 0x7fffe100717f in CEntityAlive::Die(IGameObject*) /mnt/data/dev/xray-16/src/xrGame/entity_alive.cpp:329
#15 0x7fffe0d5644f in CCustomMonster::Die(IGameObject*) /mnt/data/dev/xray-16/src/xrGame/CustomMonster.cpp:696
#16 0x7fffe3a071dc in CAI_Stalker::Die(IGameObject*) /mnt/data/dev/xray-16/src/xrGame/ai/stalker/ai_stalker.cpp:472
#17 0x7fffe102861b in CEntity::OnEvent(NET_Packet&, unsigned short) /mnt/data/dev/xray-16/src/xrGame/Entity.cpp:60
#18 0x7fffe0d521f8 in CCustomMonster::OnEvent(NET_Packet&, unsigned short) /mnt/data/dev/xray-16/src/xrGame/CustomMonster.cpp:803
#19 0x7fffe3a5171f in CAI_Stalker::OnEvent(NET_Packet&, unsigned short) /mnt/data/dev/xray-16/src/xrGame/ai/stalker/ai_stalker_events.cpp:26
#20 0x7fffe1910c41 in CLevel::cl_Process_Event(unsigned short, unsigned short, NET_Packet&) /mnt/data/dev/xray-16/src/xrGame/Level.cpp:276
#21 0x7fffe19151a5 in CLevel::ProcessGameEvents() /mnt/data/dev/xray-16/src/xrGame/Level.cpp:333
#22 0x7fffe191adf8 in CLevel::OnFrame() /mnt/data/dev/xray-16/src/xrGame/Level.cpp:447
#23 0x7fffd16df9ac in pureFrame::OnPure(pureFrame*) /mnt/data/dev/xray-16/src/xrEngine/pure.h:18
#24 0x7fffd16df9ac in MessageRegistry<pureFrame>::Process() /mnt/data/dev/xray-16/src/xrEngine/pure.h:101
#25 0x7fffd16cecd7 in CRenderDevice::FrameMove() /mnt/data/dev/xray-16/src/xrEngine/device.cpp:484
#26 0x7fffd16cf36b in CRenderDevice::ProcessFrame() /mnt/data/dev/xray-16/src/xrEngine/device.cpp:270
#27 0x7fffd168472e in CApplication::Run() /mnt/data/dev/xray-16/src/xrEngine/x_ray.cpp:433
#28 0x55555555b4d5 in entry_point(char const*) /mnt/data/dev/xray-16/src/xr_3da/entry_point.cpp:53
#29 0x55555555b8ed in main /mnt/data/dev/xray-16/src/xr_3da/entry_point.cpp:105
#30 0x7fffcf027b8a (/usr/lib/libc.so.6+0x27b8a) (BuildId: 3fb5bf3586fec17ba65a16ec9a3132455897d306)
#31 0x7fffffffd4a3 ([stack]+0x784a3)
previously allocated by thread T0 here:
#0 0x7ffff7952345 in malloc /usr/src/debug/gcc/gcc/libsanitizer/asan/asan_malloc_linux.cpp:67
#1 0x7fffd048ac4b in xrMemory::mem_alloc(unsigned long) /mnt/data/dev/xray-16/src/xrCore/xrMemory.cpp:202
#2 0x7fffd048ae48 in xr_malloc(unsigned long) /mnt/data/dev/xray-16/src/xrCore/xrMemory.cpp:365
#3 0x7fffcbd6ce4d in ode_alloc /mnt/data/dev/xray-16/src/xrPhysics/xrPhysics.cpp:12
#4 0x7fffcb1acb89 in dAlloc /mnt/data/dev/xray-16/Externals/ode/ode/src/memory.cpp:72
#5 0x7fffcb1b2c2b in dBase::operator new(unsigned long) /mnt/data/dev/xray-16/Externals/ode/ode/src/objects.h:50
#6 0x7fffcb1b2c2b in dBodyCreate /mnt/data/dev/xray-16/Externals/ode/ode/src/ode.cpp:254
#7 0x7fffcbd73635 in CPHActivationShape::Create(_vector3<float>, _vector3<float>, IPhysicsShellHolder*, CPHActivationShape::EType, unsigned short) /mnt/data/dev/xray-16/src/xrPhysics/PHActivationShape.cpp:186
#8 0x7fffcbd6fcd1 in ActivateShapeCharacterPhysicsSupport(_vector3<float>&, _vector3<float> const&, _vector3<float> const&, Fmatrix const&, bool, bool, IPhysicsShellHolder*) /mnt/data/dev/xray-16/src/xrPhysics/IActivationShape.cpp:56
#9 0x7fffe0c03e16 in CCharacterPhysicsSupport::CollisionCorrectObjPos(_vector3<float> const&, bool) /mnt/data/dev/xray-16/src/xrGame/CharacterPhysicsSupport.cpp:706
#10 0x7fffe0c06627 in CCharacterPhysicsSupport::EndActivateFreeShell(IGameObject*, _vector3<float> const&, _vector3<float> const&, _vector3<float> const&) /mnt/data/dev/xray-16/src/xrGame/CharacterPhysicsSupport.cpp:1129
#11 0x7fffe0c1904c in CCharacterPhysicsSupport::KillHit(SHit&) /mnt/data/dev/xray-16/src/xrGame/CharacterPhysicsSupport.cpp:463
#12 0x7fffe0c1a512 in CCharacterPhysicsSupport::in_Hit(SHit&, bool) /mnt/data/dev/xray-16/src/xrGame/CharacterPhysicsSupport.cpp:492
#13 0x7fffe0c1aac9 in CCharacterPhysicsSupport::in_Die() /mnt/data/dev/xray-16/src/xrGame/CharacterPhysicsSupport.cpp:1363
#14 0x7fffe100717f in CEntityAlive::Die(IGameObject*) /mnt/data/dev/xray-16/src/xrGame/entity_alive.cpp:329
#15 0x7fffe0d5644f in CCustomMonster::Die(IGameObject*) /mnt/data/dev/xray-16/src/xrGame/CustomMonster.cpp:696
#16 0x7fffe3a071dc in CAI_Stalker::Die(IGameObject*) /mnt/data/dev/xray-16/src/xrGame/ai/stalker/ai_stalker.cpp:472
#17 0x7fffe102861b in CEntity::OnEvent(NET_Packet&, unsigned short) /mnt/data/dev/xray-16/src/xrGame/Entity.cpp:60
#18 0x7fffe0d521f8 in CCustomMonster::OnEvent(NET_Packet&, unsigned short) /mnt/data/dev/xray-16/src/xrGame/CustomMonster.cpp:803
#19 0x7fffe3a5171f in CAI_Stalker::OnEvent(NET_Packet&, unsigned short) /mnt/data/dev/xray-16/src/xrGame/ai/stalker/ai_stalker_events.cpp:26
#20 0x7fffe1910c41 in CLevel::cl_Process_Event(unsigned short, unsigned short, NET_Packet&) /mnt/data/dev/xray-16/src/xrGame/Level.cpp:276
#21 0x7fffe19151a5 in CLevel::ProcessGameEvents() /mnt/data/dev/xray-16/src/xrGame/Level.cpp:333
#22 0x7fffe191adf8 in CLevel::OnFrame() /mnt/data/dev/xray-16/src/xrGame/Level.cpp:447
#23 0x7fffd16df9ac in pureFrame::OnPure(pureFrame*) /mnt/data/dev/xray-16/src/xrEngine/pure.h:18
#24 0x7fffd16df9ac in MessageRegistry<pureFrame>::Process() /mnt/data/dev/xray-16/src/xrEngine/pure.h:101
#25 0x7fffd16cecd7 in CRenderDevice::FrameMove() /mnt/data/dev/xray-16/src/xrEngine/device.cpp:484
#26 0x7fffd16cf36b in CRenderDevice::ProcessFrame() /mnt/data/dev/xray-16/src/xrEngine/device.cpp:270
#27 0x7fffd168472e in CApplication::Run() /mnt/data/dev/xray-16/src/xrEngine/x_ray.cpp:433
#28 0x55555555b4d5 in entry_point(char const*) /mnt/data/dev/xray-16/src/xr_3da/entry_point.cpp:53
#29 0x55555555b8ed in main /mnt/data/dev/xray-16/src/xr_3da/entry_point.cpp:105
#30 0x7fffcf027b8a (/usr/lib/libc.so.6+0x27b8a) (BuildId: 3fb5bf3586fec17ba65a16ec9a3132455897d306)
#31 0x7fffffffd4a3 ([stack]+0x784a3)
SUMMARY: AddressSanitizer: heap-use-after-free /mnt/data/dev/xray-16/Externals/ode/include/ode/odemath.h:52 in dDOT(float const*, float const*)
Shadow bytes around the buggy address:
0x7d2fcb258e80: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x7d2fcb258f00: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x7d2fcb258f80: fd fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa
0x7d2fcb259000: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
0x7d2fcb259080: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x7d2fcb259100: fd fd fd fd fd fd fd fd fd[fd]fd fd fd fd fd fd
0x7d2fcb259180: fd fd fd fa fa fa fa fa fa fa fa fa fa fa fa fa
0x7d2fcb259200: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x7d2fcb259280: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x7d2fcb259300: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x7d2fcb259380: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Happened while playing CS