CAVEPACKER: AddressSanitizer heap-buffer-overflow in BoardState #34

Closed
ghost opened this issue Sep 26, 2015 · 2 comments

ghost commented Sep 26, 2015

INFO: 2015/09/26-12:09:43 pushwindow => map
INFO: 2015/09/26-12:09:43 activewindow => map
INFO: 2015/09/26-12:09:43 mapload => tutorial0003
INFO: (LOG_CLIENT): load map tutorial0003
INFO: (LOG_CLIENT): client map reset
INFO: (LOG_SERVER): spawn client 1
ERROR: (LOG_MAP): no player found for the client id 1
INFO: (LOG_SERVER): init player 125
ERROR: (LOG_UI): could not get the node with the id seconds from window map
ERROR: (LOG_UI): could not get the node with the id seconds from window map
INFO: (LOG_CLIENT): init client map for player 125
INFO: (LOG_SERVER): spawned player 125
INFO: (LOG_UI): got best points from server: 0
INFO: (LOG_CAMPAIGN): campaign tutorial last map time: 0
WARN: (LOG_CLIENT): could not find entity with the id 125 in updateEntity
INFO: (LOG_CLIENT): client map start
INFO: (LOG_UI): Display text 'tutorial0003' for 3000 ms
1443262210979   addons.xpi  WARN    Attempting to activate an already active default theme
1443262210980   addons.xpi  WARN    Attempting to activate an already active default theme
INFO: (LOG_SERVER): move player 125 from 6:2 to 16:-2
=================================================================
==6172==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6070001d94ca at pc 0x5ed223 bp 0x7ffd6a76a970 sp 0x7ffd6a76a960
READ of size 1 at 0x6070001d94ca thread T0
    #0 0x5ed222 in cavepacker::BoardState::getColRowFromIndex(int, int&, int&) const /home/mgerhardy/dev/caveexpress/src/cavepacker/server/map/BoardState.h:109
    #1 0x5e0eff in cavepacker::Map::isAt(cavepacker::IEntity*, int) const /home/mgerhardy/dev/caveexpress/src/cavepacker/server/map/Map.cpp:245
    #2 0x618ee6 in cavepacker::Player::update(unsigned int) /home/mgerhardy/dev/caveexpress/src/cavepacker/server/entities/Player.cpp:26
    #3 0x5e7e47 in cavepacker::Map::visitEntity(cavepacker::IEntity*) /home/mgerhardy/dev/caveexpress/src/cavepacker/server/map/Map.cpp:874
    #4 0x5e9fdb in cavepacker::Map::visitEntities(cavepacker::IEntityVisitor*, EntityType const&) /home/mgerhardy/dev/caveexpress/src/cavepacker/server/map/Map.cpp:1023
    #5 0x5e8d5e in cavepacker::Map::update(unsigned int) /home/mgerhardy/dev/caveexpress/src/cavepacker/server/map/Map.cpp:936
    #6 0x5b81c7 in cavepacker::CavePacker::update(unsigned int) /home/mgerhardy/dev/caveexpress/src/cavepacker/main/CavePacker.cpp:119
    #7 0x64816f in SDLBackend::runFrame() /home/mgerhardy/dev/caveexpress/src/modules/server/SDLBackend.cpp:319
    #8 0x648cd9 in SDLBackend::mainLoop(int, char**) /home/mgerhardy/dev/caveexpress/src/modules/server/SDLBackend.cpp:362
    #9 0x5ddcf2 in main /home/mgerhardy/dev/caveexpress/src/Main.cpp:28
    #10 0x7f77c1321ec4 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)
    #11 0x5911e8 (/home/mgerhardy/dev/caveexpress/cavepacker+0x5911e8)

0x6070001d94ca is located 6 bytes to the left of 66-byte region [0x6070001d94d0,0x6070001d9512)
allocated by thread T0 here:
    #0 0x7f77c417413f in operator new(unsigned long) (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x5813f)
    #1 0x610d8e in __gnu_cxx::new_allocator<char>::allocate(unsigned long, void const*) /usr/include/c++/4.9/ext/new_allocator.h:104
    #2 0x610b43 in std::allocator_traits<std::allocator<char> >::allocate(std::allocator<char>&, unsigned long) /usr/include/c++/4.9/bits/alloc_traits.h:357
    #3 0x610201 in std::_Vector_base<char, std::allocator<char> >::_M_allocate(unsigned long) (/home/mgerhardy/dev/caveexpress/cavepacker+0x610201)
    #4 0x60fb37 in std::_Vector_base<char, std::allocator<char> >::_M_create_storage(unsigned long) /usr/include/c++/4.9/bits/stl_vector.h:185
    #5 0x60f2c3 in std::_Vector_base<char, std::allocator<char> >::_Vector_base(unsigned long, std::allocator<char> const&) /usr/include/c++/4.9/bits/stl_vector.h:136
    #6 0x60fda2 in std::vector<char, std::allocator<char> >::vector(unsigned long, char const&, std::allocator<char> const&) /usr/include/c++/4.9/bits/stl_vector.h:291
    #7 0x60f3d8 in std::vector<char, std::allocator<char> >::_M_fill_assign(unsigned long, char const&) /usr/include/c++/4.9/bits/vector.tcc:230
    #8 0x60ef8c in std::vector<char, std::allocator<char> >::assign(unsigned long, char const&) (/home/mgerhardy/dev/caveexpress/cavepacker+0x60ef8c)
    #9 0x60d7a0 in cavepacker::BoardState::setSize(int, int) /home/mgerhardy/dev/caveexpress/src/cavepacker/server/map/BoardState.cpp:29
    #10 0x5e3f8a in cavepacker::Map::load(std::string const&) /home/mgerhardy/dev/caveexpress/src/cavepacker/server/map/Map.cpp:536
    #11 0x5b8e00 in cavepacker::CavePacker::mapLoad(std::string const&) /home/mgerhardy/dev/caveexpress/src/cavepacker/main/CavePacker.cpp:198
    #12 0x64ac37 in SDLBackend::loadMap(std::string const&) /home/mgerhardy/dev/caveexpress/src/modules/server/SDLBackend.cpp:540
    #13 0x660d41 in CommandFunctor<SDLBackend>::run(std::vector<String, std::allocator<String> > const&) /home/mgerhardy/dev/caveexpress/src/modules/common/ICommand.h:126
    #14 0x7f8710 in CommandSystem::executeCommand(std::string const&, std::vector<String, std::allocator<String> >) const /home/mgerhardy/dev/caveexpress/src/modules/common/CommandSystem.cpp:92
    #15 0x7f835d in CommandSystem::executeCommandLine(std::string const&) const /home/mgerhardy/dev/caveexpress/src/modules/common/CommandSystem.cpp:77
    #16 0x7aa119 in CampaignManager::startMap(std::string const&) /home/mgerhardy/dev/caveexpress/src/modules/campaign/CampaignManager.cpp:412
    #17 0x7a9f98 in CampaignManager::continuePlay() /home/mgerhardy/dev/caveexpress/src/modules/campaign/CampaignManager.cpp:394
    #18 0x7144ff in ContinuePlayNodeListener::onClick() /home/mgerhardy/dev/caveexpress/src/modules/ui/windows/main/ContinuePlayNodeListener.h:34
    #19 0x6e6229 in UINode::execute() /home/mgerhardy/dev/caveexpress/src/modules/ui/nodes/UINode.cpp:918
    #20 0x6e5df7 in UINode::onMouseLeftRelease(int, int) /home/mgerhardy/dev/caveexpress/src/modules/ui/nodes/UINode.cpp:899
    #21 0x6e49f8 in UINode::onMouseButtonRelease(int, int, unsigned char) /home/mgerhardy/dev/caveexpress/src/modules/ui/nodes/UINode.cpp:806
    #22 0x6e483f in UINode::onMouseButtonRelease(int, int, unsigned char) /home/mgerhardy/dev/caveexpress/src/modules/ui/nodes/UINode.cpp:798
    #23 0x6e483f in UINode::onMouseButtonRelease(int, int, unsigned char) /home/mgerhardy/dev/caveexpress/src/modules/ui/nodes/UINode.cpp:798
    #24 0x71f1e9 in UIWindow::onMouseButtonRelease(int, int, unsigned char) /home/mgerhardy/dev/caveexpress/src/modules/ui/windows/UIWindow.cpp:150
    #25 0x6bdc8b in UI::onMouseButtonRelease(int, int, unsigned char) /home/mgerhardy/dev/caveexpress/src/modules/ui/UI.cpp:476
    #26 0x7d3ed7 in EventHandler::mouseButtonRelease(int, int, unsigned char) /home/mgerhardy/dev/caveexpress/src/modules/common/EventHandler.cpp:303
    #27 0x7d0854 in EventHandler::handleEvent(SDL_Event&) /home/mgerhardy/dev/caveexpress/src/modules/common/EventHandler.cpp:74
    #28 0x6454ec in SDLBackend::handleEvent(SDL_Event&) /home/mgerhardy/dev/caveexpress/src/modules/server/SDLBackend.cpp:108
    #29 0x647b3a in SDLBackend::runFrame() /home/mgerhardy/dev/caveexpress/src/modules/server/SDLBackend.cpp:301

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/mgerhardy/dev/caveexpress/src/cavepacker/server/map/BoardState.h:109 cavepacker::BoardState::getColRowFromIndex(int, int&, int&) const
==6172==ABORTING
ghost commented Sep 26, 2015

see e4753fc - I found no way to reproduce this.

mgerhardy (Owner) commented

Got this in the tutorial 1 map of cavepacker while undoing without ever doing a step to undo.

INFO: (LOG_UI): Display text 'tutorial0001' for 3000 ms
INFO: (LOG_SERVER): move player 28 from 1:1 to 10:-2
=================================================================
==7129== ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6006002af968 at pc 0x5cd1a0 bp 0x7fffc9715af0 sp 0x7fffc9715ae8
READ of size 1 at 0x6006002af968 thread T0
0x6006002af968 is located 8 bytes to the left of 27-byte region [0x6006002af970,0x6006002af98b)
allocated by thread T0 here:
==7129== ABORTING
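
Both reports above say the same thing: a read a few bytes to the left of the board's heap buffer right after a move to a negative row (16:-2 in the first, 10:-2 in the second). As an added example (not cavepacker's own code), this models a BoardState with an assumed row-major char buffer where index = col + row * width, beside the bounds checks that turn an off-board coordinate into a failed lookup instead of an out-of-bounds read. The board sizes 11x6 (66 bytes) and 9x3 (27 bytes) are constructed so the arithmetic reproduces the reported offsets of -6 and -8; the real map dimensions are not on the page.

```cpp
#include <cstdio>
#include <vector>

// Constructed example, not code from the cavepacker repository. It models the
// names in the ASan report (BoardState::setSize, getColRowFromIndex, Map::isAt)
// with an assumed row-major std::vector<char> board where index = col + row * width.
class BoardState {
public:
    void setSize(int width, int height) {
        _width = width;
        _height = height;
        _state.assign(static_cast<size_t>(width * height), ' '); // one byte per field
    }
    // Unchecked arithmetic: a negative row yields a negative index, and _state[index]
    // would read left of the allocation (what ASan flagged). Inspect only, never index.
    int rawIndex(int col, int row) const { return col + row * _width; }
    // Hardened path: reject any coordinate outside the board before indexing.
    bool isValid(int col, int row) const {
        return col >= 0 && col < _width && row >= 0 && row < _height;
    }
    // Returns false for an off-board position instead of reading out of bounds.
    bool fieldAt(int col, int row, char& out) const {
        if (!isValid(col, row))
            return false;
        out = _state[static_cast<size_t>(rawIndex(col, row))];
        return true;
    }
    // Hardened index -> (col,row) conversion: only an index inside the buffer is accepted.
    bool colRowFromIndex(int index, int& col, int& row) const {
        if (_width <= 0 || index < 0 || index >= static_cast<int>(_state.size()))
            return false;
        col = index % _width;
        row = index / _width;
        return true;
    }
private:
    int _width = 0, _height = 0;
    std::vector<char> _state;
};

int main() {
    // Sizes constructed (11x6 = 66 bytes, 9x3 = 27 bytes) so the arithmetic
    // reproduces the reported offsets: 16:-2 -> -6 and 10:-2 -> -8.
    BoardState b1, b2;
    b1.setSize(11, 6);
    b2.setSize(9, 3);
    std::printf("raw offsets: %d %d\n", b1.rawIndex(16, -2), b2.rawIndex(10, -2));
    return 0;
}
```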

mgerhardy changed the title from "AddressSanitizer error" to "CAVEPACKER: AddressSanitizer heap-buffer-overflow in BoardState" on Sep 29, 2015
@mgerhardy mgerhardy added the bug label Sep 29, 2015
@mgerhardy mgerhardy self-assigned this Sep 29, 2015