AddressSanitizer: heap-buffer-overflow #73

Open
ArthurSonzogni opened this issue Jan 29, 2023 · 2 comments

Comments

@ArthurSonzogni
Contributor

I updated libnyquist.

On 59e4be4, I got this error with ASAN:

```
==166518==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62c000007836 at pc 0x55dc58b8b808 bp 0x7fff7ece96c0 sp 0x7fff7ece96b0
READ of size 2 at 0x62c000007836 thread T0
    #0 0x55dc58b8b807 in nqr::ScanForChunk(std::vector<unsigned char, std::allocator<unsigned char> > const&, unsigned int) /home/arthursonzogni/programmation/real/termRider/build/_deps/libnyquist-src/include/libnyquist/Common.h:587
    #1 0x55dc58b8a652 in nqr::WavDecoder::LoadFromBuffer(nqr::AudioData*, std::vector<unsigned char, std::allocator<unsigned char> > const&) /home/arthursonzogni/programmation/real/termRider/build/_deps/libnyquist-src/src/WavDecoder.cpp:269
    #2 0x55dc58b896d5 in nqr::WavDecoder::LoadFromPath(nqr::AudioData*, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /home/arthursonzogni/programmation/real/termRider/build/_deps/libnyquist-src/src/WavDecoder.cpp:143
    #3 0x55dc588c8ed0 in nqr::NyquistIO::Load(nqr::AudioData*, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /home/arthursonzogni/programmation/real/termRider/build/_deps/libnyquist-src/src/Common.cpp:47
    #4 0x55dc58647fe4 in smk::SoundBuffer::SoundBuffer(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /home/arthursonzogni/programmation/real/termRider/build/_deps/smk-src/src/smk/SoundBuffer.cpp:35
    #5 0x55dc58439e5e in term_breaker::LoadResources() /home/arthursonzogni/programmation/real/termRider/src/resources.cpp:83
    #6 0x55dc583dd2da in term_breaker::StartGame() /home/arthursonzogni/programmation/real/termRider/src/game.cpp:142
    #7 0x55dc583d85d5 in main /home/arthursonzogni/programmation/real/termRider/src/main.cpp:5
    #8 0x7fe06482350f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    #9 0x7fe0648235c8 in __libc_start_main_impl ../csu/libc-start.c:381
    #10 0x55dc583d8504 in _start (/home/arthursonzogni/programmation/real/termRider/build/termBreaker+0x276504)

0x62c000007836 is located 0 bytes to the right of 30262-byte region [0x62c000000200,0x62c000007836)
allocated by thread T0 here:
    #0 0x7fe065ac0488 in operator new(unsigned long) ../../../../src/libsanitizer/asan/asan_new_delete.cpp:95
    #1 0x55dc588ded09 in std::__new_allocator<unsigned char>::allocate(unsigned long, void const*) /usr/include/c++/12/bits/new_allocator.h:137
    #2 0x55dc588dd3ff in std::allocator_traits<std::allocator<unsigned char> >::allocate(std::allocator<unsigned char>&, unsigned long) /usr/include/c++/12/bits/alloc_traits.h:464
    #3 0x55dc588daf7b in std::_Vector_base<unsigned char, std::allocator<unsigned char> >::_M_allocate(unsigned long) /usr/include/c++/12/bits/stl_vector.h:378
    #4 0x55dc588d7d2e in std::_Vector_base<unsigned char, std::allocator<unsigned char> >::_M_create_storage(unsigned long) /usr/include/c++/12/bits/stl_vector.h:395
    #5 0x55dc588d431e in std::_Vector_base<unsigned char, std::allocator<unsigned char> >::_Vector_base(unsigned long, std::allocator<unsigned char> const&) /usr/include/c++/12/bits/stl_vector.h:332
    #6 0x55dc588d13c0 in std::vector<unsigned char, std::allocator<unsigned char> >::vector(unsigned long, std::allocator<unsigned char> const&) (/home/arthursonzogni/programmation/real/termRider/build/termBreaker+0x76f3c0)
    #7 0x55dc588cb2aa in nqr::ReadFile(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /home/arthursonzogni/programmation/real/termRider/build/_deps/libnyquist-src/src/Common.cpp:210
    #8 0x55dc58b896b8 in nqr::WavDecoder::LoadFromPath(nqr::AudioData*, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /home/arthursonzogni/programmation/real/termRider/build/_deps/libnyquist-src/src/WavDecoder.cpp:142
    #9 0x55dc588c8ed0 in nqr::NyquistIO::Load(nqr::AudioData*, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /home/arthursonzogni/programmation/real/termRider/build/_deps/libnyquist-src/src/Common.cpp:47
    #10 0x55dc58647fe4 in smk::SoundBuffer::SoundBuffer(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /home/arthursonzogni/programmation/real/termRider/build/_deps/smk-src/src/smk/SoundBuffer.cpp:35
    #11 0x55dc58439e5e in term_breaker::LoadResources() /home/arthursonzogni/programmation/real/termRider/src/resources.cpp:83
    #12 0x55dc583dd2da in term_breaker::StartGame() /home/arthursonzogni/programmation/real/termRider/src/game.cpp:142
    #13 0x55dc583d85d5 in main /home/arthursonzogni/programmation/real/termRider/src/main.cpp:5
    #14 0x7fe06482350f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
```
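The report above is a 2-byte read landing exactly at the end of the 30262-byte file buffer while `ScanForChunk` walks the WAV chunk list. The following is an added illustration, not libnyquist's `ScanForChunk` (its code is not shown in this issue): a RIFF chunk scan that checks the remaining byte count before every header read, so a truncated file or a chunk whose declared size exceeds the buffer ends the scan instead of reading past the allocation. `FindChunk`, `MakeSampleWav` and the sample bytes are constructed for this example.

```cpp
#include <algorithm>
#include <cstdint>
#include <cstring>
#include <optional>
#include <vector>

// Returns the offset of the chunk header whose FourCC matches, or nullopt if the
// buffer is truncated, a chunk claims more bytes than the buffer holds, or the
// chunk is absent. Every read is checked against buf.size() before it happens.
std::optional<size_t> FindChunk(const std::vector<uint8_t>& buf, const char* fourcc) {
    // 12-byte outer header: "RIFF", little-endian size, "WAVE".
    if (buf.size() < 12 || std::memcmp(buf.data(), "RIFF", 4) != 0 ||
        std::memcmp(buf.data() + 8, "WAVE", 4) != 0) return std::nullopt;
    size_t off = 12;
    while (buf.size() - off >= 8) {   // a full 8-byte header (FourCC + size) remains
        if (std::memcmp(buf.data() + off, fourcc, 4) == 0) return off;
        uint32_t size = 0;            // little-endian payload size, widened before shifting
        for (int i = 0; i < 4; ++i) size |= uint32_t(buf[off + 4 + i]) << (8 * i);
        // Payloads are word-aligned (odd size => one pad byte); 64-bit arithmetic
        // keeps a hostile size from wrapping the offset back inside the buffer.
        uint64_t next = uint64_t(off) + 8 + size + (size & 1);
        if (next > buf.size()) return std::nullopt;   // declared chunk overruns the buffer
        off = size_t(next);
    }
    return std::nullopt;   // fewer than 8 bytes left: no complete header to read
}

// Constructed sample, not a real file: RIFF header, 16-byte "fmt " chunk, 4-byte "data" chunk.
std::vector<uint8_t> MakeSampleWav() {
    std::vector<uint8_t> v;
    auto tag = [&](const char* s) { v.insert(v.end(), s, s + 4); };
    auto u32 = [&](uint32_t x) { for (int i = 0; i < 4; ++i) v.push_back(uint8_t(x >> (8 * i))); };
    tag("RIFF"); u32(40); tag("WAVE");
    tag("fmt "); u32(16); v.resize(v.size() + 16);
    tag("data"); u32(4);  v.resize(v.size() + 4);   // 48 bytes in total
    return v;
}

size_t DataChunkOffset() { return FindChunk(MakeSampleWav(), "data").value(); }   // 36
// File cut two bytes into the "data" size field: the scan stops instead of reading on.
bool TruncatedFileRejected() {
    auto v = MakeSampleWav(); v.resize(42); return !FindChunk(v, "data").has_value();
}

// "fmt " size field patched to 0xFFFFFFFF: the declared chunk overruns the buffer.
bool OversizedChunkRejected() {
    auto v = MakeSampleWav(); std::fill(v.begin() + 16, v.begin() + 20, 0xFF);
    return !FindChunk(v, "data").has_value();
}
```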
@ArthurSonzogni
Contributor Author

Some undefined behavior:

```
/home/arthursonzogni/programmation/real/smk/build/_deps/libnyquist-src/third_party/libogg/src/framing.c:678:31: runtime error: applying zero offset to null pointer
/home/arthursonzogni/programmation/real/smk/build/_deps/libnyquist-src/third_party/libogg/src/bitwise.c:397:23: runtime error: left shift of 255 by 24 places cannot be represented in type 'int'
/home/arthursonzogni/programmation/real/smk/build/_deps/libnyquist-src/third_party/libogg/src/bitwise.c:399:25: runtime error: left shift of 14 by 28 places cannot be represented in type 'int'
/home/arthursonzogni/programmation/real/smk/build/_deps/libnyquist-src/third_party/libogg/src/sharedbook.c:410:30: runtime error: left shift of 16 by 27 places cannot be represented in type 'int'
```
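The three shift reports above share one shape: a byte is promoted to `int` and then shifted left by 24 or more, which overflows a signed 32-bit value. The block below is an added example, not libogg's bit reader: an LSB-first reader in the Ogg bit order that widens each byte to an unsigned 64-bit value before shifting and refuses reads that would run past the buffer. `ReadBits`, `kSample` and the helper functions are constructed for this illustration.

```cpp
#include <cstdint>
#include <optional>
#include <vector>

// The pattern the UBSan lines describe: the byte is an unsigned char, promoted to
// int before the shift, so a byte of 255 shifted left by 24 overflows int:
//     ret |= ptr[3] << 24;                  // undefined behaviour
// Widening first moves the shift onto an unsigned 64-bit value instead:
//     acc |= uint64_t(buf[byte]) << have;   // defined for every byte value

// LSB-first bit reader (the bit order Ogg uses). Reads `bits` (1..32) bits
// starting at bit offset `pos`; returns nullopt rather than reading past the end.
std::optional<uint32_t> ReadBits(const std::vector<uint8_t>& buf, size_t pos, unsigned bits) {
    if (bits == 0 || bits > 32) return std::nullopt;
    uint64_t end = uint64_t(pos) + bits;                 // 64-bit: no wrap on a hostile pos
    if (end > uint64_t(buf.size()) * 8) return std::nullopt;
    size_t byte = pos / 8;
    unsigned skip = pos % 8;                             // bits to drop from the first byte
    unsigned have = 0;                                   // bits gathered so far
    uint64_t acc = 0;
    while (have < skip + bits) {                         // at most 5 bytes (39 bits) needed
        acc |= uint64_t(buf[byte++]) << have;            // widened before shifting
        have += 8;
    }
    acc >>= skip;
    uint64_t mask = (uint64_t(1) << bits) - 1;           // bits <= 32, so the shift is defined
    return uint32_t(acc & mask);
}

// Constructed sample stream (not from bounce.zip): its fourth byte is 0xFF, the
// value that overflows int when shifted by 24 in the naive reader.
const std::vector<uint8_t> kSample = {0x78, 0x56, 0x34, 0xFF, 0xB4, 0x01};

uint32_t FirstWord()   { return ReadBits(kSample, 0, 32).value(); }        // 0xFF345678
uint32_t Unaligned7()  { return ReadBits(kSample, 34, 7).value(); }        // 7 bits at bit 34: 0x6D
bool PastEndRejected() { return !ReadBits(kSample, 17, 32).has_value(); }  // 49 bits > 48 available
```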

@ArthurSonzogni
Contributor Author

I got more info. This happens when opening this file:
bounce.zip

ArthurSonzogni added a commit to ArthurSonzogni/smk that referenced this issue Jan 29, 2023
We have the chain of dependencies:
Termbreaker > smk > libnyquist

One of the sounds of TermBreaker fails to load with a recent version of
libnyquist.

There is still a heap buffer overflow, but it doesn't break the same
way.

See: ddiakopoulos/libnyquist#73