This repository has been archived by the owner on May 13, 2024. It is now read-only.

Pixelflood 3 – Server-Sent Client-Side Mayhem: Sending overalloc.bmp from server segfaults client upon connection #68

Closed
erlehmann opened this issue Sep 14, 2021 · 0 comments · Fixed by #72

Comments

@erlehmann

Minetest version

Minetest commit 719a12e with irrlichtmt commit 594de99

OS / Hardware

Operating system: GNU/Linux
CPU: 64-bit intel

Summary

I stole a 165-byte BMP image of size 1111498827×1083981 from here: image-rs/image#622

lib/irrlichtmt/source/Irrlicht/CColorConverter.cpp:22:16: runtime error: signed integer overflow: 1111498827 * 1083981 cannot be represented in type 'int'
    #0 0x1fa7286 in irr::video::CColorConverter::convert1BitTo16Bit(unsigned char const*, short*, int, int, int, bool) (bin/minetest+0x1fa7286)
    #1 0x1fd1212 in irr::video::CImageLoaderBMP::loadImage(irr::io::IReadFile*) const (bin/minetest+0x1fd1212)
    #2 0x1ec1f1e in irr::video::CNullDriver::createImagesFromFile(irr::io::IReadFile*, irr::video::E_TEXTURE_TYPE*) (bin/minetest+0x1ec1f1e)
    #3 0xba5954 in irr::video::IVideoDriver::createImageFromFile(irr::io::IReadFile*) (bin/minetest+0xba5954)
    #4 0xb8b9ca in Client::loadMedia(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, bool) (bin/minetest+0xb8b9ca)
    #5 0xc91f29 in ClientMediaDownloader::loadMedia(Client*, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) (bin/minetest+0xc91f29)
    #6 0xc9934c in IClientMediaDownloader::checkAndLoad(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, bool, Client*) (bin/minetest+0xc9934c)
    #7 0xc9af55 in ClientMediaDownloader::conventionalTransferDone(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, Client*) (bin/minetest+0xc9af55)
    #8 0x142e519 in Client::handleCommand_Media(NetworkPacket*) (bin/minetest+0x142e519)
    #9 0xba6ea0 in Client::handleCommand(NetworkPacket*) (bin/minetest+0xba6ea0)
    #10 0xb8e3f8 in Client::ProcessData(NetworkPacket*) (bin/minetest+0xb8e3f8)
    #11 0xb88968 in Client::ReceiveAll() (bin/minetest+0xb88968)
    #12 0xb84457 in Client::step(float) (bin/minetest+0xb84457)
    #13 0xd70c90 in Game::getServerContent(bool*) (bin/minetest+0xd70c90)
    #14 0xd56ce4 in Game::createClient(GameStartData const&) (bin/minetest+0xd56ce4)
    #15 0xd56559 in Game::startup(bool*, InputHandler*, RenderingEngine*, GameStartData const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >&, bool*, ChatBackend*) (bin/minetest+0xd56559)
    #16 0xd9a1b1 in the_game(bool*, InputHandler*, RenderingEngine*, GameStartData const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >&, ChatBackend&, bool*) (bin/minetest+0xd9a1b1)
    #17 0xc2e1cf in ClientLauncher::run(GameStartData&, Settings const&) (bin/minetest+0xc2e1cf)
    #18 0x1a4d78b in main (bin/minetest+0x1a4d78b)
    #19 0x7f512455409a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2409a)
    #20 0xb06d69 in _start (bin/minetest+0xb06d69)

UndefinedBehaviorSanitizer:DEADLYSIGNAL
==25512==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x7f4d9c6b9898 (pc 0x000001fa75da bp 0x7ffc178c0910 sp 0x7ffc178c0720 T25512)
==25512==The signal is caused by a WRITE memory access.
    #0 0x1fa75d9 in irr::video::CColorConverter::convert1BitTo16Bit(unsigned char const*, short*, int, int, int, bool) (bin/minetest+0x1fa75d9)
    #1 0x1fd1212 in irr::video::CImageLoaderBMP::loadImage(irr::io::IReadFile*) const (bin/minetest+0x1fd1212)
    #2 0x1ec1f1e in irr::video::CNullDriver::createImagesFromFile(irr::io::IReadFile*, irr::video::E_TEXTURE_TYPE*) (bin/minetest+0x1ec1f1e)
    #3 0xba5954 in irr::video::IVideoDriver::createImageFromFile(irr::io::IReadFile*) (bin/minetest+0xba5954)
    #4 0xb8b9ca in Client::loadMedia(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, bool) (bin/minetest+0xb8b9ca)
    #5 0xc91f29 in ClientMediaDownloader::loadMedia(Client*, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) (bin/minetest+0xc91f29)
    #6 0xc9934c in IClientMediaDownloader::checkAndLoad(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, bool, Client*) (bin/minetest+0xc9934c)
    #7 0xc9af55 in ClientMediaDownloader::conventionalTransferDone(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, Client*) (bin/minetest+0xc9af55)
    #8 0x142e519 in Client::handleCommand_Media(NetworkPacket*) (bin/minetest+0x142e519)
    #9 0xba6ea0 in Client::handleCommand(NetworkPacket*) (bin/minetest+0xba6ea0)
    #10 0xb8e3f8 in Client::ProcessData(NetworkPacket*) (bin/minetest+0xb8e3f8)
    #11 0xb88968 in Client::ReceiveAll() (bin/minetest+0xb88968)
    #12 0xb84457 in Client::step(float) (bin/minetest+0xb84457)
    #13 0xd70c90 in Game::getServerContent(bool*) (bin/minetest+0xd70c90)
    #14 0xd56ce4 in Game::createClient(GameStartData const&) (bin/minetest+0xd56ce4)
    #15 0xd56559 in Game::startup(bool*, InputHandler*, RenderingEngine*, GameStartData const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >&, bool*, ChatBackend*) (bin/minetest+0xd56559)
    #16 0xd9a1b1 in the_game(bool*, InputHandler*, RenderingEngine*, GameStartData const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >&, ChatBackend&, bool*) (bin/minetest+0xd9a1b1)
    #17 0xc2e1cf in ClientLauncher::run(GameStartData&, Settings const&) (bin/minetest+0xc2e1cf)
    #18 0x1a4d78b in main (bin/minetest+0x1a4d78b)
    #19 0x7f512455409a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2409a)
    #20 0xb06d69 in _start (bin/minetest+0xb06d69)

UndefinedBehaviorSanitizer can not provide additional info.
==25512==ABORTING
# exited 1

Steps to reproduce
  1. Install attached mod on server.
  2. Connect to server that runs it.
  3. Observe a client segfaulting.

pixelflood3.zip

@sfan5 sfan5 transferred this issue from minetest/minetest Sep 14, 2021
@sfan5 sfan5 closed this as completed in #72 Oct 5, 2021
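The crash in the report is the classic image-loader pattern: biWidth and biHeight are read from an untrusted file, multiplied in `int` to size a pixel buffer, the product wraps, and the converter then writes far past the allocation. A loader that validates the BITMAPINFOHEADER before doing any arithmetic in `int` rejects such a file without touching memory. The C program below is an added example written for this page; it is not irrlichtmt's BMP loader and not the fix in #72. The hostile header is constructed here from the dimensions in the report (1111498827×1083981, 1 bpp, 165 bytes on disk) and is not the attached pixelflood3.zip. The 16384×16384 pixel cap, the status codes and all function names are assumptions of this example.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum bmp_status {
    BMP_OK = 0,
    BMP_TRUNCATED,            /* shorter than the 14 + 40 byte headers */
    BMP_BAD_MAGIC,            /* no "BM" signature */
    BMP_BAD_DIMENSIONS,       /* width <= 0, or height 0 / INT32_MIN */
    BMP_BAD_BPP,              /* bits per pixel not in {1,4,8,16,24,32} */
    BMP_PIXEL_COUNT_OVERFLOW, /* width * |height| does not fit in int */
    BMP_TOO_LARGE,            /* fits in int but exceeds the allocation cap */
    BMP_DATA_TRUNCATED        /* file too short for the declared pixel rows */
};

#define BMP_MAX_PIXELS (UINT64_C(16384) * 16384) /* assumed cap for this example */

static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static uint64_t abs_height(int32_t h) { return h < 0 ? (uint64_t)(-(int64_t)h) : (uint64_t)h; }

/* width * |height| in 64 bits. Both factors are below 2^31, so the product
 * cannot wrap; the caller compares it with INT_MAX instead of trusting the
 * int multiplication that UBSan flagged in the report. */
uint64_t pixel_count(int32_t w, int32_t h) { return (uint64_t)w * abs_height(h); }

/* Validates the BMP headers before any allocation or pixel conversion. */
enum bmp_status bmp_validate(const uint8_t *buf, size_t len)
{
    if (len < 54) return BMP_TRUNCATED;
    if (buf[0] != 'B' || buf[1] != 'M') return BMP_BAD_MAGIC;
    uint32_t data_offset = rd32(buf + 10);
    int32_t  w   = (int32_t)rd32(buf + 18); /* biWidth/biHeight are signed 32-bit */
    int32_t  h   = (int32_t)rd32(buf + 22); /* (cast wraps on every mainstream compiler) */
    uint16_t bpp = rd16(buf + 28);

    if (w <= 0 || h == 0 || h == INT32_MIN) return BMP_BAD_DIMENSIONS;
    if (bpp != 1 && bpp != 4 && bpp != 8 && bpp != 16 && bpp != 24 && bpp != 32)
        return BMP_BAD_BPP;

    uint64_t pixels = pixel_count(w, h);
    if (pixels > (uint64_t)INT_MAX) return BMP_PIXEL_COUNT_OVERFLOW;
    if (pixels > BMP_MAX_PIXELS)    return BMP_TOO_LARGE;

    /* Rows are padded to 4 bytes; the file must really carry that many bytes. */
    uint64_t row_bytes  = (((uint64_t)w * bpp + 31) / 32) * 4;
    uint64_t data_bytes = row_bytes * abs_height(h);
    if (data_offset > len || data_bytes > len - data_offset) return BMP_DATA_TRUNCATED;
    return BMP_OK;
}

/* Writes a 14-byte file header plus a 40-byte BITMAPINFOHEADER (BI_RGB) into
 * buf (>= 54 bytes). A palette is declared for bpp <= 8 so bfOffBits matches
 * what a real encoder emits. */
void bmp_write_header(uint8_t *buf, uint32_t file_size, int32_t w, int32_t h, uint16_t bpp)
{
    uint32_t palette = bpp <= 8 ? (1u << bpp) * 4u : 0u;
    memset(buf, 0, 54);
    buf[0] = 'B'; buf[1] = 'M';
    wr32(buf + 2, file_size);
    wr32(buf + 10, 54 + palette); /* bfOffBits */
    wr32(buf + 14, 40);           /* biSize */
    wr32(buf + 18, (uint32_t)w);  /* biWidth */
    wr32(buf + 22, (uint32_t)h);  /* biHeight */
    wr16(buf + 26, 1);            /* biPlanes */
    wr16(buf + 28, bpp);          /* biBitCount */
}

/* Builds a constructed file of file_len bytes (header + zero fill) with the
 * given dimensions and validates it. This is how the report's dimensions are
 * exercised below; the buffer is not the attached pixelflood3.zip. */
enum bmp_status validate_constructed(int32_t w, int32_t h, uint16_t bpp, size_t file_len)
{
    uint8_t *buf = calloc(file_len < 54 ? 54 : file_len, 1);
    if (!buf) { perror("calloc"); exit(1); }
    bmp_write_header(buf, (uint32_t)file_len, w, h, bpp);
    enum bmp_status s = bmp_validate(buf, file_len);
    free(buf);
    return s;
}

int main(void)
{
    /* The report: 1111498827 x 1083981, 1 bpp, 165 bytes on disk. */
    printf("report dimensions: status %d, width*height = %llu, INT_MAX = %d\n",
           (int)validate_constructed(1111498827, 1083981, 1, 165),
           (unsigned long long)pixel_count(1111498827, 1083981), INT_MAX);
    /* A well-formed 2x2 24 bpp image: 54-byte header + two 8-byte rows. */
    printf("2x2 24bpp in 70 bytes: status %d\n", (int)validate_constructed(2, 2, 24, 70));
    return 0;
}
```

Two checks matter here and both come before any allocation: the pixel count is formed in 64 bits and compared against INT_MAX, so a header like the one in the report is rejected as BMP_PIXEL_COUNT_OVERFLOW instead of wrapping, and the declared rows are compared against the bytes actually present, so a 165-byte file cannot claim gigabytes of pixel data even if its dimensions were individually plausible. A negative height (top-down BMP) is legal and is handled by taking its magnitude, while INT32_MIN is rejected because its magnitude has no int32_t representation.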