bingehack4
bingehack4 copied to clipboard
Published
20 hours ago •
ComputerScienceHouse
ComputerScienceHouse
Writing Elbereth's name and walking around it segfaults the game
This is a bug that exists in both bingehack4 and our upstream nethack4. It appears to be due to a flaw in the pline/vpline code.
Bingehack4 commit: 85dbdba39459cb83fc0010010daed47a86718c2b
Nethack4 commit: cb7da80ab47cfe158b0a32b7e47f36b2ab6c529b
It can be reproduced with the following steps:
- Create a new (or load an existing game)
- Write Elbereth's name 50 times
50^e - Move to an adjacent space
- Write Elbereth's name 50 times
50^e - Move back and forth between the two spaces (I usually experience a segfault around the 7th move)
The stacktrace of the segfault itself isn't particularly interesting. It just occurs when histevents[0] is out of range. However the stacktrace of where histcount is changed to an unrealistic value is fairly interesting. Here's the stacktrace of that situation where histcount changed from 54 to 1164473445 (in the original game that I found this issue during).
#0 0x00007f414c171b3e in __strcpy_ssse3 () from /usr/lib/libc.so.6
#1 0x00007f414e5b83d2 in vpline (nonblocking=nonblocking@entry=0 '\000', norepeat=norepeat@entry=0 '\000',
line=0x562f4a103c90 "You read: \"Elbe? ??E||er? nF||cretnEl|? et?Llbcre?nE|b rethv|be?eth_lberethEl e?ct\\ElUerc+h|l erc?h|l|?reth4|berethL?? rcth?l|e?e??Elbere?h||bc?e?hElberTth[|ber?thElbereth l|e(e?nEl crcthE|b?rethFlb7r"..., line@entry=0x7f414e6b63bd "You %s: \"%s\".", the_args=the_args@entry=0x7ffea3a8e8e0) at /home/loothelion/repos/bingehack4/libnethack/src/pline.c:99
#2 0x00007f414e5b84d0 in pline (line=line@entry=0x7f414e6b63bd "You %s: \"%s\".") at /home/loothelion/repos/bingehack4/libnethack/src/pline.c:33
#3 0x00007f414e5ee15a in read_engr_at (x=37, y=13) at /home/loothelion/repos/bingehack4/libnethack/src/engrave.c:376
#4 0x00007f414e56bbb5 in look_here (obj_cnt=8, picked_some=<optimized out>, show_weight=show_weight@entry=0 '\000', feeling=0 '\000') at /home/loothelion/repos/bingehack4/libnethack/src/invent.c:2004
#5 0x00007f414e5a7396 in check_here (picked_some=<optimized out>) at /home/loothelion/repos/bingehack4/libnethack/src/pickup.c:71
#6 0x00007f414e5aa35d in pickup (what=what@entry=1, uim=<optimized out>) at /home/loothelion/repos/bingehack4/libnethack/src/pickup.c:292
#7 0x00007f414e578bbe in spoteffects (pick=<optimized out>, pick@entry=1 '\001') at /home/loothelion/repos/bingehack4/libnethack/src/hack.c:2349
#8 0x00007f414e57ce7f in domove (arg=<optimized out>, uim=<optimized out>, thismove=<optimized out>) at /home/loothelion/repos/bingehack4/libnethack/src/hack.c:2241
#9 0x00007f414e54c555 in do_command (command=<optimized out>, command@entry=79, arg=arg@entry=0x7ffea3a8ed18) at /home/loothelion/repos/bingehack4/libnethack/src/cmd.c:1663
#10 0x00007f414e5425bb in command_input (cmdidx=cmdidx@entry=79, arg=arg@entry=0x7ffea3a8ed18) at /home/loothelion/repos/bingehack4/libnethack/src/allmain.c:1402
#11 0x00007f414e546b46 in nh_play_game (fd=fd@entry=6, followmode=<optimized out>, followmode@entry=FM_PLAY) at /home/loothelion/repos/bingehack4/libnethack/src/allmain.c:660
#12 0x00007f414d31317d in nhnet_play_game (gid=6, followmode=FM_PLAY) at /home/loothelion/repos/bingehack4/libnethack_client/src/clientapi.c:158
#13 0x0000562f47ffc52c in playgame (fd_or_gameno=6, followmode=<optimized out>) at /home/loothelion/repos/bingehack4/nethack/src/rungame.c:758
#14 0x0000562f47ffcfb4 in loadgame () at /home/loothelion/repos/bingehack4/nethack/src/rungame.c:732
#15 0x0000562f47fec92a in mainmenu () at /home/loothelion/repos/bingehack4/nethack/src/main.c:303
#16 main (argc=<optimized out>, argv=<optimized out>) at /home/loothelion/repos/bingehack4/nethack/src/main.c:367
