FreedroidClassic
editor: crash when reducing map level size drastically
When I try to reduce a level size to 0, the game shuts down with:
Game starts using theme: lanzz
Found highscore file '/home/matthias/.freedroidClassic/highscores'
==6816==AddressSanitizer: WARNING: unexpected format specifier in printf interceptor: %z (reported once per process)
Failed to re-allocate to % bytes in map row 0
----------------------------------------------------------------------
Termination of Freedroid initiated...Thank you for playing Freedroid.
When I reduce the map to just a few tiles and exit the editor, I get a crash like:
AddressSanitizer:DEADLYSIGNAL
=================================================================
==7110==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000014 (pc 0x0000003912d6 bp 0x7ffead31aaf0 sp 0x7ffead31aaa0 T0)
==7110==The signal is caused by a WRITE memory access.
==7110==Hint: address points to the zero page.
#0 0x3912d5 in AnimateRefresh /tmp/FreedroidClassic/src/map.c
#1 0x38ec80 in main /tmp/FreedroidClassic/src/main.c:132:4
#2 0x7f6fbb9b4222 in __libc_start_main (/usr/lib/libc.so.6+0x24222)
#3 0x27002d in _start (/tmp/FreedroidClassic/src/freedroid+0x27002d)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /tmp/FreedroidClassic/src/map.c in AnimateRefresh
or
Found highscore file '/home/matthias/.freedroidClassic/highscores'
=================================================================
==6995==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x603000034764 at pc 0x000000391346 bp 0x7ffeeec92c50 sp 0x7ffeeec92c48
WRITE of size 1 at 0x603000034764 thread T0
#0 0x391345 in AnimateRefresh /tmp/FreedroidClassic/src/map.c:218:27
#1 0x38ec80 in main /tmp/FreedroidClassic/src/main.c:132:4
#2 0x7fb931735222 in __libc_start_main (/usr/lib/libc.so.6+0x24222)
#3 0x27002d in _start (/tmp/FreedroidClassic/src/freedroid+0x27002d)
0x603000034764 is located 3 bytes to the right of 17-byte region [0x603000034750,0x603000034761)
allocated by thread T0 here:
#0 0x313482 in __interceptor_realloc /home/matthias/LLVM/LLVM6/stage_2/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:107:3
#1 0x39e7cf in handle_LE_SizeX /tmp/FreedroidClassic/src/menu.c:525:28
#2 0x3a3191 in ShowMenu /tmp/FreedroidClassic/src/menu.c:917:13
#3 0x3a3457 in showLevelEditorMenu /tmp/FreedroidClassic/src/menu.c:703:3
#4 0x3884eb in LevelEditor /tmp/FreedroidClassic/src/level_editor.c:232:2
#5 0x3a0252 in handle_OpenLevelEditor /tmp/FreedroidClassic/src/menu.c:465:5
#6 0x3a31f5 in ShowMenu /tmp/FreedroidClassic/src/menu.c:901:13
#7 0x3a278d in showMainMenu /tmp/FreedroidClassic/src/menu.c:695:3
#8 0x37eac9 in ReactToSpecialKeys /tmp/FreedroidClassic/src/input.c:370:5
#9 0x38ec47 in main /tmp/FreedroidClassic/src/main.c:125:4
#10 0x7fb931735222 in __libc_start_main (/usr/lib/libc.so.6+0x24222)
SUMMARY: AddressSanitizer: heap-buffer-overflow /tmp/FreedroidClassic/src/map.c:218:27 in AnimateRefresh
We had similar problems in FreedroidRPG as well where blindly reducing map size (while there was stuff on it) would result in segfaults or buffer problems etc.
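Added example, not FreedroidClassic's or FreedroidRPG's code: the Level type, level_set_xlen and level_refresh are constructed stand-ins for the map rows, handle_LE_SizeX and AnimateRefresh from the traces above. It shows a width resize that rejects 0, survives a failed realloc without ever leaving xlen larger than a row's allocation, and a refresh pass that reads the current width, which is the invariant the heap-buffer-overflow report violates; the %z warning in the first log also suggests the error message's format string needs %zu for a size_t.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of a level (ylen rows of xlen tiles); not the game's own type. */
typedef struct { int xlen, ylen; unsigned char **rows; } Level;

void level_free(Level *lv) {
    if (!lv) return;
    for (int y = 0; y < lv->ylen; y++) free(lv->rows[y]);
    free(lv->rows); free(lv);
}

Level *level_new(int xlen, int ylen) {
    Level *lv = (xlen < 1 || ylen < 1) ? NULL : calloc(1, sizeof(Level));
    if (!lv || !(lv->rows = calloc((size_t)ylen, sizeof *lv->rows))) { free(lv); return NULL; }
    lv->xlen = xlen;
    for (lv->ylen = 0; lv->ylen < ylen; lv->ylen++)   /* ylen counts rows actually allocated */
        if (!(lv->rows[lv->ylen] = calloc((size_t)xlen, 1))) { level_free(lv); return NULL; }
    return lv;
}

/* Editor resize of the row width. Refuses widths below 1 (realloc(p, 0) may free p
   and return NULL), keeps a row that could not be resized, and on failure leaves
   xlen no larger than the smallest row, so a later refresh cannot run off a row. */
int level_set_xlen(Level *lv, int new_xlen) {
    if (!lv || new_xlen < 1) return -1;
    int old = lv->xlen;
    for (int y = 0; y < lv->ylen; y++) {
        unsigned char *p = realloc(lv->rows[y], (size_t)new_xlen);
        if (!p) {
            /* %zu (not a bare %z) is the conversion for a size_t */
            fprintf(stderr, "Failed to re-allocate to %zu bytes in map row %d\n", (size_t)new_xlen, y);
            lv->xlen = new_xlen < old ? new_xlen : old;  /* rows before y are new, rest old */
            return -1;
        }
        if (new_xlen > old) memset(p + old, 0, (size_t)(new_xlen - old));  /* zero new tiles */
        lv->rows[y] = p;
    }
    lv->xlen = new_xlen;
    return 0;
}

/* Per-frame pass over every tile, reading the current width each call rather than
   a width cached before the editor shrank the rows. Returns the tiles touched. */
long level_refresh(Level *lv) {
    long n = 0;
    for (int y = 0; y < lv->ylen; y++)
        for (int x = 0; x < lv->xlen; x++) { lv->rows[y][x] ^= 0x80; n++; }
    return n;
}
```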