android-basic-samples

GameServices::Builder::Create() does an invalid free() operation.

Open · stolk opened this issue 6 years ago · 1 comment

I am using the clang Address Sanitizer on my NDK-based Android app.

My Android app uses gpg-cpp-sdk_3.0.1.

The address sanitizer caught a bug in GameServices::Builder::Create() where it frees an address that was never malloc()-ed.

Please double-check the implementation of Create() for free() operations that are not correct.

It triggers in my app the very first time I call Create().

2019-09-17 11:27:45.076 10934-11006/com.steenriver.buggy V/GamesNativeSDK: Using classes from /data/user/0/com.steenriver.buggy/app_.gpg.classloader/f4e1c1b7d8b3c0b3cf00b4afea4884b6_games.jar.
2019-09-17 11:27:45.076 10934-11006/com.steenriver.buggy I/com.steenriver.buggy: =================================================================
2019-09-17 11:27:45.076 10934-11006/com.steenriver.buggy I/com.steenriver.buggy: ==10934==ERROR: AddressSanitizer: attempting free on address which was not malloc()-ed: 0xe2f9af80 in thread T1
2019-09-17 11:27:45.089 10934-11006/com.steenriver.buggy I/com.steenriver.buggy:     #0 0xcce622c3  (/data/app/com.steenriver.buggy-PIwTBVM7jR0JKx-F78eRqg==/lib/x86/libclang_rt.asan-i686-android.so+0xd32c3)
2019-09-17 11:27:45.089 10934-11006/com.steenriver.buggy I/com.steenriver.buggy:     #1 0xcc4df277  (/data/app/com.steenriver.buggy-PIwTBVM7jR0JKx-F78eRqg==/lib/x86/libbuggy.so+0x252277)
2019-09-17 11:27:45.090 10934-11006/com.steenriver.buggy I/com.steenriver.buggy:     #2 0xcc48b1f0  (/data/app/com.steenriver.buggy-PIwTBVM7jR0JKx-F78eRqg==/lib/x86/libbuggy.so+0x1fe1f0)
2019-09-17 11:27:45.090 10934-11006/com.steenriver.buggy I/com.steenriver.buggy:     #3 0xcc48ba27  (/data/app/com.steenriver.buggy-PIwTBVM7jR0JKx-F78eRqg==/lib/x86/libbuggy.so+0x1fea27)
2019-09-17 11:27:45.090 10934-11006/com.steenriver.buggy I/com.steenriver.buggy:     #4 0xcc484b28  (/data/app/com.steenriver.buggy-PIwTBVM7jR0JKx-F78eRqg==/lib/x86/libbuggy.so+0x1f7b28)
2019-09-17 11:27:45.090 10934-11006/com.steenriver.buggy I/com.steenriver.buggy:     #5 0xcc4c5946  (/data/app/com.steenriver.buggy-PIwTBVM7jR0JKx-F78eRqg==/lib/x86/libbuggy.so+0x238946)
2019-09-17 11:27:45.090 10934-11006/com.steenriver.buggy I/com.steenriver.buggy:     #6 0xcc4222d5  (/data/app/com.steenriver.buggy-PIwTBVM7jR0JKx-F78eRqg==/lib/x86/libbuggy.so+0x1952d5)
2019-09-17 11:27:45.090 10934-11006/com.steenriver.buggy I/com.steenriver.buggy:     #7 0xcc417735  (/data/app/com.steenriver.buggy-PIwTBVM7jR0JKx-F78eRqg==/lib/x86/libbuggy.so+0x18a735)
2019-09-17 11:27:45.090 10934-11006/com.steenriver.buggy I/com.steenriver.buggy:     #8 0xcc5ca4f5  (/data/app/com.steenriver.buggy-PIwTBVM7jR0JKx-F78eRqg==/lib/x86/libbuggy.so+0x33d4f5)
2019-09-17 11:27:45.090 10934-11006/com.steenriver.buggy I/com.steenriver.buggy:     #9 0xcce6d7b2  (/data/app/com.steenriver.buggy-PIwTBVM7jR0JKx-F78eRqg==/lib/x86/libclang_rt.asan-i686-android.so+0xde7b2)
2019-09-17 11:27:45.090 10934-11006/com.steenriver.buggy I/com.steenriver.buggy:     #10 0xcce50be7  (/data/app/com.steenriver.buggy-PIwTBVM7jR0JKx-F78eRqg==/lib/x86/libclang_rt.asan-i686-android.so+0xc1be7)
2019-09-17 11:27:45.091 10934-11006/com.steenriver.buggy I/com.steenriver.buggy:     #11 0xe9690065  (/system/lib/libc.so+0x8f065)
2019-09-17 11:27:45.091 10934-11006/com.steenriver.buggy I/com.steenriver.buggy:     #12 0xe962585b  (/system/lib/libc.so+0x2485b)
2019-09-17 11:27:45.091 10934-11006/com.steenriver.buggy I/com.steenriver.buggy: Address 0xe2f9af80 is a wild pointer.
2019-09-17 11:27:45.091 10934-11006/com.steenriver.buggy I/com.steenriver.buggy: SUMMARY: AddressSanitizer: bad-free (/data/app/com.steenriver.buggy-PIwTBVM7jR0JKx-F78eRqg==/lib/x86/libclang_rt.asan-i686-android.so+0xd32c3) 
2019-09-17 11:27:45.091 10934-11006/com.steenriver.buggy I/com.steenriver.buggy: Thread T1 created by T0 here:
2019-09-17 11:27:45.091 10934-11006/com.steenriver.buggy I/com.steenriver.buggy:     #0 0xcce50a89  (/data/app/com.steenriver.buggy-PIwTBVM7jR0JKx-F78eRqg==/lib/x86/libclang_rt.asan-i686-android.so+0xc1a89)
2019-09-17 11:27:45.091 10934-11006/com.steenriver.buggy I/com.steenriver.buggy:     #1 0xcc5c9d55  (/data/app/com.steenriver.buggy-PIwTBVM7jR0JKx-F78eRqg==/lib/x86/libbuggy.so+0x33cd55)
2019-09-17 11:27:45.091 10934-11006/com.steenriver.buggy I/com.steenriver.buggy:     #2 0xcc5c937d  (/data/app/com.steenriver.buggy-PIwTBVM7jR0JKx-F78eRqg==/lib/x86/libbuggy.so+0x33c37d)
2019-09-17 11:27:45.091 10934-11006/com.steenriver.buggy I/com.steenriver.buggy:     #3 0xe91756d2  (/system/lib/libandroid_runtime.so+0x826d2)
2019-09-17 11:27:45.092 10934-11006/com.steenriver.buggy I/com.steenriver.buggy:     #4 0x72b5794f  (/system/framework/x86/boot-framework.oat+0x3e794f)
2019-09-17 11:27:45.099 10934-11006/com.steenriver.buggy I/com.steenriver.buggy:     #5 0x711d19c7  (/data/dalvik-cache/x86/system@[email protected]+0x70c9c7)
2019-09-17 11:27:45.100 10934-11006/com.steenriver.buggy I/com.steenriver.buggy: ==10934==ABORTING

My app's code:

	// Players().FetchSelf() response
	auto pcallback = [&]( gpg::PlayerManager::FetchSelfResponse const& response )
	{
		if ( gpg::IsSuccess( response.status ) )
		{
			self_id_ = response.data.Id();
			const std::string& url = response.data.AvatarUrl( gpg::ImageResolution::ICON );
			LOGI( "Our self id = %s", self_id_.c_str() );
			LOGI( "Our url = %s", url.c_str() );
			DownloadAvatar( url, 4 );
		}
	};
	// AuthActionStarted callback
	auto scallback = [started_callback]( gpg::AuthOperation op )
	{
		is_auth_in_progress_ = true;
		if ( started_callback != nullptr ) started_callback( op );
	};
	// AuthActionFinished callback
	auto fcallback = [finished_callback, pcallback]( gpg::AuthOperation op, gpg::AuthStatus status )
	{
		LOGI("Sign in finished with a result %s", gpg::DebugString( status ).c_str() );
		is_auth_in_progress_ = false;
		if ( finished_callback != nullptr ) finished_callback( op, status );
		if ( status == gpg::AuthStatus::VALID )
		{
			ASSERT( game_services_ );
			game_services_->Players().FetchSelf( pcallback );	// find out what our own Id is.
			FetchAchievements();
			FetchLeaderboards();
		}
	};

	if (!game_services_)
	{
		LOGI("Uninitialized services, so creating");
		game_services_ = gpg::GameServices::Builder()
			.SetDefaultOnLog( gpg::LogLevel::VERBOSE )
			.SetOnAuthActionStarted( scallback )
			.SetOnAuthActionFinished( fcallback )
			.SetOnMultiplayerInvitationEvent( invitationcallback )
			.Create(pc);
		if ( !game_services_ )
		{
			LOGE( "gpg::GameServices::Builder() returned nil." );
		}
	}

stolk, Sep 17 '19 18:09
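The frames in the report above are printed as module+offset only, so the crash has to be symbolized against the app's unstripped libraries before anyone can tell which path inside Create() frees the wild pointer. The script below, added here as an example and not code from the issue or the SDK, parses the ASan block out of logcat and builds the addr2line invocations; the symbol directory obj/local/x86 and the shortened APK path in the sample are assumptions.

```python
"""Extract unsymbolized frames from an ASan report captured via logcat (added example,
not code from the issue); SAMPLE is a constructed, shortened copy of the report above."""
import re
from collections import namedtuple

SAMPLE = """\
I/buggy: ==10934==ERROR: AddressSanitizer: attempting free on address which was not malloc()-ed: 0xe2f9af80 in thread T1
I/buggy:     #0 0xcce622c3  (/data/app/com.steenriver.buggy-XX==/lib/x86/libclang_rt.asan-i686-android.so+0xd32c3)
I/buggy:     #1 0xcc4df277  (/data/app/com.steenriver.buggy-XX==/lib/x86/libbuggy.so+0x252277)
I/buggy:     #2 0xcc48b1f0  (/data/app/com.steenriver.buggy-XX==/lib/x86/libbuggy.so+0x1fe1f0)
I/buggy:     #11 0xe9690065  (/system/lib/libc.so+0x8f065)
I/buggy: SUMMARY: AddressSanitizer: bad-free (/data/app/com.steenriver.buggy-XX==/lib/x86/libclang_rt.asan-i686-android.so+0xd32c3)
I/buggy: Thread T1 created by T0 here:
I/buggy:     #1 0xcc5c9d55  (/data/app/com.steenriver.buggy-XX==/lib/x86/libbuggy.so+0x33cd55)
"""

FRAME_RE = re.compile(r"#(\d+)\s+0x[0-9a-f]+\s+\((\S+?)\+0x([0-9a-f]+)\)")
ERROR_RE = re.compile(r"ERROR: AddressSanitizer: (.+?): 0x([0-9a-f]+)")
SUMMARY_RE = re.compile(r"SUMMARY: AddressSanitizer: (\S+)")
Frame = namedtuple("Frame", "index module offset")  # offset is an int relative to module

def parse_asan_report(text):
    """Return error kind, faulting address, summary tag and the frames of the error
    stack; stacks printed after SUMMARY ('Thread T1 created by ...') are skipped."""
    report = {"error": None, "address": None, "summary": None, "frames": []}
    for line in text.splitlines():
        if m := ERROR_RE.search(line):
            report["error"], report["address"] = m.group(1), int(m.group(2), 16)
        elif m := SUMMARY_RE.search(line):
            report["summary"] = m.group(1)
            break
        elif m := FRAME_RE.search(line):
            idx, module, off = m.groups()
            report["frames"].append(Frame(int(idx), module, int(off, 16)))
    return report

def addr2line_commands(frames, symbol_dir):
    """One addr2line command per APK library (unstripped copies live in symbol_dir).
    ASan runtime and /system frames are skipped: they need different symbol files."""
    per_module = {}
    for f in frames:
        name = f.module.rsplit("/", 1)[-1]
        if not f.module.startswith("/data/app/") or name.startswith("libclang_rt"):
            continue
        per_module.setdefault(name, []).append(f.offset)
    return {name: f"addr2line -C -f -p -e {symbol_dir}/{name} "
            + " ".join(f"0x{o:x}" for o in offs) for name, offs in per_module.items()}
```

Running the generated command against the unstripped libbuggy.so from the same build turns frames #1 and #2 into function names and source lines, which is what the SDK maintainers need to locate the free() inside Create().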

Happens in latest gpg sdk 3.1 as well. Can I please have an update?

stolk, Jul 20 '21 17:07