
Segfault when passing garbage values to `loadobj`

Open no-lex opened this issue 4 years ago • 0 comments

If you attempt to `objload` something other than a valid file, the game segfaults. In the trace below, frame #0 shows `meshes = 0x0` on the part being tagged, so `settag` dereferences a null mesh pointer after the preceding `objload garbage garbage` line in obj.cfg failed to produce a mesh group; the subsequent `objtag` command then crashes. A stack trace is below:

vertcommands<obj>::settag (tagname=0x5555577c4238 "tag_muzzle", tx=0x7fffffffd3e0, 
    ty=0x7fffffffd3f0, tz=<optimized out>, rx=<optimized out>, ry=0x7fffffffd420, 
    rz=0x7fffffffd430) at engine/model/vertmodel.h:673
673	        (static_cast<meshgroup *>(mdl.meshes))->addtag(tagname, m);

#0  vertcommands<obj>::settag(char*, float*, float*, float*, float*, float*, float*)
    (tagname=0x5555577c4238 "tag_muzzle", tx=0x7fffffffd3e0, ty=0x7fffffffd3f0, tz=<optimized out>, rx=<optimized out>, ry=0x7fffffffd420, rz=0x7fffffffd430)
    at engine/model/vertmodel.h:673
        mdl = 
          @0x555557976150: {_vptr.part = 0x7ffff7eaff80 <vtable for animmodel::part+16>, model = 0x555557328080, index = 1, meshes = 0x0, links = {static MINSIZE = 8, buf = 0x0, alen = 0, ulen = 0}, skins = {static MINSIZE = 8, buf = 0x0, alen = 0, ulen = 0}, anims = {0x0, 0x0, 0x0}, numanimparts = 1, pitchscale = 0, pitchoffset = 0, pitchmin = 0, pitchmax = 0}
        cx = <optimized out>
        sx = <optimized out>
        cy = <optimized out>
        cz = <optimized out>
        m = <optimized out>
#1  0x00007ffff7cd6799 in runcode(uint const*, tagval&) (code=0x5555577c4264, result=...)
    at engine/interface/command.cpp:4518
        id = 0x555555653bf0
        offset = 0
        op = 213017
        numargs = <optimized out>
        args = 
            {{<identval> = {{i = 1467761208, f = 2.77361338e+14, s = 0x5555577c4238 "tag_muzzle", code = 0x5555577c4238, id = 0x5555577c4238, cstr = 0x5555577c4238 "tag_muzzle"}}, type = 6}, {<identval> = {{i = 0, f = 0, s = 0x555500000000 <error: Cannot access memory at address 0x555500000000>, code = 0x555500000000, id = 0x555500000000, cstr = 0x555500000000 <error: Cannot access memory at address 0x555500000000>}}, type = 2}, {<identval> = {{i = 1086324736, f = 6, s = 0x555540c00000 <error: Cannot access memory at address 0x555540c00000>, code = 0x555540c00000, id = 0x555540c00000, cstr = 0x555540c00000 <error: Cannot access memory at address 0x555540c00000>}}, type = 2}, {<identval> = {{i = 1065520988, f = 1.01999998, s = 0x7fff3f828f5c <error: Cannot access memory at address 0x7fff3f828f5c>, code = 0x7fff3f828f5c, id = 0x7fff3f828f5c, cstr = 0x7fff3f828f5c <error: Cannot access memory at address 0x7fff3f828f5c>}}, type = 2}, {<identval> = {{i = 0, f = 0, s = 0x7fff00000000 <error: Cannot access memory at address 0x7fff00000000>, code = 0x7fff00000000, id = 0x7fff00000000, cstr = 0x7fff00000000 <error: Cannot access memory at address 0x7fff00000000>}}, type = 2}, {<identval> = {{i = 0, f = 0, s = 0xc800000000000000 <error: Cannot access memory at address 0xc800000000000000>, code = 0xc800000000000000, id = 0xc800000000000000, cstr = 0xc800000000000000 <error: Cannot access memory at address 0xc800000000000000>}}, type = 2}, {<identval> = {{i = 0, f = 0, s = 0x7fff00000000 <error: Cannot access memory at address 0x7fff00000000>, code = 0x7fff00000000, id = 0x7fff00000000, cstr = 0x7fff00000000 <error: Cannot access memory at address 0x7fff00000000>}}, type = 2}, {<identval> = {{i = -135839333, f = -9.38086884e+33, s = 0x7ffff7e7419b "r", code = 0x7ffff7e7419b, id = 0x7ffff7e7419b, cstr = 0x7ffff7e7419b "r"}}, type = 1481137920}, {<identval> = {{i = 1469514368, f = 3.32073986e+14, s = 0x555557970280 "\310\002\353\367\377\177", code = 0x555557970280, id = 
0x555557970280, cstr = 0x555557970280 "\310\002\353\367\377\177"}}, type = -9968}, {<identval> = {{i = -9968, f = -nan(0x7fd910), s = 0x7fffffffd910 ".cfg", code = 0x7fffffffd910, id = 0x7fffffffd910, cstr = 0x7fffffffd910 ".cfg"}}, type = 0}, {<identval> = {{i = -135839333, f = -9.38086884e+33, s = 0x7ffff7e7419b "r", code = 0x7ffff7e7419b, id = 0x7ffff7e7419b, cstr = 0x7ffff7e7419b "r"}}, type = 1023}, {<identval> = {{i = 1469514368, f = 3.32073986e+14, s = 0x555557970280 "\310\002\353\367\377\177", code = 0x555557970280, id = 0x555557970280, cstr = 0x555557970280 "\310\002\353\367\377\177"}}, type = -137653903}, {<identval> = {{i = 109, f = 1.52741533e-43, s = 0x6d <error: Cannot access memory at address 0x6d>, code = 0x6d, id = 0x6d, cstr = 0x6d <error: Cannot access memory at address 0x6d>}}, type = 45}, {<identval> = {{i = -135513888, f = -9.58230954e+33, s = 0x7ffff7ec3--Type <RET> for more, q to quit, c to continue without paging--
8e0 <animmodel::meshgroups> "", code = 0x7ffff7ec38e0 <animmodel::meshgroups>, id = 0x7ffff7ec38e0 <animmodel::meshgroups>, cstr = 0x7ffff7ec38e0 <animmodel::meshgroups> ""}}, type = -136627369}, {<identval> = {{i = -9360, f = -nan(0x7fdb70), s = 0x7fffffffdb70 "\036", code = 0x7fffffffdb70, id = 0x7fffffffdb70, cstr = 0x7fffffffdb70 "\036"}}, type = -9552}, {<identval> = {{i = 0, f = 0, s = 0x0, code = 0x0, id = 0x0, cstr = 0x0}}, type = -10800}, {<identval> = {{i = 1469514368, f = 3.32073986e+14, s = 0x555557970280 "\310\002\353\367\377\177", code = 0x555557970280, id = 0x555557970280, cstr = 0x555557970280 "\310\002\353\367\377\177"}}, type = -10816}, {<identval> = {{i = 1432593808, f = 1.56437641e+13, s = 0x5563a590 <error: Cannot access memory at address 0x5563a590>, code = 0x5563a590, id = 0x5563a590, cstr = 0x5563a590 <error: Cannot access memory at address 0x5563a590>}}, type = 1073741824}, {<identval> = {{i = 98, f = 1.3732725e-43, s = 0x62 <error: Cannot access memory at address 0x62>, code = 0x62, id = 0x62, cstr = 0x62 <error: Cannot access memory at address 0x62>}}, type = -9968}, {<identval> = {{i = 262144, f = 3.67341985e-40, s = 0x40000 <error: Cannot access memory at address 0x40000>, code = 0x40000, id = 0x40000, cstr = 0x40000 <error: Cannot access memory at address 0x40000>}}, type = 0}, {<identval> = {{i = 1435287520, f = 1.93444656e+13, s = 0x5555558cbfe0 "\220\343pUUU", code = 0x5555558cbfe0, id = 0x5555558cbfe0, cstr = 0x5555558cbfe0 "\220\343pUUU"}}, type = -2007901867}, {<identval> = {{i = -134581400, f = -1.01594917e+34, s = 0x7ffff7fa7368 "P\344\377\367\377\177", code = 0x7ffff7fa7368, id = 0x7ffff7fa7368, cstr = 0x7ffff7fa7368 "P\344\377\367\377\177"}}, type = -10648}, {<identval> = {{i = 0, f = 0, s = 0x0, code = 0x0, id = 0x0, cstr = 0x0}}, type = 0}, {<identval> = {{i = 0, f = 0, s = 0x0, code = 0x0, id = 0x0, cstr = 0x0}}, type = -134368791}, {<identval> = {{i = 1, f = 1.40129846e-45, s = 0x1 <error: Cannot access memory at address 
0x1>, code = 0x1, id = 0x1, cstr = 0x1 <error: Cannot access memory at address 0x1>}}, type = 0}, {<identval> = {{i = 5, f = 7.00649232e-45, s = 0x5 <error: Cannot access memory at address 0x5>, code = 0x5, id = 0x5, cstr = 0x5 <error: Cannot access memory at address 0x5>}}, type = 0}, {<identval> = {{i = 1, f = 1.40129846e-45, s = 0x1 <error: Cannot access memory at address 0x1>, code = 0x1, id = 0x1, cstr = 0x1 <error: Cannot access memory at address 0x1>}}, type = -134582272}, {<identval> = {{i = 111, f = 1.5554413e-43, s = 0x6f <error: Cannot access memory at address 0x6f>, code = 0x6f, id = 0x6f, cstr = 0x6f <error: Cannot access memory at address 0x6f>}}, type = 0}, {<identval> = {{i = 1, f = 1.40129846e-45, s = 0x1 <error: Cannot access memory at address 0x1>, code = 0x1, id = 0x1, cstr = 0x1 <error: Cannot access memory at address 0x1>}}, type = 0}, {<identval> = {{i = 7, f = 9.80908925e-45, s = 0x7 <error: Cannot access memory at address 0x7>, code = 0x7, id = 0x7, cstr = 0x7 <error: Cannot access memory at address 0x7>}}, type = 1432166926}, {<identval> = {{i = 4096, f = 5.73971851e-42, s = 0x1000 <error: Cannot access memory at address 0x1000>, code = 0x1000, id = 0x1000, cstr = 0x1000 <error: Cannot access memory at address 0x1000>}}, type = 99}, {<identval> = {{i = 1432168456, f = 1.51977502e+13, s = 0x5555555d2808 "", code = 0x5555555d2808, id = 0x5555555d2808, cstr = 0x5555555d2808 ""}}, type = 4144}}
        prevret = <optimized out>
#2  0x00007ffff7cd8ca5 in execute(char const*)
    (p=p@entry=0x5555577ad060 "objload model.obj\n\nobjload garbage garbage\n\nobjskin    CARBINE_world diffuse.png *\n\nobjpitch 0\nmdlspec 200\nmdlgloss 2\n\n//", ' ' <repeats 16 times>, "+L -R  +F -B  +U -D\n//", ' ' <repeats 16 times>, "H      D      V\nobjtag ta"...) at engine/interface/command.cpp:4988
        code = {static MINSIZE = 8, buf = 0x5555577c41b0, alen = 64, ulen = 46}
        result = 
          {<identval> = {{i = 0, f = 0, s = 0x0, code = 0x0, id = 0x0, cstr = 0x0}}, type = 0}
        i = <optimized out>
#3  0x00007ffff7cddc7c in execfile(char const*, bool)
    (cfgfile=cfgfile@entry=0x7fffffffda40 "media/model/worldgun/carbine/obj.cfg", msg=msg@entry=false) at engine/interface/cubestd.cpp:36
        s = "media/model/worldgun/carbine/obj.cfg\000/mo\000_HXT{\316\035dgun/car@\332\377--Type <RET> for more, q to quit, c to continue without paging--
\377\377\177\000\000@\332\377\377\377\177\000\000h\320\357\367\377\177\000\000\330\320\357\367\377\177\000\000\340\317\357\367\377\177\000\000\200\200\062WUU\000\000\063\343VUUU\000\000 \000\000\000\060\000\000\000@\332\377\377\377\177\000\000\200\331\377\377\377\177\000\000\000_HXT{\316\035\220\331\377\377\200\000\000\000\000_HXT{\316\035\200T|WUU\000\000\273S\347\367\377\177\000\000\377\377\377\377\000\000\000\000\320\330\377\377\377\177\000\000\377\377\377\377\377\377\377\377"...
        buf = 0x5555577ad060 "objload model.obj\n\nobjload garbage garbage\n\nobjskin    CARBINE_world diffuse.png *\n\nobjpitch 0\nmdlspec 200\nmdlgloss 2\n\n//", ' ' <repeats 16 times>, "+L -R  +F -B  +U -D\n//", ' ' <repeats 16 times>, "H      D      V\nobjtag ta"...
        oldsourcefile = 0x0
        oldsourcestr = 0x0
#4  0x00007ffff7d2d95e in modelloader<obj, vertmodel>::loadconfig()
    (this=<optimized out>) at engine/model/animmodel.h:1936
        cfgname = "media/model/worldgun/carbine/obj.cfg\000U\000\000h\320\357\367\377\177\000\000\200\333\377\377\377\177\000\000\340\317\357\367\377\177\000\000\000\000\000\000\000\000\000\000\063\343VUUU\000\000\030\000\000\000\060", '\000' <repeats 11 times>, "\004\000\000\000\000\000\000\000\000\333\377\377\377\177\000\000\320\332\377\377\377\177\000\000T\351\374\367\377\177\000\000\000\333\377\377\377\177\000\000\200\333\377\377\377\177\000\000\004\000\000\000\000\000\000\000\065BX\367\377\177\000\000\000\000\000\000\230\r\000\000<\000\000\000\000\000\000\000\200\333\377\377\377\177\000\000\235o\272\367\377\177\000\000\360\261\000\000\000\000\000\000\000"...
        success = <optimized out>
#5  0x00007ffff7da7f40 in animmodel::load() (this=0x555557328080)
    at engine/model/animmodel.h:1621
        success = <optimized out>
        mm = 0x0
        m = 0x555557328080
#6  loadmodel(char const*, int, bool)
    (name=0x555557039490 "worldgun/carbine", i=i@entry=-1, msg=msg@entry=true)
    at engine/render/rendermodel.cpp:559
        mm = 0x0
        m = 0x555557328080
#7  0x00007ffff7da8b16 in flushpreloadedmodels(bool) (msg=msg@entry=true)
    at engine/../libprimis-headers/tools.h:692
        m = <optimized out>
        i = 7
#8  0x000055555559e241 in game::preloadworld() () at game/render.cpp:729
#9  0x000055555558d37d in game::changemapserv(char const*, int)
    (name=name@entry=0x5555555cd8e0 <game::parsemessages(int, gameent*, databuf<unsigned char>&)::text> "tdm1", mode=<optimized out>) at game/gameclient.cpp:884
#10 0x0000555555591c0a in game::parsemessages(int, gameent*, databuf<unsigned char>&)
    (cn=cn@entry=-1, d=d@entry=0x0, p=...) at game/gameclient.cpp:2012
        text = "tdm1", '\000' <repeats 4995 times>
        type = 22
        mapchanged = false
        demopacket = false
#11 0x000055555559465f in game::parsepacketclient(int, packetbuf&)
    (chan=<optimized out>, p=...) at game/gameclient.cpp:3074
#12 0x000055555556f20f in localservertoclient(int, _ENetPacket*)
    (packet=<optimized out>, chan=<optimized out>) at game/client.cpp:229
        p = 
          {<databuf<unsigned char>> = {buf = 0x555555eaafc0 "\002\026tdm1", len = 8, maxlen = 25, flags = 0 '\000'}, packet = 0x555556c426c0, growth = 0}
        event = 
          {type = ENET_EVENT_TYPE_RECEIVE, peer = 0x5555560b0a80, channelID = 1 '\001', data = 0, packet = 0x555556c426c0}
#13 gets2c() () at game/client.cpp:277
        event = 
          {type = ENET_EVENT_TYPE_RECEIVE, peer = 0x5555560b0a80, channelID = 1 '\001', data = 0, packet = 0x555556c426c0}
#14 0x0000555555587305 in game::updateworld() () at game/game.cpp:353
#15 0x0000555555563215 in main(int, char**) (argc=<optimized out>, argv=<optimized out>)
    at game/main.cpp:284
        frames = 165
        millis = 2937
        crosshairindex = <optimized out>
        timeerr = 0
        scaledtime = <optimized out>

no-lex, Dec 26 '20 07:12