taisei
Use-after-free with TAISEI_NOPRELOAD=1
To reproduce, start a game and then go back to the title screen.
At least two things look wrong here: everything loads in transient mode (that's not what TAISEI_NOPRELOAD is for), and, obviously, the memory management bug which happens to be exposed by that.
3865 W: get_resource(): shader object 'texture_post_load.frag' was not preloaded
3866 I: finalize_resource(): Loaded shader object 'texture_post_load.frag' from '/tmp/taisei/share/taisei/00-taisei.zip/shader/texture_post_load.frag.glsl' (transient)
3866 I: finalize_resource(): Loaded shader program 'texture_post_load' from '/tmp/taisei/share/taisei/00-taisei.zip/shader/texture_post_load.prog' (transient)
=================================================================
==5255==ERROR: AddressSanitizer: heap-use-after-free on address 0x60f000031c30 at pc 0x00000057da23 bp 0x7ffed06036d0 sp 0x7ffed06036c8
READ of size 4 at 0x60f000031c30 thread T0
#0 0x57da22 in gl33_shader ../../../git/taisei/src/renderer/gl33/core.c:938
#1 0x56f6d8 in r_shader_ptr ../../../git/taisei/src/renderer/api.c:367
#2 0x5cb241 in texture_post_load ../../../git/taisei/src/resource/texture.c:308
#3 0x5cb4df in load_texture_end ../../../git/taisei/src/resource/texture.c:331
#4 0x5c2275 in load_resource_finish ../../../git/taisei/src/resource/resource.c:318
#5 0x5c1d59 in load_resource ../../../git/taisei/src/resource/resource.c:285
#6 0x5c267e in get_resource ../../../git/taisei/src/resource/resource.c:356
#7 0x5c2bf1 in get_resource_data ../../../git/taisei/src/resource/resource.c:385
#8 0x5cb548 in r_texture_get ../../../git/taisei/src/renderer/api.h:732
#9 0x5cb548 in get_tex ../../../git/taisei/src/resource/texture.c:339
#10 0x5cdaca in fill_screen ../../../git/taisei/src/resource/texture.c:507
#11 0x51aa84 in draw_options_menu_bg ../../../git/taisei/src/menu/options.c:743
#12 0x52c332 in draw_saverpy_menu ../../../git/taisei/src/menu/savereplay.c:47
#13 0x513b7f in menu_render_frame ../../../git/taisei/src/menu/menu.c:171
#14 0x4682d3 in loop_at_fps ../../../git/taisei/src/framerate.c:169
#15 0x513c8e in menu_loop ../../../git/taisei/src/menu/menu.c:183
#16 0x52e253 in ask_save_replay ../../../git/taisei/src/menu/savereplay.c:141
#17 0x5047be in start_game_internal ../../../git/taisei/src/menu/common.c:93
#18 0x5049cf in start_game ../../../git/taisei/src/menu/common.c:110
#19 0x5122f5 in close_menu_finish ../../../git/taisei/src/menu/menu.c:60
#20 0x4f6bb0 in call_callback ../../../git/taisei/src/transition.c:83
#21 0x4f6fee in update_transition ../../../git/taisei/src/transition.c:146
#22 0x5139cc in menu_logic_frame ../../../git/taisei/src/menu/menu.c:163
#23 0x4680a2 in loop_at_fps ../../../git/taisei/src/framerate.c:157
#24 0x513c8e in menu_loop ../../../git/taisei/src/menu/menu.c:183
#25 0x49a6a1 in main ../../../git/taisei/src/main.c:314
#26 0x7f593569cfea in __libc_start_main ../csu/libc-start.c:308
#27 0x42c759 in _start (/data/taisei-build/dev/gcc/src/taisei+0x42c759)
0x60f000031c30 is located 0 bytes inside of 168-byte region [0x60f000031c30,0x60f000031cd8)
freed by thread T0 here:
#0 0x7f5936ff8b50 in __interceptor_free ../../../../libsanitizer/asan/asan_malloc_linux.cc:66
#1 0x58708e in gl33_shader_program_destroy ../../../git/taisei/src/renderer/gl33/shader_program.c:399
#2 0x56f591 in r_shader_program_destroy ../../../git/taisei/src/renderer/api.c:354
#3 0x5c6621 in unload_shader_program ../../../git/taisei/src/resource/shader_program.c:108
#4 0x5c0703 in unload_resource ../../../git/taisei/src/resource/resource.c:166
#5 0x5c440a in free_resources ../../../git/taisei/src/resource/resource.c:557
#6 0x5047b9 in start_game_internal ../../../git/taisei/src/menu/common.c:92
#7 0x5049cf in start_game ../../../git/taisei/src/menu/common.c:110
#8 0x5122f5 in close_menu_finish ../../../git/taisei/src/menu/menu.c:60
#9 0x4f6bb0 in call_callback ../../../git/taisei/src/transition.c:83
#10 0x4f6fee in update_transition ../../../git/taisei/src/transition.c:146
#11 0x5139cc in menu_logic_frame ../../../git/taisei/src/menu/menu.c:163
#12 0x4680a2 in loop_at_fps ../../../git/taisei/src/framerate.c:157
#13 0x513c8e in menu_loop ../../../git/taisei/src/menu/menu.c:183
#14 0x49a6a1 in main ../../../git/taisei/src/main.c:314
#15 0x7f593569cfea in __libc_start_main ../csu/libc-start.c:308
previously allocated by thread T0 here:
#0 0x7f5936ff90b8 in __interceptor_calloc ../../../../libsanitizer/asan/asan_malloc_linux.cc:95
#1 0x587127 in gl33_shader_program_link ../../../git/taisei/src/renderer/gl33/shader_program.c:403
#2 0x56f52a in r_shader_program_link ../../../git/taisei/src/renderer/api.c:350
#3 0x5c64e6 in load_shader_program_end ../../../git/taisei/src/resource/shader_program.c:94
#4 0x5c2275 in load_resource_finish ../../../git/taisei/src/resource/resource.c:318
#5 0x5c1d59 in load_resource ../../../git/taisei/src/resource/resource.c:285
#6 0x5c267e in get_resource ../../../git/taisei/src/resource/resource.c:356
#7 0x5c2bf1 in get_resource_data ../../../git/taisei/src/resource/resource.c:385
#8 0x56dad9 in r_shader_get ../../../git/taisei/src/renderer/api.h:716
#9 0x56dad9 in r_post_init ../../../git/taisei/src/renderer/api.c:70
#10 0x499e42 in main ../../../git/taisei/src/main.c:242
#11 0x7f593569cfea in __libc_start_main ../csu/libc-start.c:308
SUMMARY: AddressSanitizer: heap-use-after-free ../../../git/taisei/src/renderer/gl33/core.c:938 in gl33_shader
==5255==ABORTING
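The trace shows the shader program being calloc'd during r_post_init, freed by free_resources() on the way back to the menu, and then read through the renderer's cached pointer. As an added example (not taisei's own code, with hypothetical names), a simplified C model of that lifetime hazard, with the buggy unload next to a hardened one that drops the renderer's cached reference before freeing:

```c
#include <stdlib.h>
#include <string.h>

/* Simplified model of the use-after-free in the trace above.
 * All names are stand-ins for the real taisei functions. */

typedef struct ShaderProgram {
    const char *name;
    int transient;           /* loaded on demand (the "(transient)" in the log) */
} ShaderProgram;

#define MAX_RES 8
static ShaderProgram *resources[MAX_RES];
static int n_resources;

/* Renderer state: the pointer gl33_shader() dereferences in the trace. */
static ShaderProgram *current_shader;

/* Models r_shader_program_link(): calloc + register with the resource table. */
static ShaderProgram *load_shader_program(const char *name, int transient) {
    ShaderProgram *p = calloc(1, sizeof *p);
    p->name = name;
    p->transient = transient;
    resources[n_resources++] = p;
    return p;
}

/* Models r_shader_ptr(): the renderer keeps a raw pointer and no ownership. */
static void r_shader_ptr(ShaderProgram *p) { current_shader = p; }

/* Models free_resources() on return to the title screen: transient entries
 * are freed. notify_renderer == 0 reproduces the bug (current_shader keeps
 * pointing at freed memory); notify_renderer == 1 is the hardened path that
 * clears the cached pointer before the free, so a later use is a visible
 * "no shader bound" condition instead of a read of freed memory. */
static void free_transient_resources(int notify_renderer) {
    int kept = 0;
    for (int i = 0; i < n_resources; i++) {
        ShaderProgram *p = resources[i];
        if (!p->transient) { resources[kept++] = p; continue; }
        if (notify_renderer && current_shader == p) current_shader = NULL;
        free(p);
    }
    n_resources = kept;
}

/* Models the read at gl33/core.c:938, made null-safe. */
static const char *gl33_current_shader_name(void) {
    return current_shader ? current_shader->name : "(none)";
}
```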