use after free #837

Open
devnexen opened this issue Aug 25, 2024 · 0 comments

I stumbled across it once and could never reproduce it again. It was on the first Doom 2 level near the end, attacked by two imps.
Hope it helps, cheers.

./doomretro -iwad ~/Contribs/DOOM2.WAD 
=================================================================
==8782==ERROR: AddressSanitizer: heap-use-after-free on address 0x5150000ce9f0 at pc 0x55c764e53526 bp 0x7ffcda3afa80 sp 0x7ffcda3afa78
READ of size 4 at 0x5150000ce9f0 thread T0
    #0 0x55c764e53525 in S_AdjustSoundParms /home/dcarlier/Contribs/doomretro/src/s_sound.c:435:33
    #1 0x55c764e53280 in S_UpdateSounds /home/dcarlier/Contribs/doomretro/src/s_sound.c:569:22
    #2 0x55c764bd94c2 in D_DoomLoop /home/dcarlier/Contribs/doomretro/src/d_main.c:482:13
    #3 0x55c764bd2bfd in D_DoomMain /home/dcarlier/Contribs/doomretro/src/d_main.c:2836:5
    #4 0x55c764bde759 in main /home/dcarlier/Contribs/doomretro/src/doomretro.c:214:5
    #5 0x7fb0fb4c0c89 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #6 0x7fb0fb4c0d44 in __libc_start_main csu/../csu/libc-start.c:360:3
    #7 0x55c764a2fb90 in _start (/home/dcarlier/Contribs/doomretro/build/doomretro+0x108b90) (BuildId: c4a68aca4e070dbd7c957650aadaad07394d6934)

0x5150000ce9f0 is located 112 bytes inside of 480-byte region [0x5150000ce980,0x5150000ceb60)
freed by thread T0 here:
    #0 0x55c764aca53a in free (/home/dcarlier/Contribs/doomretro/build/doomretro+0x1a353a) (BuildId: c4a68aca4e070dbd7c957650aadaad07394d6934)
    #1 0x55c764e9879a in Z_Free /home/dcarlier/Contribs/doomretro/src/z_zone.c:147:5
    #2 0x55c764de242d in P_RemoveThinkerDelayed /home/dcarlier/Contribs/doomretro/src/p_tick.c:143:9
    #3 0x55c764de2c8c in P_Ticker /home/dcarlier/Contribs/doomretro/src/p_tick.c:242:9
    #4 0x55c764bf5116 in G_Ticker /home/dcarlier/Contribs/doomretro/src/g_game.c:1098:13
    #5 0x55c764bcd9e1 in TryRunTics /home/dcarlier/Contribs/doomretro/src/d_loop.c:84:9
    #6 0x55c764bd94a6 in D_DoomLoop /home/dcarlier/Contribs/doomretro/src/d_main.c:476:9
    #7 0x55c764bd2bfd in D_DoomMain /home/dcarlier/Contribs/doomretro/src/d_main.c:2836:5
    #8 0x55c764bde759 in main /home/dcarlier/Contribs/doomretro/src/doomretro.c:214:5
    #9 0x7fb0fb4c0c89 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16

previously allocated by thread T0 here:
    #0 0x55c764aca7e2 in malloc (/home/dcarlier/Contribs/doomretro/build/doomretro+0x1a37e2) (BuildId: c4a68aca4e070dbd7c957650aadaad07394d6934)
    #1 0x55c764e97c2e in Z_Malloc /home/dcarlier/Contribs/doomretro/src/z_zone.c:78:22
    #2 0x55c764e982e2 in Z_Calloc /home/dcarlier/Contribs/doomretro/src/z_zone.c:113:39
    #3 0x55c764d62a2e in P_SpawnMobj /home/dcarlier/Contribs/doomretro/src/p_mobj.c:778:25
    #4 0x55c764d6ebcd in P_SpawnMissile /home/dcarlier/Contribs/doomretro/src/p_mobj.c:1660:10
    #5 0x55c764cf01b8 in A_TroopAttack /home/dcarlier/Contribs/doomretro/src/p_enemy.c:1164:5
    #6 0x55c764d587c7 in P_SetMobjState /home/dcarlier/Contribs/doomretro/src/p_mobj.c:84:17
    #7 0x55c764d5b000 in P_MobjThinker /home/dcarlier/Contribs/doomretro/src/p_mobj.c:751:13
    #8 0x55c764de2c8c in P_Ticker /home/dcarlier/Contribs/doomretro/src/p_tick.c:242:9
    #9 0x55c764bf5116 in G_Ticker /home/dcarlier/Contribs/doomretro/src/g_game.c:1098:13
    #10 0x55c764bcd9e1 in TryRunTics /home/dcarlier/Contribs/doomretro/src/d_loop.c:84:9
    #11 0x55c764bd94a6 in D_DoomLoop /home/dcarlier/Contribs/doomretro/src/d_main.c:476:9
    #12 0x55c764bd2bfd in D_DoomMain /home/dcarlier/Contribs/doomretro/src/d_main.c:2836:5
    #13 0x55c764bde759 in main /home/dcarlier/Contribs/doomretro/src/doomretro.c:214:5
    #14 0x7fb0fb4c0c89 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16

SUMMARY: AddressSanitizer: heap-use-after-free /home/dcarlier/Contribs/doomretro/src/s_sound.c:435:33 in S_AdjustSoundParms
Shadow bytes around the buggy address:
  0x5150000ce700: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x5150000ce780: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x5150000ce800: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x5150000ce880: fd fd fd fd fd fd fd fd fd fd fd fd fa fa fa fa
  0x5150000ce900: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x5150000ce980: fd fd fd fd fd fd fd fd fd fd fd fd fd fd[fd]fd
  0x5150000cea00: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x5150000cea80: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x5150000ceb00: fd fd fd fd fd fd fd fd fd fd fd fd fa fa fa fa
  0x5150000ceb80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x5150000cec00: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==8782==ABORTING
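The trace shows a mobj spawned by an imp's attack (P_SpawnMissile) being freed by delayed thinker removal while the sound code still dereferences it from S_AdjustSoundParms. Added example, not DoomRetro's own code: a minimal C model of that sound-channel origin pattern, with the invariant a fix must keep (no channel may outlive the mobj it points at); all names and fields here are assumptions.

```c
/* Added illustration, not DoomRetro's code: a sound channel keeps a raw
 * pointer to the mobj that emitted the sound (its origin); once that mobj is
 * freed by thinker removal, the per-tic sound update still dereferences it. */
#include <stdlib.h>

typedef struct { int x, y; } mobj_t;
typedef struct { mobj_t *origin; int playing; } channel_t;
#define NUM_CHANNELS 8
static channel_t channels[NUM_CHANNELS];

mobj_t *spawn_mobj(int x, int y)
{
    mobj_t *m = calloc(1, sizeof *m);
    if (m) { m->x = x; m->y = y; }
    return m;
}
/* Start a sound on the first free channel; returns its index or -1. */
int start_sound(mobj_t *origin)
{
    for (int i = 0; i < NUM_CHANNELS; i++)
        if (!channels[i].playing) {
            channels[i].origin = origin;
            channels[i].playing = 1;
            return i;
        }
    return -1;
}
/* Silence every channel whose origin is m; returns how many were stopped.
 * Must run before m is released: this is the invariant the trace violates. */
int stop_sounds_from(const mobj_t *m)
{
    int stopped = 0;
    for (int i = 0; i < NUM_CHANNELS; i++)
        if (channels[i].origin == m) {
            channels[i].origin = NULL;
            channels[i].playing = 0;
            stopped++;
        }
    return stopped;
}
/* Unsafe removal: frees m while channels may still point at it; the next
 * update_sounds() then reads freed memory, which is what ASan reported. */
void remove_mobj_unsafe(mobj_t *m) { free(m); }
/* Hardened removal: detach channels first, then free. */
int remove_mobj_safe(mobj_t *m) { int n = stop_sounds_from(m); free(m); return n; }
/* Per-tic update, modelling the read in S_AdjustSoundParms: returns the sum of
 * live origins' x so the work is observable; channels with no origin are skipped. */
int update_sounds(void)
{
    int acc = 0;
    for (int i = 0; i < NUM_CHANNELS; i++)
        if (channels[i].playing && channels[i].origin)
            acc += channels[i].origin->x;
    return acc;
}
```

Under AddressSanitizer, calling remove_mobj_unsafe on a mobj that still has a playing channel and then update_sounds reproduces the heap-use-after-free shape of the report above, with the free attributed to the removal path and the read to the sound update.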