Opened 14 months ago
Last modified 14 months ago
#15887 new defect
TOLTECS: drawGuiTextMulti() heap buffer-overflow with demo
| Reported by: | dwatteau | Owned by: | |
|---|---|---|---|
| Priority: | normal | Component: | Engine: Toltecs |
| Version: | Keywords: | ||
| Cc: | Game: | 3 Skulls of the Toltecs |
Description
On current Git HEAD.
How to reproduce:
- Build with
--enable-asan - Start 'toltecs-demo' (available on our demos page)
- When the main title screen appears, left click
The following ASan trace is then triggered:
==20723==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62a000071f61 at pc 0x0001007f8f64 bp 0x00016faf5f90 sp 0x00016faf5f88
READ of size 1 at 0x62a000071f61 thread T0
#0 0x0001007f8f60 in Toltecs::Screen::drawGuiTextMulti(unsigned char*) screen.cpp:524
#1 0x00010080d8c0 in Toltecs::ScriptInterpreter::sfDrawGuiTextMulti() script.cpp:762
#2 0x00010082d1a0 in Common::Functor0Mem<void, Toltecs::ScriptInterpreter>::operator()() const func.h:397
#3 0x0001008219a0 in Toltecs::ScriptInterpreter::execScriptFunction(unsigned short) script.cpp:510
#4 0x00010081a864 in Toltecs::ScriptInterpreter::execOpcode(unsigned char) script.cpp:273
#5 0x00010081a3c4 in Toltecs::ScriptInterpreter::runScript() script.cpp:242
#6 0x0001007b14c8 in Toltecs::ToltecsEngine::run() toltecs.cpp:221
#7 0x000100363a7c in runGame(Plugin const*, OSystem&, DetectedGame const&, void const*) main.cpp:311
#8 0x00010035802c in scummvm_main main.cpp:796
#9 0x0001003402ec in main macosx-main.cpp:44
#10 0x000198b8eb48 (<unknown module>)
0x62a000071f61 is located 2 bytes after 23903-byte region [0x62a00006c200,0x62a000071f5f)
allocated by thread T0 here:
#0 0x000104103804 in _Znam+0x74 (libclang_rt.asan_osx_dynamic.dylib:arm64e+0x4b804)
#1 0x000100817e34 in Toltecs::ScriptInterpreter::loadScript(unsigned int, unsigned int) script.cpp:188
#2 0x00010080f5fc in Toltecs::ScriptInterpreter::sfLoadScript() script.cpp:812
#3 0x00010082d1a0 in Common::Functor0Mem<void, Toltecs::ScriptInterpreter>::operator()() const func.h:397
#4 0x0001008219a0 in Toltecs::ScriptInterpreter::execScriptFunction(unsigned short) script.cpp:510
#5 0x00010081a864 in Toltecs::ScriptInterpreter::execOpcode(unsigned char) script.cpp:273
#6 0x00010081a3c4 in Toltecs::ScriptInterpreter::runScript() script.cpp:242
#7 0x0001007b14c8 in Toltecs::ToltecsEngine::run() toltecs.cpp:221
#8 0x000100363a7c in runGame(Plugin const*, OSystem&, DetectedGame const&, void const*) main.cpp:311
#9 0x00010035802c in scummvm_main main.cpp:796
#10 0x0001003402ec in main macosx-main.cpp:44
#11 0x000198b8eb48 (<unknown module>)
SUMMARY: AddressSanitizer: heap-buffer-overflow screen.cpp:524 in Toltecs::Screen::drawGuiTextMulti(unsigned char*)
Shadow bytes around the buggy address:
0x62a000071c80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x62a000071d00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x62a000071d80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x62a000071e00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x62a000071e80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x62a000071f00: 00 00 00 00 00 00 00 00 00 00 00 07[fa]fa fa fa
0x62a000071f80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x62a000072000: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x62a000072080: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x62a000072100: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x62a000072180: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==20723==ABORTING
Abort trap: 6
Note:
See TracTickets
for help on using tickets.
Small bit of debugger context:
(lldb) frame select 5 frame #5: 0x00000001004f8f64 scummvm`Toltecs::Screen::drawGuiTextMulti(this=0x0000618000106080, textData="\n\f\xa0") at screen.cpp:524:7 521 522 // Really strange stuff. 523 for (int i = 30; i >= 0; i--) { -> 524 if (textData[i] >= 0xF0) 525 break; 526 if (i == 0) 527 return; (lldb) p i (int) 30 (lldb) x/32c textData 0x62a000071f43: \n\f\xa0\0VIEW DEMO\xff\n\f\xe0\x01PLAY DEMO\xff\0\0\0\0