When dismissing the legal billboard fade quad thingie too early in NWN (by, for example, hammering the mouse button during NWN startup), there's a use-after-free:
===================================================================7597==ERROR: AddressSanitizer: heap-use-after-free on address 0x61a001651310 at pc 0x55df93ffc5c1 bp 0x7f39552db610 sp 0x7f39552db600READ of size 8 at 0x61a001651310 thread T2 #0 0x55df93ffc5c0 in Graphics::Aurora::AnimationThread::registerModelInternal(Graphics::Aurora::Model*) /home/drmccoy/projects/xoreos/xoreos/src/graphics/aurora/animationthread.cpp:149 #1 0x55df93ffd540 in Graphics::Aurora::AnimationThread::registerQueuedModels() /home/drmccoy/projects/xoreos/xoreos/src/graphics/aurora/animationthread.cpp:143 #2 0x55df93ffe9fe in Graphics::Aurora::AnimationThread::threadMethod() /home/drmccoy/projects/xoreos/xoreos/src/graphics/aurora/animationthread.cpp:105 #3 0x55df94731823 in Common::Thread::threadHelper(void*) /home/drmccoy/projects/xoreos/xoreos/src/common/thread.cpp:108 #4 0x55df94734aaf in int std::__invoke_impl<int, int (*)(void*), void*>(std::__invoke_other, int (*&&)(void*), void*&&) /usr/lib/gcc/x86_64-pc-linux-gnu/8.3.0/include/g++-v8/bits/invoke.h:60 #5 0x55df94734aaf in std::__invoke_result<int (*)(void*), void*>::type std::__invoke<int (*)(void*), void*>(int (*&&)(void*), void*&&) /usr/lib/gcc/x86_64-pc-linux-gnu/8.3.0/include/g++-v8/bits/invoke.h:95 #6 0x55df94734aaf in decltype (__invoke((_S_declval<0ul>)(), (_S_declval<1ul>)())) std::thread::_Invoker<std::tuple<int (*)(void*), void*> >::_M_invoke<0ul, 1ul>(std::_Index_tuple<0ul, 1ul>) /usr/lib/gcc/x86_64-pc-linux-gnu/8.3.0/include/g++-v8/thread:244 #7 0x55df94734aaf in std::thread::_Invoker<std::tuple<int (*)(void*), void*> >::operator()() /usr/lib/gcc/x86_64-pc-linux-gnu/8.3.0/include/g++-v8/thread:253 #8 0x55df94734aaf in std::thread::_State_impl<std::thread::_Invoker<std::tuple<int (*)(void*), void*> > >::_M_run() /usr/lib/gcc/x86_64-pc-linux-gnu/8.3.0/include/g++-v8/thread:196 #9 0x7f396a0f7bdd in execute_native_thread_routine /var/tmp/portage/sys-devel/gcc-8.3.0/work/gcc-8.3.0/libstdc++-v3/src/c++11/thread.cc:80 #10 
0x7f396c774469 in start_thread /var/tmp/portage/sys-libs/glibc-2.28-r5/work/glibc-2.28/nptl/pthread_create.c:486 #11 0x7f3969293f3e in clone (/lib64/libc.so.6+0x105f3e)0x61a001651310 is located 144 bytes inside of 1352-byte region [0x61a001651280,0x61a0016517c8)freed by thread T8 here: #0 0x7f396c87f210 in operator delete(void*) /var/tmp/portage/sys-devel/gcc-8.3.0/work/gcc-8.3.0/libsanitizer/asan/asan_new_delete.cc:135 #1 0x55df92d58637 in Engines::NWN::FadeModel::~FadeModel() /home/drmccoy/projects/xoreos/xoreos/src/engines/nwn/gui/legal.cpp:90 #2 0x55df92d58637 in void Common::DeallocatorDefault::destroy<Engines::NWN::FadeModel>(Engines::NWN::FadeModel*) /home/drmccoy/projects/xoreos/xoreos/src/common/deallocator.h:44 #3 0x55df92d58637 in Common::ScopedPtrBase<Engines::NWN::FadeModel, Common::DeallocatorDefault>::reset(Engines::NWN::FadeModel*) /home/drmccoy/projects/xoreos/xoreos/src/common/scopedptr.h:88 #4 0x55df92d58637 in Engines::NWN::Legal::fadeIn() /home/drmccoy/projects/xoreos/xoreos/src/engines/nwn/gui/legal.cpp:165 #5 0x55df92b69fff in Engines::NWN::Game::mainMenu(bool, bool) /home/drmccoy/projects/xoreos/xoreos/src/engines/nwn/game.cpp:165 #6 0x55df92b6ab19 in Engines::NWN::Game::run() /home/drmccoy/projects/xoreos/xoreos/src/engines/nwn/game.cpp:82 #7 0x55df92b3fe7b in Engines::NWN::NWNEngine::run() /home/drmccoy/projects/xoreos/xoreos/src/engines/nwn/nwn.cpp:131 #8 0x55df9312ac56 in Engines::GameInstanceEngine::run() /home/drmccoy/projects/xoreos/xoreos/src/engines/enginemanager.cpp:225 #9 0x55df9312cc10 in Engines::EngineManager::run(Engines::GameInstance&) const /home/drmccoy/projects/xoreos/xoreos/src/engines/enginemanager.cpp:252 #10 0x55df9312e5bb in Engines::GameThread::threadMethod() /home/drmccoy/projects/xoreos/xoreos/src/engines/gamethread.cpp:87 #11 0x55df94731823 in Common::Thread::threadHelper(void*) /home/drmccoy/projects/xoreos/xoreos/src/common/thread.cpp:108 #12 0x55df94734aaf in int std::__invoke_impl<int, int (*)(void*), 
void*>(std::__invoke_other, int (*&&)(void*), void*&&) /usr/lib/gcc/x86_64-pc-linux-gnu/8.3.0/include/g++-v8/bits/invoke.h:60 #13 0x55df94734aaf in std::__invoke_result<int (*)(void*), void*>::type std::__invoke<int (*)(void*), void*>(int (*&&)(void*), void*&&) /usr/lib/gcc/x86_64-pc-linux-gnu/8.3.0/include/g++-v8/bits/invoke.h:95 #14 0x55df94734aaf in decltype (__invoke((_S_declval<0ul>)(), (_S_declval<1ul>)())) std::thread::_Invoker<std::tuple<int (*)(void*), void*> >::_M_invoke<0ul, 1ul>(std::_Index_tuple<0ul, 1ul>) /usr/lib/gcc/x86_64-pc-linux-gnu/8.3.0/include/g++-v8/thread:244 #15 0x55df94734aaf in std::thread::_Invoker<std::tuple<int (*)(void*), void*> >::operator()() /usr/lib/gcc/x86_64-pc-linux-gnu/8.3.0/include/g++-v8/thread:253 #16 0x55df94734aaf in std::thread::_State_impl<std::thread::_Invoker<std::tuple<int (*)(void*), void*> > >::_M_run() /usr/lib/gcc/x86_64-pc-linux-gnu/8.3.0/include/g++-v8/thread:196 #17 0x7f396a0f7bdd in execute_native_thread_routine /var/tmp/portage/sys-devel/gcc-8.3.0/work/gcc-8.3.0/libstdc++-v3/src/c++11/thread.cc:80previously allocated by thread T8 here: #0 0x7f396c87e3a0 in operator new(unsigned long) /var/tmp/portage/sys-devel/gcc-8.3.0/work/gcc-8.3.0/libsanitizer/asan/asan_new_delete.cc:90 #1 0x55df92d56437 in Engines::NWN::Legal::Legal() /home/drmccoy/projects/xoreos/xoreos/src/engines/nwn/gui/legal.cpp:137 #2 0x55df92b69ff3 in Engines::NWN::Game::mainMenu(bool, bool) /home/drmccoy/projects/xoreos/xoreos/src/engines/nwn/game.cpp:163 #3 0x55df92b6ab19 in Engines::NWN::Game::run() /home/drmccoy/projects/xoreos/xoreos/src/engines/nwn/game.cpp:82 #4 0x55df92b3fe7b in Engines::NWN::NWNEngine::run() /home/drmccoy/projects/xoreos/xoreos/src/engines/nwn/nwn.cpp:131 #5 0x55df9312ac56 in Engines::GameInstanceEngine::run() /home/drmccoy/projects/xoreos/xoreos/src/engines/enginemanager.cpp:225 #6 0x55df9312cc10 in Engines::EngineManager::run(Engines::GameInstance&) const 
/home/drmccoy/projects/xoreos/xoreos/src/engines/enginemanager.cpp:252 #7 0x55df9312e5bb in Engines::GameThread::threadMethod() /home/drmccoy/projects/xoreos/xoreos/src/engines/gamethread.cpp:87 #8 0x55df94731823 in Common::Thread::threadHelper(void*) /home/drmccoy/projects/xoreos/xoreos/src/common/thread.cpp:108 #9 0x55df94734aaf in int std::__invoke_impl<int, int (*)(void*), void*>(std::__invoke_other, int (*&&)(void*), void*&&) /usr/lib/gcc/x86_64-pc-linux-gnu/8.3.0/include/g++-v8/bits/invoke.h:60 #10 0x55df94734aaf in std::__invoke_result<int (*)(void*), void*>::type std::__invoke<int (*)(void*), void*>(int (*&&)(void*), void*&&) /usr/lib/gcc/x86_64-pc-linux-gnu/8.3.0/include/g++-v8/bits/invoke.h:95 #11 0x55df94734aaf in decltype (__invoke((_S_declval<0ul>)(), (_S_declval<1ul>)())) std::thread::_Invoker<std::tuple<int (*)(void*), void*> >::_M_invoke<0ul, 1ul>(std::_Index_tuple<0ul, 1ul>) /usr/lib/gcc/x86_64-pc-linux-gnu/8.3.0/include/g++-v8/thread:244 #12 0x55df94734aaf in std::thread::_Invoker<std::tuple<int (*)(void*), void*> >::operator()() /usr/lib/gcc/x86_64-pc-linux-gnu/8.3.0/include/g++-v8/thread:253 #13 0x55df94734aaf in std::thread::_State_impl<std::thread::_Invoker<std::tuple<int (*)(void*), void*> > >::_M_run() /usr/lib/gcc/x86_64-pc-linux-gnu/8.3.0/include/g++-v8/thread:196 #14 0x7f396a0f7bdd in execute_native_thread_routine /var/tmp/portage/sys-devel/gcc-8.3.0/work/gcc-8.3.0/libstdc++-v3/src/c++11/thread.cc:80Thread T2 created by T0 here: #0 0x7f396c7e0a73 in __interceptor_pthread_create /var/tmp/portage/sys-devel/gcc-8.3.0/work/gcc-8.3.0/libsanitizer/asan/asan_interceptors.cc:202 #1 0x7f396a0f7ec4 in __gthread_create /var/tmp/portage/sys-devel/gcc-8.3.0/work/build/x86_64-pc-linux-gnu/libstdc++-v3/include/x86_64-pc-linux-gnu/bits/gthr-default.h:662 #2 0x7f396a0f7ec4 in std::thread::_M_start_thread(std::unique_ptr<std::thread::_State, std::default_delete<std::thread::_State> >, void (*)()) 
/var/tmp/portage/sys-devel/gcc-8.3.0/work/gcc-8.3.0/libstdc++-v3/src/c++11/thread.cc:135 #3 0x55df93acddae in Graphics::GraphicsManager::init() /home/drmccoy/projects/xoreos/xoreos/src/graphics/graphics.cpp:158 #4 0x55df922eb2d9 in init /home/drmccoy/projects/xoreos/xoreos/src/xoreos.cpp:313 #5 0x55df922eb2d9 in main /home/drmccoy/projects/xoreos/xoreos/src/xoreos.cpp:189 #6 0x7f39691b0c06 in __libc_start_main ../csu/libc-start.c:308Thread T8 created by T0 here: #0 0x7f396c7e0a73 in __interceptor_pthread_create /var/tmp/portage/sys-devel/gcc-8.3.0/work/gcc-8.3.0/libsanitizer/asan/asan_interceptors.cc:202 #1 0x7f396a0f7ec4 in __gthread_create /var/tmp/portage/sys-devel/gcc-8.3.0/work/build/x86_64-pc-linux-gnu/libstdc++-v3/include/x86_64-pc-linux-gnu/bits/gthr-default.h:662 #2 0x7f396a0f7ec4 in std::thread::_M_start_thread(std::unique_ptr<std::thread::_State, std::default_delete<std::thread::_State> >, void (*)()) /var/tmp/portage/sys-devel/gcc-8.3.0/work/gcc-8.3.0/libstdc++-v3/src/c++11/thread.cc:135 #3 0x55df9313046b in Engines::GameThread::run() /home/drmccoy/projects/xoreos/xoreos/src/engines/gamethread.cpp:79 #4 0x55df922eb6e8 in main /home/drmccoy/projects/xoreos/xoreos/src/xoreos.cpp:202 #5 0x7f39691b0c06 in __libc_start_main ../csu/libc-start.c:308SUMMARY: AddressSanitizer: heap-use-after-free /home/drmccoy/projects/xoreos/xoreos/src/graphics/aurora/animationthread.cpp:149 in Graphics::Aurora::AnimationThread::registerModelInternal(Graphics::Aurora::Model*)Shadow bytes around the buggy address: 0x0c34802c2210: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c34802c2220: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c34802c2230: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c34802c2240: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c34802c2250: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd=>0x0c34802c2260: fd fd[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c34802c2270: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c34802c2280: fd fd fd 
fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c34802c2290: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c34802c22a0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c34802c22b0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fdShadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb==7597==ABORTING