| Summary: | Buffer overflow on SDL_INIT_GAMECONTROLLER | | |
|---|---|---|---|
| Product: | SDL | Reporter: | Ryan C. Gordon <icculus> |
| Component: | joystick | Assignee: | Sam Lantinga <slouken> |
| Status: | RESOLVED FIXED | QA Contact: | Sam Lantinga <slouken> |
| Severity: | normal | | |
| Priority: | P2 | CC: | kai.sterker, sezeroz |
| Version: | HG 2.0 | | |
| Hardware: | x86 | | |
| OS: | Other | | |
Possibly related, after updating to latest hg (11596:9d8ea0382c52), I get a crash on exit.
Thread 1 "adonthell-0.3" received signal SIGABRT, Aborted.
0x00007ffff5f31428 in __GI_raise (sig=sig@entry=6)
at ../sysdeps/unix/sysv/linux/raise.c:54
54 ../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
(gdb) bt
#0 0x00007ffff5f31428 in __GI_raise (sig=sig@entry=6)
at ../sysdeps/unix/sysv/linux/raise.c:54
#1 0x00007ffff5f3302a in __GI_abort () at abort.c:89
#2 0x00007ffff5f737ea in __libc_message (do_abort=do_abort@entry=2,
fmt=fmt@entry=0x7ffff608ce98 "*** Error in `%s': %s: 0x%s ***\n")
at ../sysdeps/posix/libc_fatal.c:175
#3 0x00007ffff5f7c37a in malloc_printerr (ar_ptr=<optimised out>,
ptr=<optimised out>,
str=0x7ffff608cf10 "free(): invalid next size (fast)", action=3)
at malloc.c:5006
#4 _int_free (av=<optimised out>, p=<optimised out>, have_lock=0)
at malloc.c:3867
#5 0x00007ffff5f8053c in __GI___libc_free (mem=<optimised out>)
at malloc.c:2968
#6 0x00007ffff7ab806a in SDL_StopEventLoop ()
at /home/kai/adonthell/dev/SDL/src/events/SDL_events.c:377
#7 0x00007ffff7a98e4a in SDL_QuitSubSystem_REAL (flags=<optimised out>,
flags@entry=16384) at /home/kai/adonthell/dev/SDL/src/SDL.c:313
#8 0x00007ffff7ac6158 in SDL_JoystickQuit ()
at /home/kai/adonthell/dev/SDL/src/joystick/SDL_joystick.c:564
#9 0x00007ffff7a98fe0 in SDL_QuitSubSystem_REAL (flags=29233)
at /home/kai/adonthell/dev/SDL/src/SDL.c:264
#10 SDL_Quit_REAL () at /home/kai/adonthell/dev/SDL/src/SDL.c:354
#11 0x000000000047de09 in main ()
Might be something different, as I cannot reproduce it with the SDL test programs (tried both testgamecontroller and testdraw2), but smells like a memory issue to me.
AddressSanitizer finds a buffer overflow on SDL_Init(SDL_INIT_GAMECONTROLLER) ... tested against revision 11596:9d8ea0382c52

#include "SDL.h"

/* Minimal repro: initialising the game controller subsystem is enough. */
int main(void)
{
    SDL_Init(SDL_INIT_GAMECONTROLLER);
    return 0;
}

ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000d438 at pc 0x000103289c35 bp 0x7fff5c9a8450 sp 0x7fff5c9a8448
WRITE of size 8 at 0x60200000d438 thread T0
    #0 0x103289c34 in SDL_AddEventWatch_REAL SDL_events.c:809
    #1 0x103298ec8 in SDL_GameControllerInit SDL_gamecontroller.c:1226
    #2 0x10326315c in SDL_InitSubSystem_REAL SDL.c:211
    #3 0x103257f68 in main (x:x86_64+0x100000f68)
    #4 0x7fff8d135234 in start (libdyld.dylib:x86_64+0x5234)

0x60200000d438 is located 0 bytes to the right of 8-byte region [0x60200000d430,0x60200000d438)
allocated by thread T0 here:
    #0 0x103645680 in wrap_realloc (libclang_rt.asan_osx_dynamic.dylib:x86_64+0x56680)
    #1 0x103289b90 in SDL_AddEventWatch_REAL SDL_events.c:802
    #2 0x103298ec8 in SDL_GameControllerInit SDL_gamecontroller.c:1226
    #3 0x10326315c in SDL_InitSubSystem_REAL SDL.c:211
    #4 0x103257f68 in main (x:x86_64+0x100000f68)
    #5 0x7fff8d135234 in start (libdyld.dylib:x86_64+0x5234)

SUMMARY: AddressSanitizer: heap-buffer-overflow SDL_events.c:809 in SDL_AddEventWatch_REAL
Shadow bytes around the buggy address:
  0x1c0400001a30: fa fa 00 00 fa fa 00 00 fa fa 00 07 fa fa 00 07
  0x1c0400001a40: fa fa 00 07 fa fa 00 07 fa fa 00 04 fa fa 00 06
  0x1c0400001a50: fa fa 00 07 fa fa 00 00 fa fa fd fd fa fa fd fd
  0x1c0400001a60: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
  0x1c0400001a70: fa fa fd fd fa fa fd fd fa fa fd fd fa fa 03 fa
=>0x1c0400001a80: fa fa fd fd fa fa 00[fa]fa fa fa fa fa fa fa fa
  0x1c0400001a90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c0400001aa0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c0400001ab0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c0400001ac0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c0400001ad0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
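Added example (not SDL's code and not part of the report above): the report shows a realloc() at SDL_events.c:802 producing an 8-byte region and a WRITE of size 8 at SDL_events.c:809 landing 0 bytes to the right of it, which is a store to element index 1 of an array that was sized for one element. The SDL source lines themselves are not on this page, so the buggy pattern sketched in the comment below is a hypothetical reconstruction consistent with that report, not the real code; it is followed by the corrected grow-then-store routine and a small helper that maps an allocation size and index onto ASan's "N bytes to the right" wording. All names (watcher_t, watch_list_add, overflow_offset) are made up for the illustration.

```c
#include <stdlib.h>
#include <stdint.h>

/* Hypothetical watcher record. In the ASan report above the element written
 * was 8 bytes (one pointer); here it is a callback plus userdata. */
typedef void (*watch_fn)(void *userdata);

typedef struct {
    watch_fn callback;
    void *userdata;
} watcher_t;

typedef struct {
    watcher_t *items;   /* realloc()-grown array */
    size_t count;       /* number of valid entries: indices 0 .. count-1 */
} watch_list_t;

/*
 * The shape of bug ASan describes ("8-byte region ... WRITE of size 8 ...
 * 0 bytes to the right"), as a constructed sketch rather than SDL's code:
 *
 *     list->count++;
 *     list->items = realloc(list->items, list->count * sizeof *list->items);
 *     list->items[list->count] = w;      // one past the end of the new buffer
 *
 * After the realloc the buffer holds `count` entries, so the last valid slot
 * is count-1. Adding the first watcher gives a one-element (8-byte) region and
 * a store to index 1, exactly the report above. The write is deliberately not
 * executed in this file.
 */

/* Corrected add: size for count+1 entries, store at the old count, then bump. */
static int watch_list_add(watch_list_t *list, watch_fn cb, void *ud)
{
    if (list->count == SIZE_MAX / sizeof *list->items)
        return -1;                          /* count+1 would overflow the size */
    size_t new_count = list->count + 1;
    watcher_t *grown = realloc(list->items, new_count * sizeof *grown);
    if (grown == NULL)
        return -1;                          /* old buffer is still valid */
    list->items = grown;
    list->items[list->count] = (watcher_t){ cb, ud };
    list->count = new_count;
    return 0;
}

static void watch_list_free(watch_list_t *list)
{
    free(list->items);
    list->items = NULL;
    list->count = 0;
}

/* Map an allocation onto ASan's wording: for a buffer sized for n_alloc
 * elements of elem_size bytes and a store to element idx, return how many
 * bytes to the right of the region the store begins, or -1 when in bounds. */
static long overflow_offset(size_t n_alloc, size_t elem_size, size_t idx)
{
    if (idx < n_alloc)
        return -1;
    return (long)((idx - n_alloc) * elem_size);
}

/* Self-check: add three watchers with the corrected routine, dispatch once,
 * and return how many callbacks ran. Returns -1 on allocation failure. */
static void count_call(void *ud) { ++*(int *)ud; }

static int demo_fixed_add(void)
{
    watch_list_t list = { NULL, 0 };
    int fired = 0;
    for (int i = 0; i < 3; i++) {
        if (watch_list_add(&list, count_call, &fired) != 0) {
            watch_list_free(&list);
            return -1;
        }
    }
    for (size_t i = 0; i < list.count; i++)
        list.items[i].callback(list.items[i].userdata);
    watch_list_free(&list);
    return fired;
}

int main(void)
{
    /* 1 element of 8 bytes, store to index 1: "0 bytes to the right" */
    return (demo_fixed_add() == 3 && overflow_offset(1, 8, 1) == 0) ? 0 : 1;
}
```

Build with -fsanitize=address and the corrected routine stays silent; swap in the commented pattern and ASan reports the same shape of heap-buffer-overflow at the store. Without the sanitizer a small overrun like this may not fault at the write at all and, if it shows up, does so later when the allocator inspects the neighbouring chunk, which is why the ASan report pinpoints the bug far more precisely than a glibc abort at free() time.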