CleverRaven / Cataclysm-DDA

Cataclysm - Dark Days Ahead. A turn-based survival game set in a post-apocalyptic world.
http://cataclysmdda.org

out of bounds array access to map cache in cata_tiles::draw_critter_above #73754

Closed mischief closed 4 months ago

mischief commented 4 months ago

Describe the bug

#0  0x00007f4e7d48d08c in ?? () from /usr/lib64/libc.so.6
#1  0x00007f4e7d43f112 in raise () from /usr/lib64/libc.so.6
#2  0x00007f4e7d4284f2 in abort () from /usr/lib64/libc.so.6
#3  0x00007f4e7d6d69e9 in std::__glibcxx_assert_fail (file=file@entry=0x560ee8f1ba80 "/usr/lib/gcc/x86_64-pc-linux-gnu/13/include/g++-v13/array", line=line@entry=0xca, function=function@entry=0x560ee8f35798 "constexpr std::array<_Tp, _Nm>::value_type& std::array<_Tp, _Nm>::operator[](size_type) [with _Tp = std::unique_ptr<level_cache>; long unsigned int _Nm = 21; reference = std::unique_ptr<level_cache>&;"..., condition=condition@entry=0x560ee8ecdeea "__n < this->size()") at /var/tmp/portage/sys-devel/gcc-13.2.1_p20240503/work/gcc-13-20240503/libstdc++-v3/src/c++11/assert_fail.cc:41
#4  0x0000560ee7937867 in std::array<std::unique_ptr<level_cache, std::default_delete<level_cache> >, 21ul>::operator[] (this=<optimized out>, __n=<optimized out>) at /usr/lib/gcc/x86_64-pc-linux-gnu/13/include/g++-v13/array:200
#5  std::array<std::unique_ptr<level_cache, std::default_delete<level_cache> >, 21ul>::operator[] (__n=<optimized out>, this=<optimized out>) at /usr/lib/gcc/x86_64-pc-linux-gnu/13/include/g++-v13/array:200
#6  map::get_cache (this=<optimized out>, zlev=<optimized out>) at ../src/map.h:2337
#7  0x0000560ee7a06af5 in map::dont_draw_lower_floor (this=this@entry=0x560eec31b290, p=...) at ../src/map.cpp:7106
#8  0x0000560ee890af5b in cata_tiles::draw_critter_above (this=this@entry=0x560eec35ec20, p=..., ll=ll@entry=lit_level::BRIGHT, height_3d=@0x560f0038fb1c: 0x0, invisible=...) at ../src/cata_tiles.cpp:4141
#9  0x0000560ee8911ae9 in cata_tiles::draw (this=0x560eec35ec20, dest=..., center=..., width=<optimized out>, height=<optimized out>, overlay_strings=std::multimap with 0 elements, color_blocks={...}) at ../src/cata_tiles.cpp:1752
#10 0x0000560ee83869bc in cata_cursesport::curses_drawwindow (w=...) at ../src/sdltiles.cpp:1288
#11 0x0000560ee732c1c5 in catacurses::wnoutrefresh (win_=...) at ../src/cursesport.cpp:189
#12 0x0000560ee7458ea4 in game::draw (this=0x560eec348a50, ui=...) at ../src/game.cpp:3996
#13 0x0000560ee84cfe51 in std::function<void (ui_adaptor&)>::operator()(ui_adaptor&) const (__args#0=..., this=0x560eed530a68) at /usr/lib/gcc/x86_64-pc-linux-gnu/13/include/g++-v13/bits/std_function.h:591
#14 ui_adaptor::redraw_invalidated () at ../src/ui_manager.cpp:440
#15 0x0000560ee84d00bd in ui_adaptor::redraw () at ../src/ui_manager.cpp:345
#16 0x0000560ee84d04e5 in ui_manager::redraw () at ../src/ui_manager.cpp:506
#17 0x0000560ee735d5d6 in do_turn () at ../src/do_turn.cpp:570
#18 0x0000560ee6ff7bb5 in main (argc=<optimized out>, argv=<optimized out>) at ../src/main.cpp:868

in cata_tiles::draw_critter_above, scan_p.z becomes 11 which breaks the bounds of the map cache by 1 in map::dont_draw_lower_floor.

Attach save file

N/A

Steps to reproduce

i was standing on a radio tower.

Expected behavior

not crashing.

Screenshots

No response

Versions and configuration

cdda-experimental-2024-05-12-2300-6-g8ef4be2a5e / gentoo

Additional context

No response

mischief commented 4 months ago

duplicates #73530

mischief commented 4 months ago

nvm, #73653 is incomplete. bound check needs to happen before dont_draw_lower_floor is called.

mischief commented 4 months ago

to reproduce, walk up the radio tower.

charlotte_park.tgz
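
The ordering issue raised in this thread (the z bound has to be tested before the per-level cache is indexed), as an added sketch that is not Cataclysm-DDA's own code. The `_sketch` types, `scan_above`, `cache_exists` and the -10..10 level range are assumptions; the range is inferred from the 21-slot array in the trace and the report that z = 11 overruns it by one.

```cpp
#include <array>
#include <cstddef>
#include <cstdio>
#include <memory>
#include <vector>

// Assumed bounds, inferred from the trace: 21 slots, and z = 11 is one past the end.
constexpr int MIN_Z = -10;
constexpr int MAX_Z = 10;
constexpr std::size_t LAYERS = MAX_Z - MIN_Z + 1;

struct level_cache_sketch { bool floor_is_opaque = false; };  // hypothetical stand-in

struct map_sketch {
    std::array<std::unique_ptr<level_cache_sketch>, LAYERS> caches;
    map_sketch() { for (auto &c : caches) c = std::make_unique<level_cache_sketch>(); }

    static bool inbounds_z(int z) { return z >= MIN_Z && z <= MAX_Z; }

    // Defence in depth: the accessor refuses an out-of-range level itself.
    const level_cache_sketch *get_cache(int z) const {
        return inbounds_z(z) ? caches[static_cast<std::size_t>(z - MIN_Z)].get() : nullptr;
    }
    // Treat "no such level" as "nothing to draw through".
    bool dont_draw_lower_floor(int z) const {
        const level_cache_sketch *c = get_cache(z);
        return c == nullptr || c->floor_is_opaque;
    }
};

// Levels a scan for a critter above `player_z` would query, in order.
// The z bound is tested first, so && short-circuits before any cache lookup.
std::vector<int> scan_above(int player_z) {
    static const map_sketch here;
    std::vector<int> queried;
    for (int z = player_z + 1; map_sketch::inbounds_z(z) && !here.dont_draw_lower_floor(z); ++z) {
        queried.push_back(z);
    }
    return queried;
}

bool cache_exists(int z) {
    static const map_sketch here;
    return here.get_cache(z) != nullptr;
}

int main() {
    std::printf("from z=10: %zu levels, from z=8: %zu levels\n",
                scan_above(10).size(), scan_above(8).size());
}
```

Building with `-D_GLIBCXX_ASSERTIONS`, as the reporter's toolchain evidently does, turns any remaining out-of-range `std::array::operator[]` into the same abort seen in frame #3 rather than a silent read past the array.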