FWGS / xash3d-fwgs

Xash3D FWGS engine.

global-buffer-overflow in ref_soft/r_misc.c:104 #280

Open glebm opened 3 years ago

glebm commented 3 years ago
../ref_soft/r_misc.c:233:44: runtime error: left shift of 2488 by 20 places cannot be represented in type 'int'
../ref_soft/r_misc.c:104:14: runtime error: index 1200 out of bounds for type 'int [1200]'
../ref_soft/r_misc.c:104:18: runtime error: store to address 0x7fb851581b60 with insufficient space for an object of type 'int'
0x7fb851581b60: note: pointer points here
 c8 84 2d 00  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  00 00 00 00
              ^ 
=================================================================
==53596==ERROR: AddressSanitizer: global-buffer-overflow on address 0x7fb851581b60 at pc 0x7fb850e07f7a bp 0x7fff8f6012d0 sp 0x7fff8f6012c0
WRITE of size 4 at 0x7fb851581b60 thread T0
    #0 0x7fb850e07f79 in D_ViewChanged ../ref_soft/r_misc.c:104
    #1 0x7fb850e0b61d in R_ViewChanged ../ref_soft/r_misc.c:304
    #2 0x7fb850e0bd0c in R_SetupFrameQ ../ref_soft/r_misc.c:355
    #3 0x7fb850df1469 in R_SetupFrame ../ref_soft/r_main.c:651
    #4 0x7fb850dfdf82 in R_RenderScene ../ref_soft/r_main.c:1606
    #5 0x7fb850dfe6c4 in R_RenderFrame ../ref_soft/r_main.c:1776
    #6 0x7fb86716db6c in GL_RenderFrame ../engine/client/ref_common.c:60
    #7 0x7fb867126ae8 in V_RenderView ../engine/client/cl_view.c:339
    #8 0x7fb8670f7604 in SCR_UpdateScreen ../engine/client/cl_scrn.c:520
    #9 0x7fb86709def4 in Host_ClientFrame ../engine/client/cl_main.c:3037
    #10 0x7fb866e10f4c in Host_Frame ../engine/common/host.c:642
    #11 0x7fb866e132b1 in Host_RunFrame ../engine/common/host_state.c:144
    #12 0x7fb866e135b1 in COM_Frame ../engine/common/host_state.c:194
    #13 0x7fb866e12435 in Host_Main ../engine/common/host.c:1107
    #14 0x5588ea99d719 in Sys_Start ../game_launch/game.cpp:134
    #15 0x5588ea99d719 in main ../game_launch/game.cpp:146
    #16 0x7fb86bcddcb1 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x28cb1)
    #17 0x5588ea99d2ad in _start (/usr/lib/xash3d/xash3d+0x22ad)

0x7fb851581b60 is located 32 bytes to the left of global variable 'd_scalemip' defined in '../ref_soft/r_misc.c:32:9' (0x7fb851581b80) of size 12
0x7fb851581b60 is located 0 bytes to the right of global variable 'd_scantable' defined in '../ref_soft/r_misc.c:41:6' (0x7fb8515808a0) of size 4800
0x7fb851581b60 is located 32 bytes to the left of global variable 'd_scalemip' defined in '../ref_soft/r_misc.c:32:9' (0x7fb851581b80) of size 12
0x7fb851581b60 is located 0 bytes to the right of global variable 'd_scantable' defined in '../ref_soft/r_misc.c:41:6' (0x7fb8515808a0) of size 4800
SUMMARY: AddressSanitizer: global-buffer-overflow ../ref_soft/r_misc.c:104 in D_ViewChanged
lewa-j commented 3 years ago

Looks like it's due to resolution. https://github.com/FWGS/xash3d-fwgs/blob/master/ref_soft/r_local.h#L783

glebm commented 3 years ago

Just increasing these 2 numbers causes a different crash unfortunately

There is this comment there:

// !!! if this is changed, it must be changed in d_ifacea.h too !!!

But I can't find the d_ifacea.h file

lewa-j commented 3 years ago

Try decreasing your resolution, to be sure this is the cause.

glebm commented 3 years ago

Decreasing the resolution fixes this crash

nekonomicon commented 3 years ago

> But I can't find the d_ifacea.h file

There are many comments from the Quake engine and Half-Life SDK.
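The two sanitizer findings in the report have the same root cause: the software renderer keeps per-row and per-pixel bookkeeping in fixed-size tables and 32-bit fixed-point fields sized for a maximum resolution, and a taller or wider viewport simply runs past them. The following is an added example, not code from the xash3d-fwgs repository. It keeps only the facts visible in the report (a table named d_scantable of 1200 ints, a row loop that writes one entry per screen row, and a value of 2488 shifted left by 20 in an int); the limit name MAXHEIGHT, the function names and the fill formula are assumptions chosen for illustration. It shows how far an unchecked fill would overrun for a given height, and the two bounds checks a renderer can apply before writing the table or forming the 20-bit fixed-point value.

```c
/* Added example: bounds checks for a resolution-sized scan table and a
 * 20-bit fixed-point conversion. Not the engine's code; MAXHEIGHT, the
 * function names and the i * screenwidth formula are assumptions. */
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

#define MAXHEIGHT   1200             /* matches 'int [1200]' in the ASan report */
#define SHIFT20_MAX (INT_MAX >> 20)  /* 2047: largest int that survives << 20 */

/* One int per screen row, indexed by row number: the table the report
 * shows being written one element past its end (index 1200 of 1200). */
static int d_scantable[MAXHEIGHT];

/* How many rows an unchecked "for (i = 0; i < height; i++)" fill would
 * write beyond the table. Zero means the height fits. */
int scantable_overrun_rows(int height)
{
    return height > MAXHEIGHT ? height - MAXHEIGHT : 0;
}

/* Checked fill: reject a viewport the table cannot hold instead of
 * writing past it. Returns 0 on success, -1 when the height is invalid. */
int scantable_fill_checked(int height, int screenwidth)
{
    if (height < 0 || height > MAXHEIGHT)
        return -1;
    for (int i = 0; i < height; i++)
        d_scantable[i] = i * screenwidth;   /* assumed row-offset formula */
    return 0;
}

/* Checked 20-bit fixed-point conversion. "2488 << 20" does not fit in a
 * 32-bit int (2488 * 2^20 > INT_MAX), which is the line-233 finding in the
 * report; refuse any value above SHIFT20_MAX rather than invoke UB. */
int shift20_checked(int v, int32_t *out)
{
    if (v < 0 || v > SHIFT20_MAX)
        return -1;
    *out = (int32_t)v << 20;
    return 0;
}

int main(void)
{
    /* Constructed sample viewports: one inside the limits, one outside. */
    const int heights[] = { 1080, 1440 };
    const int widths[]  = { 1920, 2488 };

    for (int k = 0; k < 2; k++) {
        int32_t fixed;
        printf("height %4d: overrun %3d rows, fill %s\n",
               heights[k], scantable_overrun_rows(heights[k]),
               scantable_fill_checked(heights[k], widths[k]) == 0 ? "ok" : "rejected");
        printf("width  %4d << 20: %s\n", widths[k],
               shift20_checked(widths[k], &fixed) == 0 ? "fits" : "would overflow int");
    }
    return 0;
}
```

Run as written, the 1080-row case fills the table and converts its width, while the 1440-row case is rejected on both counts: 240 rows of overrun and a width of 2488 that exceeds the 2047 an int can carry through a 20-bit shift. In a renderer the rejected case would be the point to clamp the viewport to the table size (or size the table from the real display height) before any per-row writes happen.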