Zylann / godot_voxel

Voxel module for Godot Engine

`FastNoise2.update_generator` crashes Godot #466

Open qarmin opened 1 year ago

qarmin commented 1 year ago
```gdscript
extends Node

func _process(delta):
    var temp_variable6364 = FastNoise2.new()
    temp_variable6364.set_noise_type(5)
    temp_variable6364.update_generator()
```

crashes Godot with this backtrace

```
==3041==ERROR: AddressSanitizer: global-buffer-overflow on address 0x00002c72d6df at pc 0x00000ac12e99 bp 0x7fff28ec91a0 sp 0x7fff28ec9190
READ of size 1 at 0x00002c72d6df thread T0
    #0 0xac12e98 in Decode modules/voxel/thirdparty/fast_noise_2/src/FastNoise/Base64.h:105
    #1 0xac19dec in FastNoise::NewFromEncodedNodeTree(char const*, FastSIMD::eLevel) modules/voxel/thirdparty/fast_noise_2/src/FastNoise/Metadata.cpp:301
    #2 0xab6ce34 in zylann::FastNoise2::update_generator() modules/voxel/util/noise/fast_noise_2.cpp:421
    #3 0x368abfa in void call_with_variant_args_helper<__UnexistingClass>(__UnexistingClass*, void (__UnexistingClass::*)(), Variant const**, Callable::CallError&, IndexSequence<>) core/variant/binder_common.h:262
    #4 0x3676d9a in void call_with_variant_args_dv<__UnexistingClass>(__UnexistingClass*, void (__UnexistingClass::*)(), Variant const**, int, Callable::CallError&, Vector<Variant> const&) core/variant/binder_common.h:409
    #5 0x365fb60 in MethodBindT<>::call(Object*, Variant const**, int, Callable::CallError&) core/object/method_bind.h:320
    #6 0x1f3e528e in Object::callp(StringName const&, Variant const**, int, Callable::CallError&) core/object/object.cpp:733
    #7 0x1e8a5bc8 in Variant::callp(StringName const&, Variant const**, int, Variant&, Callable::CallError&) core/variant/variant_call.cpp:1048
    #8 0x4fd9e02 in GDScriptFunction::call(GDScriptInstance*, Variant const**, int, Callable::CallError&, GDScriptFunction::CallState*) modules/gdscript/gdscript_vm.cpp:1555
    #9 0x49d72fc in GDScriptInstance::callp(StringName const&, Variant const**, int, Callable::CallError&) modules/gdscript/gdscript.cpp:1634
    #10 0x141e3598 in bool Node::_gdvirtual__process_call<false>(double) scene/main/node.h:238
    #11 0x1414a094 in Node::_notification(int) scene/main/node.cpp:56
    #12 0x352e963 in Node::_notificationv(int, bool) scene/main/node.h:45
    #13 0x1f3e67e2 in Object::notification(int, bool) core/object/object.cpp:790
    #14 0x142a87e1 in SceneTree::_notify_group_pause(StringName const&, int) scene/main/scene_tree.cpp:868
    #15 0x1429af9d in SceneTree::process(double) scene/main/scene_tree.cpp:466
    #16 0x2dd2f30 in Main::iteration() main/main.cpp:3176
    #17 0x2bfeb2b in OS_LinuxBSD::run() platform/linuxbsd/os_linuxbsd.cpp:785
    #18 0x2bdbbb8 in main platform/linuxbsd/godot_linuxbsd.cpp:73
    #19 0x7f0f9f546d8f  (/lib/x86_64-linux-gnu/libc.so.6+0x29d8f)
    #20 0x7f0f9f546e3f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x29e3f)
    #21 0x2bdb574 in _start (/home/runner/work/godot_voxel/godot_voxel/bin/godot.linuxbsd.editor.dev.x86_64.san+0x2bdb574)

0x00002c72d6df is located 53 bytes to the right of global variable '*.LC15' defined in 'core/string/ustring.cpp' (0x2c72d6a0) of size 10
  '*.LC15' is ascii string 'copy_from'
0x00002c72d6df is located 1 bytes to the left of global variable '*.LC16' defined in 'core/string/ustring.cpp' (0x2c72d6e0) of size 1
  '*.LC16' is ascii string ''
SUMMARY: AddressSanitizer: global-buffer-overflow modules/voxel/thirdparty/fast_noise_2/src/FastNoise/Base64.h:105 in Decode
```

Zylann commented 1 year ago

This happens in thirdparty code. In FastNoise2 you can provide settings as a base64 string. Apparently using an empty string (by not setting any) makes FastNoise2 do wrong things. In this specific case I can check if the string is empty before calling, but I don't know what FastNoise2 will do if the string is not empty but invalid.
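
The guard described above (refuse an empty encoded string before it reaches the third-party decoder), as an added example that is not godot_voxel's or FastNoise2's own code. It assumes the encoded node tree is standard padded Base64; `validate_encoded_node_tree` and `update_generator_guarded` are hypothetical names, and the decoder itself is replaced by a stand-in flag.

```cpp
#include <cstddef>
#include <cstring>
#include <string>

// Added example, not project code. The crash in this issue was a 1-byte
// read past the end of an empty string inside FastNoise2's Decode(); the
// merged workaround only checks for emptiness. The alphabet and padding
// checks below are an added assumption (standard Base64), so a malformed
// non-empty string is also rejected before the decoder ever sees it.
enum class EncodedTreeStatus { Ok, Empty, BadLength, BadChar };

static bool is_base64_char(unsigned char c) {
    return (c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z') ||
           (c >= '0' && c <= '9') || c == '+' || c == '/';
}

// Validate a NUL-terminated encoded string without reading past the terminator.
EncodedTreeStatus validate_encoded_node_tree(const char *encoded) {
    if (encoded == nullptr || encoded[0] == '\0') {
        return EncodedTreeStatus::Empty;
    }
    const size_t len = std::strlen(encoded);
    // Standard Base64 output is padded to a multiple of 4 characters.
    if (len % 4 != 0) {
        return EncodedTreeStatus::BadLength;
    }
    int padding = 0;
    for (size_t i = 0; i < len; ++i) {
        const unsigned char c = static_cast<unsigned char>(encoded[i]);
        if (c == '=') {
            // At most two '=' and only as a trailing run.
            if (++padding > 2) return EncodedTreeStatus::BadChar;
        } else if (padding > 0 || !is_base64_char(c)) {
            return EncodedTreeStatus::BadChar;
        }
    }
    return EncodedTreeStatus::Ok;
}

// Hypothetical call site mirroring update_generator(): the decoder is only
// invoked when the guard passes. decoder_called stands in for the real
// FastNoise::NewFromEncodedNodeTree() call.
bool update_generator_guarded(const std::string &encoded, bool &decoder_called) {
    decoder_called = false;
    if (validate_encoded_node_tree(encoded.c_str()) != EncodedTreeStatus::Ok) {
        return false; // refuse rather than hand a malformed string to Decode()
    }
    decoder_called = true;
    return true;
}
```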

Zylann commented 1 year ago

Workaround in 11301e9e5705ed00a4ecb58e073fca9ee161fff0