bradharding / doomretro

The classic, refined DOOM source port. For Windows PC.
https://www.doomretro.com
GNU General Public License v3.0

use after free #837

Open devnexen opened 3 months ago

devnexen commented 3 months ago

I stumbled across it once and could never reproduce it again. It was on the first Doom 2 level, near the end, while being attacked by two imps. Hope it helps, cheers.

./doomretro -iwad ~/Contribs/DOOM2.WAD 
=================================================================
==8782==ERROR: AddressSanitizer: heap-use-after-free on address 0x5150000ce9f0 at pc 0x55c764e53526 bp 0x7ffcda3afa80 sp 0x7ffcda3afa78
READ of size 4 at 0x5150000ce9f0 thread T0
    #0 0x55c764e53525 in S_AdjustSoundParms /home/dcarlier/Contribs/doomretro/src/s_sound.c:435:33
    #1 0x55c764e53280 in S_UpdateSounds /home/dcarlier/Contribs/doomretro/src/s_sound.c:569:22
    #2 0x55c764bd94c2 in D_DoomLoop /home/dcarlier/Contribs/doomretro/src/d_main.c:482:13
    #3 0x55c764bd2bfd in D_DoomMain /home/dcarlier/Contribs/doomretro/src/d_main.c:2836:5
    #4 0x55c764bde759 in main /home/dcarlier/Contribs/doomretro/src/doomretro.c:214:5
    #5 0x7fb0fb4c0c89 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #6 0x7fb0fb4c0d44 in __libc_start_main csu/../csu/libc-start.c:360:3
    #7 0x55c764a2fb90 in _start (/home/dcarlier/Contribs/doomretro/build/doomretro+0x108b90) (BuildId: c4a68aca4e070dbd7c957650aadaad07394d6934)

0x5150000ce9f0 is located 112 bytes inside of 480-byte region [0x5150000ce980,0x5150000ceb60)
freed by thread T0 here:
    #0 0x55c764aca53a in free (/home/dcarlier/Contribs/doomretro/build/doomretro+0x1a353a) (BuildId: c4a68aca4e070dbd7c957650aadaad07394d6934)
    #1 0x55c764e9879a in Z_Free /home/dcarlier/Contribs/doomretro/src/z_zone.c:147:5
    #2 0x55c764de242d in P_RemoveThinkerDelayed /home/dcarlier/Contribs/doomretro/src/p_tick.c:143:9
    #3 0x55c764de2c8c in P_Ticker /home/dcarlier/Contribs/doomretro/src/p_tick.c:242:9
    #4 0x55c764bf5116 in G_Ticker /home/dcarlier/Contribs/doomretro/src/g_game.c:1098:13
    #5 0x55c764bcd9e1 in TryRunTics /home/dcarlier/Contribs/doomretro/src/d_loop.c:84:9
    #6 0x55c764bd94a6 in D_DoomLoop /home/dcarlier/Contribs/doomretro/src/d_main.c:476:9
    #7 0x55c764bd2bfd in D_DoomMain /home/dcarlier/Contribs/doomretro/src/d_main.c:2836:5
    #8 0x55c764bde759 in main /home/dcarlier/Contribs/doomretro/src/doomretro.c:214:5
    #9 0x7fb0fb4c0c89 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16

previously allocated by thread T0 here:
    #0 0x55c764aca7e2 in malloc (/home/dcarlier/Contribs/doomretro/build/doomretro+0x1a37e2) (BuildId: c4a68aca4e070dbd7c957650aadaad07394d6934)
    #1 0x55c764e97c2e in Z_Malloc /home/dcarlier/Contribs/doomretro/src/z_zone.c:78:22
    #2 0x55c764e982e2 in Z_Calloc /home/dcarlier/Contribs/doomretro/src/z_zone.c:113:39
    #3 0x55c764d62a2e in P_SpawnMobj /home/dcarlier/Contribs/doomretro/src/p_mobj.c:778:25
    #4 0x55c764d6ebcd in P_SpawnMissile /home/dcarlier/Contribs/doomretro/src/p_mobj.c:1660:10
    #5 0x55c764cf01b8 in A_TroopAttack /home/dcarlier/Contribs/doomretro/src/p_enemy.c:1164:5
    #6 0x55c764d587c7 in P_SetMobjState /home/dcarlier/Contribs/doomretro/src/p_mobj.c:84:17
    #7 0x55c764d5b000 in P_MobjThinker /home/dcarlier/Contribs/doomretro/src/p_mobj.c:751:13
    #8 0x55c764de2c8c in P_Ticker /home/dcarlier/Contribs/doomretro/src/p_tick.c:242:9
    #9 0x55c764bf5116 in G_Ticker /home/dcarlier/Contribs/doomretro/src/g_game.c:1098:13
    #10 0x55c764bcd9e1 in TryRunTics /home/dcarlier/Contribs/doomretro/src/d_loop.c:84:9
    #11 0x55c764bd94a6 in D_DoomLoop /home/dcarlier/Contribs/doomretro/src/d_main.c:476:9
    #12 0x55c764bd2bfd in D_DoomMain /home/dcarlier/Contribs/doomretro/src/d_main.c:2836:5
    #13 0x55c764bde759 in main /home/dcarlier/Contribs/doomretro/src/doomretro.c:214:5
    #14 0x7fb0fb4c0c89 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16

SUMMARY: AddressSanitizer: heap-use-after-free /home/dcarlier/Contribs/doomretro/src/s_sound.c:435:33 in S_AdjustSoundParms
Shadow bytes around the buggy address:
  0x5150000ce700: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x5150000ce780: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x5150000ce800: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x5150000ce880: fd fd fd fd fd fd fd fd fd fd fd fd fa fa fa fa
  0x5150000ce900: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x5150000ce980: fd fd fd fd fd fd fd fd fd fd fd fd fd fd[fd]fd
  0x5150000cea00: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x5150000cea80: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x5150000ceb00: fd fd fd fd fd fd fd fd fd fd fd fd fa fa fa fa
  0x5150000ceb80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x5150000cec00: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==8782==ABORTING
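The three stacks above tell the story of the bug: the object is allocated by `P_SpawnMobj` when an imp fires (`A_TroopAttack` -> `P_SpawnMissile`), it is released by `P_RemoveThinkerDelayed` -> `Z_Free` on a later tic, and `S_AdjustSoundParms` then reads it through a sound channel that still holds the origin pointer. The following is an added example, not DOOM Retro's code and not its actual fix: a constructed, pooled simulation (names ending in `_sim` are stand-ins for the engine's `P_SpawnMobj`, `S_StartSound`, `P_RemoveThinkerDelayed` and `S_UpdateSounds`) that reproduces the ordering problem without any real freed-memory access, and shows the usual mitigation of clearing every channel that references an object before that object is released. The `alive` flag plays the role of the `fd` "freed heap region" shadow bytes in the report.

```c
/*
 * Constructed illustration of the dangling-origin pattern in the report above.
 * Not DOOM Retro code: names ending in _sim are hypothetical stand-ins for the
 * engine's P_SpawnMobj / S_StartSound / P_RemoveThinkerDelayed / S_UpdateSounds.
 */
#include <stddef.h>
#include <string.h>

#define MAXMOBJS     16
#define NUMCHANNELS  8

typedef struct {
    int x, y;     /* position the sound code reads each tic */
    int alive;    /* pool bookkeeping: stands in for ASan's "freed" shadow byte */
} mobj_t;

typedef struct {
    mobj_t *origin;   /* raw pointer to the emitting object, as in the engine */
    int     volume;
} channel_t;

static mobj_t    mobjpool[MAXMOBJS];
static channel_t channels[NUMCHANNELS];

/* Reset all state so each scenario runs from a clean slate. */
static void Sim_Reset(void) {
    memset(mobjpool, 0, sizeof mobjpool);
    memset(channels, 0, sizeof channels);
}

/* P_SpawnMobj stand-in: hand out a pooled object instead of calling malloc,
   so a stale pointer can be recognised later without undefined behaviour. */
static mobj_t *SpawnMobj_sim(int x, int y) {
    for (int i = 0; i < MAXMOBJS; i++)
        if (!mobjpool[i].alive) {
            mobjpool[i].x = x;
            mobjpool[i].y = y;
            mobjpool[i].alive = 1;
            return &mobjpool[i];
        }
    return NULL;
}

/* S_StartSound stand-in: a channel records which object is making the noise. */
static int StartSound_sim(mobj_t *origin) {
    for (int i = 0; i < NUMCHANNELS; i++)
        if (channels[i].origin == NULL) {
            channels[i].origin = origin;
            channels[i].volume = 127;
            return i;
        }
    return -1;
}

/* The mitigation: drop every channel that references the object being removed. */
static void StopSoundFrom_sim(mobj_t *origin) {
    for (int i = 0; i < NUMCHANNELS; i++)
        if (channels[i].origin == origin) {
            channels[i].origin = NULL;
            channels[i].volume = 0;
        }
}

/* Buggy removal order: the object dies while channels still point at it
   (the situation the report's P_RemoveThinkerDelayed -> Z_Free frames show). */
static void RemoveMobj_unsafe(mobj_t *mo) {
    mo->alive = 0;
}

/* Hardened removal: silence the object first, then release it. */
static void RemoveMobj_safe(mobj_t *mo) {
    StopSoundFrom_sim(mo);
    mo->alive = 0;
}

/* S_UpdateSounds stand-in: returns how many active channels would have read
   a dead origin this tic (the access ASan flagged in S_AdjustSoundParms). */
static int UpdateSounds_sim(void) {
    int dangling = 0;
    for (int i = 0; i < NUMCHANNELS; i++) {
        if (channels[i].origin == NULL)
            continue;
        if (!channels[i].origin->alive) {
            dangling++;
            continue;
        }
        /* normal path: recompute volume/separation from origin->x, origin->y (omitted) */
    }
    return dangling;
}

/* Scenario from the report: an imp fires, the fireball starts a sound, the
   fireball is removed, then the sound update runs. 'safe' picks the removal order. */
static int RunScenario(int safe) {
    Sim_Reset();
    mobj_t *fireball = SpawnMobj_sim(100, 200);   /* constructed position */
    StartSound_sim(fireball);
    if (safe)
        RemoveMobj_safe(fireball);
    else
        RemoveMobj_unsafe(fireball);
    return UpdateSounds_sim();                    /* 1 dangling channel unsafe, 0 safe */
}
```

`RunScenario(0)` reports one channel reading a dead origin, which is the access the sanitizer caught; `RunScenario(1)` reports none because the channel was cleared before the object went away. In a real engine the same check cannot be made on a pointer into memory that `free()` has already returned, which is why the invariant has to be enforced at removal time (or by having channels hold an index plus a generation counter rather than a raw pointer) instead of being validated at use time.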