
Buffer overflow read when crashing when in cockpit view #293

Closed madebr closed 3 months ago

madebr commented 1 year ago

When in cockpit view, there is an out-of-bounds buffer read when driving into something. It is very easy to reproduce when building with AddressSanitizer.

Terminal log ``` ==52185==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x63000003fe44 at pc 0x7fb7cd249e0b bp 0x7ffe4d2d3da0 sp 0x7ffe4d2d3550 READ of size 320 at 0x63000003fe44 thread T0 #0 0x7fb7cd249e0a in __interceptor_memcpy (/lib64/libasan.so.8+0x49e0a) #1 0x7fb7c890ccd9 in util_copy_rect (/usr/lib64/dri/crocus_dri.so+0x10ccd9) #2 0x7fb7c8e0551a in util_copy_box (/usr/lib64/dri/crocus_dri.so+0x60551a) #3 0x7fb7c93e1372 in u_default_texture_subdata (/usr/lib64/dri/crocus_dri.so+0xbe1372) #4 0x7fb7c8979869 in st_TexSubImage (/usr/lib64/dri/crocus_dri.so+0x179869) #5 0x7fb7c897a34f in st_TexImage (/usr/lib64/dri/crocus_dri.so+0x17a34f) #6 0x7fb7c894049a in teximage_err (/usr/lib64/dri/crocus_dri.so+0x14049a) #7 0x7fb7c89428f4 in _mesa_TexImage2D (/usr/lib64/dri/crocus_dri.so+0x1428f4) #8 0x6dea11 in GLRenderer_SetBlendTable /home/maarten/programming/dethrace/src/harness/renderers/gl/gl_renderer.c:330 #9 0x6e2f0d in setActiveMaterial /home/maarten/programming/dethrace/src/harness/renderers/gl/gl_renderer.c:537 #10 0x6e3cac in GLRenderer_Model /home/maarten/programming/dethrace/src/harness/renderers/gl/gl_renderer.c:591 #11 0x6d96de in Harness_Hook_renderActor /home/maarten/programming/dethrace/src/harness/harness.c:376 #12 0x7565f9 in renderFaces /home/maarten/programming/dethrace/src/BRSRC13/CORE/V1DB/modrend.c:67 #13 0x72e4f4 in BrDbModelRender /home/maarten/programming/dethrace/src/BRSRC13/CORE/V1DB/render.c:32 #14 0x72f2ee in actorRender /home/maarten/programming/dethrace/src/BRSRC13/CORE/V1DB/render.c:142 #15 0x72ffb8 in sceneRenderAdd /home/maarten/programming/dethrace/src/BRSRC13/CORE/V1DB/render.c:254 #16 0x730862 in BrZbSceneRenderAdd /home/maarten/programming/dethrace/src/BRSRC13/CORE/V1DB/render.c:332 #17 0x4c88d8 in DoHorizon /home/maarten/programming/dethrace/src/DETHRACE/common/depth.c:552 #18 0x4c8da0 in DepthEffectSky /home/maarten/programming/dethrace/src/DETHRACE/common/depth.c:600 #19 0x508501 in RenderAFrame 
/home/maarten/programming/dethrace/src/DETHRACE/common/graphics.c:1675 #20 0x5512a9 in MainGameLoop /home/maarten/programming/dethrace/src/DETHRACE/common/mainloop.c:594 #21 0x55245e in DoRace /home/maarten/programming/dethrace/src/DETHRACE/common/mainloop.c:726 #22 0x66b497 in DoGame /home/maarten/programming/dethrace/src/DETHRACE/common/structur.c:540 #23 0x66c0e1 in DoProgram /home/maarten/programming/dethrace/src/DETHRACE/common/structur.c:647 #24 0x54ccfb in GameMain /home/maarten/programming/dethrace/src/DETHRACE/common/main.c:105 #25 0x6ba1c4 in original_main /home/maarten/programming/dethrace/src/DETHRACE/pc-dos/dossys.c:674 #26 0x6bb884 in main /home/maarten/programming/dethrace/src/DETHRACE/main.c:32 #27 0x7fb7ccc2950f in __libc_start_call_main (/lib64/libc.so.6+0x2950f) #28 0x7fb7ccc295c8 in __libc_start_main_alias_2 (/lib64/libc.so.6+0x295c8) #29 0x404ce4 in _start (/home/maarten/programming/dethrace/cmake-build-debug-asan/dethrace+0x404ce4) 0x63000003fe44 is located 0 bytes to the right of 64068-byte region [0x630000030400,0x63000003fe44) allocated by thread T0 here: #0 0x7fb7cd2ba6af in __interceptor_malloc (/lib64/libasan.so.8+0xba6af) #1 0x4db55e in DRStdlibAllocate /home/maarten/programming/dethrace/src/DETHRACE/common/drmem.c:301 #2 0x6eb0bc in BrMemAllocate /home/maarten/programming/dethrace/src/BRSRC13/CORE/FW/mem.c:12 #3 0x6ed33d in BrResAllocate /home/maarten/programming/dethrace/src/BRSRC13/CORE/FW/resource.c:67 #4 0x715efd in DevicePixelmapMemAllocate /home/maarten/programming/dethrace/src/BRSRC13/CORE/PIXELMAP/pmmem.c:150 #5 0x717731 in _M_br_device_pixelmap_mem_match /home/maarten/programming/dethrace/src/BRSRC13/CORE/PIXELMAP/pmmem.c:333 #6 0x710967 in BrPixelmapMatch /home/maarten/programming/dethrace/src/BRSRC13/CORE/PIXELMAP/pmdsptch.c:72 #7 0x6b8323 in PDAllocateScreenAndBack /home/maarten/programming/dethrace/src/DETHRACE/pc-dos/dossys.c:373 #8 0x4faf9f in SetBRenderScreenAndBuffers 
/home/maarten/programming/dethrace/src/DETHRACE/common/graphics.c:523 #9 0x5153ee in InitializeBRenderEnvironment /home/maarten/programming/dethrace/src/DETHRACE/common/init.c:254 #10 0x515f28 in InitialiseApplication /home/maarten/programming/dethrace/src/DETHRACE/common/init.c:359 #11 0x5161b0 in InitialiseDeathRace /home/maarten/programming/dethrace/src/DETHRACE/common/init.c:410 #12 0x54ccf6 in GameMain /home/maarten/programming/dethrace/src/DETHRACE/common/main.c:104 #13 0x6ba1c4 in original_main /home/maarten/programming/dethrace/src/DETHRACE/pc-dos/dossys.c:674 #14 0x6bb884 in main /home/maarten/programming/dethrace/src/DETHRACE/main.c:32 #15 0x7fb7ccc2950f in __libc_start_call_main (/lib64/libc.so.6+0x2950f) SUMMARY: AddressSanitizer: heap-buffer-overflow (/lib64/libasan.so.8+0x49e0a) in __interceptor_memcpy Shadow bytes around the buggy address: 0x0c607fffff70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c607fffff80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c607fffff90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c607fffffa0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c607fffffb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 =>0x0c607fffffc0: 00 00 00 00 00 00 00 00[04]fa fa fa fa fa fa fa 0x0c607fffffd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c607fffffe0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c607ffffff0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c6080000000: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c6080000010: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan 
internal: fe Left alloca redzone: ca Right alloca redzone: cb ==52185==ABORTING ```

By setting the environment variable ASAN_OPTIONS=abort_on_error=0 (before starting dethrace), I was able to attach a debugger and get the following stack trace:

Stacktrace of crashing into something in cockpit view with address sanitizer ``` #0 0x00007ffff78e4840 in __sanitizer::Die() () at /lib64/libasan.so.8 #1 0x00007ffff78c3c3e in __asan::ScopedInErrorReport::~ScopedInErrorReport() () at /lib64/libasan.so.8 #2 0x00007ffff78c31a6 in __asan::ReportGenericError(unsigned long, unsigned long, unsigned long, unsigned long, bool, unsigned long, unsigned int, bool) () at /lib64/libasan.so.8 #3 0x00007ffff7849e2a in memcpy () at /lib64/libasan.so.8 #4 0x00007ffff340551b in util_copy_box () at /usr/lib64/dri/crocus_dri.so #5 0x00007ffff39e1373 in u_default_texture_subdata () at /usr/lib64/dri/crocus_dri.so #6 0x00007ffff2f7986a in st_TexSubImage () at /usr/lib64/dri/crocus_dri.so #7 0x00007ffff2f7a350 in st_TexImage () at /usr/lib64/dri/crocus_dri.so #8 0x00007ffff2f4049b in teximage_err () at /usr/lib64/dri/crocus_dri.so #9 0x00007ffff2f428f5 in _mesa_TexImage2D () at /usr/lib64/dri/crocus_dri.so #10 0x00000000006dea12 in GLRenderer_SetBlendTable (table=0x60d0000f2dc8) at /home/maarten/programming/dethrace/src/harness/renderers/gl/gl_renderer.c:330 stored = 0x10008c8d0 #11 0x00000000006e2f0e in setActiveMaterial (material=0x6110000f89c0) at /home/maarten/programming/dethrace/src/harness/renderers/gl/gl_renderer.c:537 #12 0x00000000006e3cad in GLRenderer_Model (actor=0x610000385a68, model=0x60e000026168, model_matrix=..., render_type=BRT_TRIANGLE) at /home/maarten/programming/dethrace/src/harness/renderers/gl/gl_renderer.c:591 ctx = 0x6030000e7ee0 v11 = 0x62400030e140 m = {0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0} __FUNCTION__ = {71 'G', 76 'L', 82 'R', 101 'e', 110 'n', 100 'd', 101 'e', 114 'r', 101 'e', 114 'r', 95 '_', 77 'M', 111 'o', 100 'd', 101 'e', 108 'l', 0 '\000'} group = 0x7ffff3d68abc element_index = -2145537999 #13 0x00000000006d96df in Harness_Hook_renderActor (actor=0x610000385a68, model=0x60e000026168, material=0x6110000f88a8, type=BRT_TRIANGLE) at 
/home/maarten/programming/dethrace/src/harness/harness.c:376 #14 0x00000000007565fa in renderFaces (actor=0x610000385a68, model=0x60e000026168, material=0x6110000f88a8, render_data=0x0, style=4 '\004', on_screen=1) at /home/maarten/programming/dethrace/src/BRSRC13/CORE/V1DB/modrend.c:67 __FUNCTION__ = {114 'r', 101 'e', 110 'n', 100 'd', 101 'e', 114 'r', 70 'F', 97 'a', 99 'c', 101 'e', 115 's', 0 '\000'} #15 0x000000000072e4f5 in BrDbModelRender (actor=0x610000385a68, model=0x60e000026168, material=0x6110000f88a8, render_data=0x0, style=4 '\004', on_screen=1, use_custom=1) at /home/maarten/programming/dethrace/src/BRSRC13/CORE/V1DB/render.c:32 __FUNCTION__ = {66 'B', 114 'r', 68 'D', 98 'b', 77 'M', 111 'o', 100 'd', 101 'e', 108 'l', 82 'R', 101 'e', 110 'n', 100 'd', 101 'e', 114 'r', 0 '\000'} #16 0x000000000072f2ef in actorRender (ap=0x610000385a68, model=0x60e000000068, material=0x611000000068, render_data=0x0, style=4 '\004', t=0) at /home/maarten/programming/dethrace/src/BRSRC13/CORE/V1DB/render.c:142 this_material = 0x6110000f88a8 this_model = 0x60e000026168 this_render_data = 0x0 a = 0x2ffffd5d0 s = BRT_NONE __FUNCTION__ = {97 'a', 99 'c', 116 't', 111 'o', 114 'r', 82 'R', 101 'e', 110 'n', 100 'd', 101 'e', 114 'r', 0 '\000'} #17 0x000000000072ffb9 in sceneRenderAdd (tree=0x610000385a68) at /home/maarten/programming/dethrace/src/BRSRC13/CORE/V1DB/render.c:254 material = 0x611000000068 model = 0x60e000000068 render_data = 0x0 style = 0 '\000' a = 0x0 t = 0 m = {m = {{1, 0, 0}, {0, 1, 0}, {0, 0, 1}, {0, 0, 0}}} __FUNCTION__ = {115 's', 99 'c', 101 'e', 110 'n', 101 'e', 82 'R', 101 'e', 110 'n', 100 'd', 101 'e', 114 'r', 65 'A', 100 'd', 100 'd', 0 '\000'} #18 0x0000000000730863 in BrZbSceneRenderAdd (tree=0x610000385a68) at /home/maarten/programming/dethrace/src/BRSRC13/CORE/V1DB/render.c:332 #19 0x00000000004c88d9 in DoHorizon (pRender_buffer=0x60d0000e48a8, pDepth_buffer=0x60d0000e4978, pCamera=0x610000384468, pCamera_to_world=0xba1360 ) at 
/home/maarten/programming/dethrace/src/DETHRACE/common/depth.c:552 yaw = 30646 actor = 0x610000385a68 __FUNCTION__ = {68 'D', 111 'o', 72 'H', 111 'o', 114 'r', 105 'i', 122 'z', 111 'o', 110 'n', 0 '\000'} #20 0x00000000004c8da1 in DepthEffectSky (pRender_buffer=0x60d0000e48a8, pDepth_buffer=0x60d0000e4978, pCamera=0x610000384468, pCamera_to_world=0xba1360 ) at /home/maarten/programming/dethrace/src/DETHRACE/common/depth.c:600 __FUNCTION__ = {68 'D', 101 'e', 112 'p', 116 't', 104 'h', 69 'E', 102 'f', 102 'f', 101 'e', 99 'c', 116 't', 83 'S', 107 'k', 121 'y', 0 '\000'} #21 0x0000000000508502 in RenderAFrame (pDepth_mask_on=1) at /home/maarten/programming/dethrace/src/DETHRACE/common/graphics.c:1675 cat = 1 i = 0 car_count = 0 flags = 65535 x_shift = 0 y_shift = 24 cockpit_on = 1 real_origin_x = 0 real_origin_y = 0 real_base_x = 0 real_base_y = 0 map_timer_x = -10016 map_timer_width = 0 ped_type = 32767 old_pixels = 0x7fffea462840 "\360\360\360\360\360\360\360\360\360\360\360\360\260\360\360\360\260\b\261\343\266\307\036\026\r\264\r\264\253\252\002\021\t\001\001\020\020\b\260\260\260\360\260\360\360\360\360\360\360\260\260\020\001\001\001\260\260\360\360\360\360\360\360\360\360\360\360\360\360\360𰰰\273'ƴ\275\022\251\252\264\253\360\360\360\360\360\360\360\360\360\360\360\360\360\360\360\360\360\260\260\322\322\322\322\322\322HHHHH\344\344\345\345\345\365\365\344\344\320\340\340\340\340\340\340\340\340\340\340\340\320\340\340\340\320\340\340\340\340\340\340\340\340\340\340\340\340\341\342\340\340\340\340\340\360\341\320\340\340\341\340\341\341\342\342\343\343\364\364\344\344\345\345\345\345\345\344\344\344\344\344\344H\344\345\346\345H\342\342\320\340\340\320\343\342\343\343H\343\343\343H\322\344HHH\345H\345\345\345\345\345\345\345\323\344\344\322\343\343\342\342\342\321\342\342\341\341\341\341\340\340\340\340\320\343\321\342\342\343\342\321\343H\344\345\345H"... 
old_camera_matrix = {m = {{1, 0, 0}, {0, 1, 0}, {0, 0, 1}, {-0.0799999982, 0.179000005, 0}}} old_mirror_cam_matrix = {m = {{1, 0, 0}, {0, 1, 0}, {0, 0, -1}, {0, 0.174999997, 0.200000003}}} the_time = 28467 car_pos = 0x61b000000080 pos = {v = {-nan(0x7fd840), 4.59163468e-41, 1.70697211e-38}} the_text = {-32 '\340', -40 '\330', -1 '\377', -1 '\377', -1 '\377', 127 '\177', 0 '\000', 0 '\000', 24 '\030', 0 '\000', 0 '\000', 0 '\000', 14 '\016', -128 '\200', 0 '\000', 0 '\000', -32 '\340', -40 '\330', -1 '\377', -1 '\377', -1 '\377', 127 '\177', 0 '\000', 0 '\000', -96 '\240', -39 '\331', -1 '\377', -1 '\377', -1 '\377', 127 '\177', 0 '\000', 0 '\000', 28 '\034', -5 '\373', -1 '\377', -1 '\377', -1 '\377', 15 '\017', 0 '\000', 0 '\000', -32 '\340', -40 '\330', -1 '\377', -1 '\377', -1 '\377', 127 '\177', 0 '\000', 0 '\000', -96 '\240', -40 '\330', -1 '\377', -1 '\377', -1 '\377', 127 '\177', 0 '\000', 0 '\000', 110 'n', -107 '\225', 107 'k', 0 '\000', 0 '\000', 0 '\000', 0 '\000', 0 '\000', -64 '\300', -40 '\330', -1 '\377', -1 '\377', -1 '\377', 127 '\177', 0 '\000', 0 '\000', -44 '\324', -113 '\217', 81 'Q', 0 '\000', 0 '\000', 0 '\000', 0 '\000', 0 '\000', -74 '\266', 108 'l', 101 'e', 0 '\000', 0 '\000', 0 '\000', 0 '\000', 0 '\000', 96 '`', -12 '\364', -104 '\230', 0 '\000', 90 'Z', 0 '\000', 0 '\000', 0 '\000', -64 '\300', -39 '\331', -1 '\377', -1 '\377', -1 '\377', 127 '\177', 0 '\000', 0 '\000', -96 '\240', -62 '\302', 74 'J', 0 '\000', 0 '\000', 0 '\000', 0 '\000', 0 '\000', 0 '\000', 0 '\000', 0 '\000', 0 '\000', 0 '\000', 0 '\000', 0 '\000', 0 '\000', -32 '\340', 50 '2', -69 '\273', 0 '\000', 0 '\000', 0 '\000', 0 '\000', 0 '\000', -77 '\263', -118 '\212', -75 '\265', 65 'A', 0 '\000', 0 '\000', 0 '\000', 0 '\000', -88 '\250', -76 '\264', -110 '\222', 0 '\000', 0 '\000', 0 '\000', 0 '\000', 0 '\000', 38 '&', -62 '\302', 74 'J', 0 '\000', -51 '\315', -52 '\314', -52 '\314', 61 '=', -124 '\204', 19 '\023', -70 '\272', 0 '\000', 0 '\000', 0 '\000', 0 '\000', 0 
'\000', 84 'T', 47 '/', -68 '\274', 0 '\000', 0 '\000', 0 '\000', 0 '\000', 0 '\000', -32 '\340', -109 '\223', 56 '8', 0 '\000', 0 '\000', 97 'a', 0 '\000', 0 '\000', -80 '\260', -39 '\331', -1 '\377', -1 '\377', -1 '\377', 127 '\177', 0 '\000', 0 '\000', -56 '\310', 62 '>', 86 'V', 0 '\000', 0 '\000', 0 '\000', 0 '\000', 0 '\000', -77 '\263', -118 '\212', -75 '\265', 65 'A', 0 '\000', 0 '\000', 0 '\000', 0 '\000', 84 'T', 47 '/', -68 '\274', 0 '\000', 0 '\000', 0 '\000', 0 '\000', 0 '\000', 72 'H', 47 '/', -68 '\274', 0 '\000', 0 '\000', 0 '\000', 0 '\000', 0 '\000', -32 '\340', -109 '\223', 56 '8', 0 '\000', 0 '\000', 97 'a', 0 '\000', 0 '\000', -15 '\361', 28 '\034', 0 '\000', 0 '\000', -51 '\315', -52 '\314', -52 '\314', 61 '=', 28 '\034', 81 'Q', -68 '\274', 64 '@', -115 '\215', -8 '\370', 8 '\b', 61 '=', -77 '\263', -118 '\212', -75 '\265', 65 'A', 0 '\000', 0 '\000', 0 '\000', 0 '\000', 32 ' ', 102 'f', -107 '\225', 0 '\000', 0 '\000', 0 '\000', 0 '\000', 0 '\000'...} car = 0x7fffffffd840 __FUNCTION__ = {82 'R', 101 'e', 110 'n', 100 'd', 101 'e', 114 'r', 65 'A', 70 'F', 114 'r', 97 'a', 109 'm', 101 'e', 0 '\000'} #22 0x00000000005512aa in MainGameLoop () at /home/maarten/programming/dethrace/src/DETHRACE/common/mainloop.c:594 camera_period = 66 start_menu_time = 7120291 frame_start_time = 28466 result = 10024032 tried_to_allocate_AR = 1 i = 7231524 bonus = 0 __FUNCTION__ = {77 'M', 97 'a', 105 'i', 110 'n', 71 'G', 97 'a', 109 'm', 101 'e', 76 'L', 111 'o', 111 'o', 112 'p', 0 '\000'} #23 0x000000000055245f in DoRace () at /home/maarten/programming/dethrace/src/DETHRACE/common/mainloop.c:726 result = 25152 __FUNCTION__ = {68 'D', 111 'o', 82 'R', 97 'a', 99 'c', 101 'e', 0 '\000'} #24 0x000000000066b498 in DoGame () at /home/maarten/programming/dethrace/src/DETHRACE/common/structur.c:540 options_result = eSO_continue race_result = eRace_game_abandonned second_select_race = 1 first_summary_done = -9488 i = 32767 __FUNCTION__ = {68 'D', 111 'o', 71 'G', 97 
'a', 109 'm', 101 'e', 0 '\000'} #25 0x000000000066c0e2 in DoProgram () at /home/maarten/programming/dethrace/src/DETHRACE/common/structur.c:647 #26 0x000000000054ccfc in GameMain (pArgc=3, pArgv=0x7fffffffdf18) at /home/maarten/programming/dethrace/src/DETHRACE/common/main.c:105 CD_dir = {118 'v', -5 '\373', -1 '\377', -1 '\377', -1 '\377', 15 '\017', 0 '\000', 0 '\000', 16 '\020', -36 '\334', -1 '\377', -1 '\377', -1 '\377', 127 '\177', 0 '\000', 0 '\000', -80 '\260', -37 '\333', -1 '\377', -1 '\377', -1 '\377', 127 '\177', 0 '\000', 0 '\000', 17 '\021', 122 'z', 109 'm', 0 '\000', 0 '\000', 0 '\000', 0 '\000', 0 '\000', 0 '\000', 0 '\000', 0 '\000', 0 '\000', 0 '\000', 0 '\000', 0 '\000', 0 '\000', -32 '\340', -70 '\272', -104 '\230', 0 '\000', 0 '\000', 0 '\000', 0 '\000', 0 '\000', 96 '`', -66 '\276', -104 '\230', 0 '\000', 0 '\000', 0 '\000', 0 '\000', 0 '\000', 64 '@', -74 '\266', -104 '\230', 0 '\000', 0 '\000', 0 '\000', 0 '\000', 0 '\000', -77 '\263', -118 '\212', -75 '\265', 65 'A', 0 '\000', 0 '\000', 0 '\000', 0 '\000', 32 ' ', -82 '\256', -104 '\230', 0 '\000', 0 '\000', 0 '\000', 0 '\000', 0 '\000', 2 '\002', 0 '\000', 0 '\000', 0 '\000', 0 '\000', 0 '\000', 0 '\000', 0 '\000', 0 '\000', 0 '\000', 0 '\000', 0 '\000', 0 '\000', 0 '\000', 0 '\000', 0 '\000', 0 '\000', 0 '\000', 0 '\000', 0 '\000', 0 '\000', 0 '\000', 0 '\000', 0 '\000', 0 '\000', 0 '\000', 0 '\000', 0 '\000', 0 '\000', 0 '\000', 0 '\000', 0 '\000', 0 '\000', 0 '\000', 0 '\000', 0 '\000', 0 '\000', 0 '\000', 0 '\000', 0 '\000', 0 '\000', 0 '\000', 0 '\000', 0 '\000', 0 '\000', 0 '\000', 0 '\000', 0 '\000', 0 '\000', 0 '\000', 0 '\000', 0 '\000', 0 '\000', 0 '\000', 0 '\000', 0 '\000', 0 '\000', 0 '\000', 0 '\000', 0 '\000', 0 '\000', 0 '\000', 0 '\000', 0 '\000', 0 '\000', 0 '\000', 0 '\000', 0 '\000', 0 '\000', 0 '\000', 0 '\000', 0 '\000', 0 '\000', 0 '\000', 0 '\000', 0 '\000', 0 '\000', 0 '\000', 0 '\000', 0 '\000', 0 '\000', 0 '\000', 0 '\000', 0 '\000', 0 '\000', 0 '\000', 0 
'\000', 0 '\000', 0 '\000', 0 '\000', 0 '\000', 0 '\000', 0 '\000', 0 '\000', 0 '\000', 0 '\000', 0 '\000', 0 '\000', 0 '\000', 0 '\000', 0 '\000', 0 '\000', 0 '\000', 0 '\000', 0 '\000', 0 '\000', 0 '\000', 0 '\000', 0 '\000', 0 '\000', 0 '\000', 0 '\000', 0 '\000', 0 '\000', 0 '\000', 0 '\000', 0 '\000', 0 '\000', 0 '\000', 0 '\000', 109 'm', 73 'I', 40 '(', -9 '\367', -1 '\377', 127 '\177', 0 '\000', 0 '\000', 0 '\000', 0 '\000', 0 '\000', 0 '\000', 0 '\000', 0 '\000', 0 '\000', 0 '\000', -128 '\200', -105 '\227', 63 '?', -9 '\367', -1 '\377', 127 '\177', 0 '\000', 0 '\000', -32 '\340', 85 'U', 63 '?', -9 '\367', -1 '\377', 127 '\177', 0 '\000', 0 '\000', -128 '\200', 0 '\000', 0 '\000', 0 '\000', -112 '\220', 97 'a', 0 '\000', 0 '\000', 104 'h', 13 '\r', 0 '\000', 0 '\000', 0 '\000', 0 '\000', 0 '\000', 0 '\000', 16 '\020', 61 '=', 40 '(', -9 '\367', -1 '\377', 127 '\177', 0 '\000', 0 '\000'...} #27 0x00000000006ba1c5 in original_main (pArgc=3, pArgv=0x7fffffffdf18) at /home/maarten/programming/dethrace/src/DETHRACE/pc-dos/dossys.c:674 arg = 123 i = 3 f = -nan(0x7fdd80) #28 0x00000000006bb885 in main (argc=3, argv=0x7fffffffdf18) at /home/maarten/programming/dethrace/src/DETHRACE/main.c:32 #29 0x00007ffff7229510 in __libc_start_call_main () at /lib64/libc.so.6 #30 0x00007ffff72295c9 in __libc_start_main_impl () at /lib64/libc.so.6 #31 0x0000000000404ce5 in _start () ```

I think the GLRenderer_SetBlendTable frame is key. https://github.com/dethrace-labs/dethrace/blob/256ab39925f8d3fc5c0e79ee2b9d92c9b3551ebc/src/harness/renderers/gl/gl_renderer.c#L330

(gdb) p render_width
$1 = 640
(gdb) p render_height
$2 = 480
(gdb) p last_colour_buffer->width
$3 = 640
(gdb) p last_colour_buffer->height
$4 = 387

Applying the following (quickly written) patch fixes the crash:

--- a/src/harness/renderers/gl/gl_renderer.c
+++ b/src/harness/renderers/gl/gl_renderer.c
@@ -321,13 +321,15 @@ void GLRenderer_SetShadeTable(br_pixelmap* table) {
     current_shade_table = table;
 }

+#define MIN(X, Y) (((X) <= (Y)) ? (X) : (Y))
+
 void GLRenderer_SetBlendTable(br_pixelmap* table) {

     if (flush_counter != colourbuffer_upload_counter) {
         GLRenderer_FlushBuffers(eFlush_color_buffer);
         glActiveTexture(GL_TEXTURE4);
         glBindTexture(GL_TEXTURE_2D, current_colourbuffer_texture);
-        glTexImage2D(GL_TEXTURE_2D, 0, GL_R8UI, render_width, render_height, 0, GL_RED_INTEGER, GL_UNSIGNED_BYTE, last_colour_buffer->pixels);
+        glTexImage2D(GL_TEXTURE_2D, 0, GL_R8UI, MIN(render_width, last_colour_buffer->width), MIN(render_height, last_colour_buffer->height), 0, GL_RED_INTEGER, GL_UNSIGNED_BYTE, last_colour_buffer->pixels);
         colourbuffer_upload_counter = flush_counter;
     }
dethrace-labs commented 3 months ago

Fixed by removing this code in favor of the software renderer. Will reopen if it becomes a problem with the upcoming 3dfx-code-path hardware renderer.