godotengine / godot

Godot Engine – Multi-platform 2D and 3D game engine
https://godotengine.org
MIT License

Buffer overflow when using ImmediateGeometry and InterpolatedCamera #47066

Open qarmin opened 3 years ago

qarmin commented 3 years ago

Godot version: 3.2.4.rc.custom_build. b169a16cb

OS: Ubuntu 20.04 - Ubuntu 3.36 X11

Issue description: When using ImmediateGeometry and InterpolatedCamera, Godot starts to use invalid memory (happens with both GLES2 and GLES3).

==71742==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x603000297208 at pc 0x7f72922626aa bp 0x7ffe0dffd130 sp 0x7ffe0dffc8d8
READ of size 16 at 0x603000297208 thread T0
    #0 0x7f72922626a9 in __interceptor_memcpy (/lib/x86_64-linux-gnu/libasan.so.6+0x3a6a9)
    #1 0x7f72823b65c8  (/lib/x86_64-linux-gnu/libnvidia-glcore.so.460.56+0xf4b5c8)
    #2 0x7f728225ad1d  (/lib/x86_64-linux-gnu/libnvidia-glcore.so.460.56+0xdefd1d)
    #3 0x7f72821ff99d  (/lib/x86_64-linux-gnu/libnvidia-glcore.so.460.56+0xd9499d)
    #4 0x7f7282202c8a  (/lib/x86_64-linux-gnu/libnvidia-glcore.so.460.56+0xd97c8a)
    #5 0x7f7281e907f3  (/lib/x86_64-linux-gnu/libnvidia-glcore.so.460.56+0xa257f3)
    #6 0x7f7281e909ab  (/lib/x86_64-linux-gnu/libnvidia-glcore.so.460.56+0xa259ab)
    #7 0x7ae579d in RasterizerSceneGLES3::_render_geometry(RasterizerSceneGLES3::RenderList::Element*) (/usr/bin/godots+0x7ae579d)
    #8 0x79f174c in RasterizerSceneGLES3::_render_list(RasterizerSceneGLES3::RenderList::Element**, int, Transform const&, CameraMatrix const&, RasterizerStorageGLES3::Sky*, bool, bool, bool, bool, bool) drivers/gles3/rasterizer_scene_gles3.cpp:2245
    #9 0x7a70da1 in RasterizerSceneGLES3::render_scene(Transform const&, CameraMatrix const&, bool, RasterizerScene::InstanceBase**, int, RID*, int, RID*, int, RID, RID, RID, RID, int) drivers/gles3/rasterizer_scene_gles3.cpp:4239
    #10 0x10438271 in VisualServerScene::_render_scene(Transform, CameraMatrix const&, bool, RID, RID, RID, RID, int) servers/visual/visual_server_scene.cpp:2367
    #11 0x1042597f in VisualServerScene::render_camera(RID, RID, Vector2, RID) servers/visual/visual_server_scene.cpp:1937
    #12 0x10554fc6 in VisualServerViewport::_draw_3d(VisualServerViewport::Viewport*, ARVRInterface::Eyes) servers/visual/visual_server_viewport.cpp:78
    #13 0x105571fd in VisualServerViewport::_draw_viewport(VisualServerViewport::Viewport*, ARVRInterface::Eyes) servers/visual/visual_server_viewport.cpp:110
    #14 0x10562fa3 in VisualServerViewport::draw_viewports() servers/visual/visual_server_viewport.cpp:348
    #15 0x103b217d in VisualServerRaster::draw(bool, double) servers/visual/visual_server_raster.cpp:108
    #16 0x10595094 in VisualServerWrapMT::draw(bool, double) servers/visual/visual_server_wrap_mt.cpp:102
    #17 0x18de7f3 in Main::iteration() main/main.cpp:2132
    #18 0x17c1bd2 in OS_X11::run() platform/x11/os_x11.cpp:3641
    #19 0x172defb in main platform/x11/godot_x11.cpp:56
    #20 0x7f729115f0b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
    #21 0x172db1d in _start (/usr/bin/godots+0x172db1d)

0x603000297208 is located 0 bytes to the right of 24-byte region [0x6030002971f0,0x603000297208)
allocated by thread T0 here:
    #0 0x7f72922d8517 in malloc (/lib/x86_64-linux-gnu/libasan.so.6+0xb0517)
    #1 0x11a939f9 in Memory::alloc_static(unsigned long, bool) core/os/memory.cpp:82
    #2 0x19c0263 in CowData<Vector2>::resize(int) core/cowdata.h:287
    #3 0x19b9774 in Vector<Vector2>::resize(int) core/vector.h:84
    #4 0x19b9a74 in Vector<Vector2>::push_back(Vector2) core/vector.h:152
    #5 0x7bebb2d in RasterizerStorageGLES3::immediate_vertex(RID, Vector3 const&) drivers/gles3/rasterizer_storage_gles3.cpp:5236
    #6 0x103c721b in VisualServerRaster::immediate_vertex(RID, Vector3 const&) servers/visual/visual_server_raster.h:280
    #7 0x105ddf8d in VisualServerWrapMT::immediate_vertex(RID, Vector3 const&) servers/visual/visual_server_wrap_mt.h:217
    #8 0xd495dd4 in ImmediateGeometry::add_vertex(Vector3 const&) scene/3d/immediate_geometry.cpp:67
    #9 0x3342243 in MethodBind1<Vector3 const&>::call(Object*, Variant const**, int, Variant::CallError&) core/method_bind.gen.inc:775
    #10 0x1155104d in Object::call(StringName const&, Variant const**, int, Variant::CallError&) core/object.cpp:919
    #11 0x117d6f43 in Variant::call_ptr(StringName const&, Variant const**, int, Variant*, Variant::CallError&) core/variant_call.cpp:1148
    #12 0x1d9a4fb in GDScriptFunction::call(GDScriptInstance*, Variant const**, int, Variant::CallError&, GDScriptFunction::CallState*) modules/gdscript/gdscript_function.cpp:1086
    #13 0x1bcabfb in GDScriptInstance::call(StringName const&, Variant const**, int, Variant::CallError&) modules/gdscript/gdscript.cpp:1208
    #14 0x11550bbd in Object::call(StringName const&, Variant const**, int, Variant::CallError&) core/object.cpp:898
    #15 0x117d6f43 in Variant::call_ptr(StringName const&, Variant const**, int, Variant*, Variant::CallError&) core/variant_call.cpp:1148
    #16 0x1d9a4fb in GDScriptFunction::call(GDScriptInstance*, Variant const**, int, Variant::CallError&, GDScriptFunction::CallState*) modules/gdscript/gdscript_function.cpp:1086
    #17 0x1bcb10e in GDScriptInstance::call_multilevel(StringName const&, Variant const**, int) modules/gdscript/gdscript.cpp:1224
    #18 0xc0512f3 in Node::_notification(int) scene/main/node.cpp:60
    #19 0x1a7971b in Node::_notificationv(int, bool) scene/main/node.h:46
    #20 0x1a7bb90 in CanvasItem::_notificationv(int, bool) scene/2d/canvas_item.h:166
    #21 0xdb3db1e in Node2D::_notificationv(int, bool) scene/2d/node_2d.h:38
    #22 0x115514e7 in Object::notification(int, bool) core/object.cpp:929
    #23 0xc18035f in SceneTree::_notify_group_pause(StringName const&, int) scene/main/scene_tree.cpp:992
    #24 0xc1708ed in SceneTree::idle(float) scene/main/scene_tree.cpp:529
    #25 0x18dda96 in Main::iteration() main/main.cpp:2117
    #26 0x17c1bd2 in OS_X11::run() platform/x11/os_x11.cpp:3641
    #27 0x172defb in main platform/x11/godot_x11.cpp:56
    #28 0x7f729115f0b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)

SUMMARY: AddressSanitizer: heap-buffer-overflow (/lib/x86_64-linux-gnu/libasan.so.6+0x3a6a9) in __interceptor_memcpy

Minimal Project GDScript.zip

qarmin commented 1 year ago

Still happens with 3.6 beta

=================================================================
==301346==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60300035f998 at pc 0x7f9e2c0f1490 bp 0x7fff24ceff10 sp 0x7fff24cef6b8
READ of size 16 at 0x60300035f998 thread T0
    #0 0x7f9e2c0f148f in __interceptor_memcpy ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:790
    #1 0x7f9e1b059193  (/lib/x86_64-linux-gnu/libnvidia-glcore.so.515.65.01+0x1059193)
    #2 0x7f9e1af222cd  (/lib/x86_64-linux-gnu/libnvidia-glcore.so.515.65.01+0xf222cd)
    #3 0x7f9e1aed68fd  (/lib/x86_64-linux-gnu/libnvidia-glcore.so.515.65.01+0xed68fd)
    #4 0x7f9e1aed9cba  (/lib/x86_64-linux-gnu/libnvidia-glcore.so.515.65.01+0xed9cba)
    #5 0x7f9e1ab5ade3  (/lib/x86_64-linux-gnu/libnvidia-glcore.so.515.65.01+0xb5ade3)
    #6 0x7f9e1ab5af91  (/lib/x86_64-linux-gnu/libnvidia-glcore.so.515.65.01+0xb5af91)
    #7 0x820fb45 in RasterizerSceneGLES3::_render_geometry(RasterizerSceneGLES3::RenderList::Element*) (/usr/bin/godots+0x820fb45)
    #8 0x810e623 in RasterizerSceneGLES3::_render_list(RasterizerSceneGLES3::RenderList::Element**, int, Transform const&, CameraMatrix const&, RasterizerStorageGLES3::Sky*, bool, bool, bool, bool, bool) drivers/gles3/rasterizer_scene_gles3.cpp:2206
    #9 0x81920fd in RasterizerSceneGLES3::render_scene(Transform const&, CameraMatrix const&, int, bool, RasterizerScene::InstanceBase**, int, RID*, int, RID*, int, RID, RID, RID, RID, int) drivers/gles3/rasterizer_scene_gles3.cpp:4212
    #10 0x11c97c40 in VisualServerScene::_render_scene(Transform, CameraMatrix const&, int, bool, RID, RID, RID, RID, int) servers/visual/visual_server_scene.cpp:3324
    #11 0x11c83d74 in VisualServerScene::render_camera(RID, RID, Vector2, RID) servers/visual/visual_server_scene.cpp:2894
    #12 0x11de3047 in VisualServerViewport::_draw_3d(VisualServerViewport::Viewport*, ARVRInterface::Eyes) servers/visual/visual_server_viewport.cpp:76
    #13 0x11de530f in VisualServerViewport::_draw_viewport(VisualServerViewport::Viewport*, ARVRInterface::Eyes) servers/visual/visual_server_viewport.cpp:106
    #14 0x11df1a92 in VisualServerViewport::draw_viewports() servers/visual/visual_server_viewport.cpp:342
    #15 0x11bdb3b6 in VisualServerRaster::draw(bool, double) servers/visual/visual_server_raster.cpp:115
    #16 0x11e254d0 in VisualServerWrapMT::draw(bool, double) servers/visual/visual_server_wrap_mt.cpp:85
    #17 0x1a6b26b in Main::iteration() main/main.cpp:2361
    #18 0x1931c57 in OS_X11::run() platform/x11/os_x11.cpp:4035
    #19 0x188d12c in main platform/x11/godot_x11.cpp:59
    #20 0x7f9e2b512d8f  (/lib/x86_64-linux-gnu/libc.so.6+0x29d8f)
    #21 0x7f9e2b512e3f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x29e3f)
    #22 0x188cd1d in _start (/usr/bin/godots+0x188cd1d)

0x60300035f998 is located 0 bytes to the right of 24-byte region [0x60300035f980,0x60300035f998)
allocated by thread T0 here:
    #0 0x7f9e2c163808 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:144
    #1 0x13522b6f in Memory::alloc_static(unsigned long, bool) core/os/memory.cpp:75
    #2 0x1b57e0f in CowData<Vector2>::resize(int) core/cowdata.h:279
    #3 0x1b5122e in Vector<Vector2>::resize(int) core/vector.h:87
    #4 0x1b5152e in Vector<Vector2>::push_back(Vector2) core/vector.h:188
    #5 0x831ba43 in RasterizerStorageGLES3::immediate_vertex(RID, Vector3 const&) drivers/gles3/rasterizer_storage_gles3.cpp:5057
    #6 0x11bf1988 in VisualServerRaster::immediate_vertex(RID, Vector3 const&) servers/visual/visual_server_raster.h:299
    #7 0x11e72bfb in VisualServerWrapMT::immediate_vertex(RID, Vector3 const&) servers/visual/visual_server_wrap_mt.h:222
    #8 0xe684296 in ImmediateGeometry::add_vertex(Vector3 const&) scene/3d/immediate_geometry.cpp:61
    #9 0x37a9384 in MethodBind1<Vector3 const&>::call(Object*, Variant const**, int, Variant::CallError&) core/method_bind.gen.inc:759
    #10 0x12f39650 in Object::call(StringName const&, Variant const**, int, Variant::CallError&) core/object.cpp:918
    #11 0x131f2ce4 in Variant::call_ptr(StringName const&, Variant const**, int, Variant*, Variant::CallError&) core/variant_call.cpp:1237
    #12 0x1f81a72 in GDScriptFunction::call(GDScriptInstance*, Variant const**, int, Variant::CallError&, GDScriptFunction::CallState*) modules/gdscript/gdscript_function.cpp:1050
    #13 0x1db0435 in GDScriptInstance::call(StringName const&, Variant const**, int, Variant::CallError&) modules/gdscript/gdscript.cpp:1196
    #14 0x12f391bd in Object::call(StringName const&, Variant const**, int, Variant::CallError&) core/object.cpp:899
    #15 0x131f2ce4 in Variant::call_ptr(StringName const&, Variant const**, int, Variant*, Variant::CallError&) core/variant_call.cpp:1237
    #16 0x1f81a72 in GDScriptFunction::call(GDScriptInstance*, Variant const**, int, Variant::CallError&, GDScriptFunction::CallState*) modules/gdscript/gdscript_function.cpp:1050
    #17 0x1db094b in GDScriptInstance::call_multilevel(StringName const&, Variant const**, int) modules/gdscript/gdscript.cpp:1211
    #18 0xd0e098f in Node::_notification(int) scene/main/node.cpp:58
    #19 0x1c5731d in Node::_notificationv(int, bool) scene/main/node.h:47
    #20 0x1c597d1 in CanvasItem::_notificationv(int, bool) scene/2d/canvas_item.h:163
    #21 0xcf37453 in Node2D::_notificationv(int, bool) scene/2d/node_2d.h:37
    #22 0x12f39aec in Object::notification(int, bool) core/object.cpp:927
    #23 0xd23a2f5 in SceneTree::_notify_group_pause(StringName const&, int) scene/main/scene_tree.cpp:1133
    #24 0xd228942 in SceneTree::idle(float) scene/main/scene_tree.cpp:636
    #25 0x1a6a159 in Main::iteration() main/main.cpp:2337
    #26 0x1931c57 in OS_X11::run() platform/x11/os_x11.cpp:4035
    #27 0x188d12c in main platform/x11/godot_x11.cpp:59
    #28 0x7f9e2b512d8f  (/lib/x86_64-linux-gnu/libc.so.6+0x29d8f)

SUMMARY: AddressSanitizer: heap-buffer-overflow ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:790 in __interceptor_memcpy
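Both reports above carry the same numbers: a 16-byte memcpy read starting exactly at the end of a 24-byte region that `RasterizerStorageGLES3::immediate_vertex` grew through `Vector<Vector2>::push_back`. The following triage helper is an added example, not part of the issue or of Godot's code; it parses a constructed excerpt of the first report and works out which array elements the driver touched, assuming Godot 3's default 32-bit `real_t` (so a `Vector2` is 8 bytes).

```python
import re

# Constructed excerpt of the first AddressSanitizer report in this issue, trimmed to the lines the triage needs.
ASAN_REPORT = """\
READ of size 16 at 0x603000297208 thread T0
    #0 0x7f72922626a9 in __interceptor_memcpy (/lib/x86_64-linux-gnu/libasan.so.6+0x3a6a9)
    #1 0x7f72823b65c8  (/lib/x86_64-linux-gnu/libnvidia-glcore.so.460.56+0xf4b5c8)
    #7 0x7ae579d in RasterizerSceneGLES3::_render_geometry(RasterizerSceneGLES3::RenderList::Element*) (/usr/bin/godots+0x7ae579d)
0x603000297208 is located 0 bytes to the right of 24-byte region [0x6030002971f0,0x603000297208)
allocated by thread T0 here:
    #0 0x7f72922d8517 in malloc (/lib/x86_64-linux-gnu/libasan.so.6+0xb0517)
    #1 0x11a939f9 in Memory::alloc_static(unsigned long, bool) core/os/memory.cpp:82
    #2 0x19c0263 in CowData<Vector2>::resize(int) core/cowdata.h:287
    #5 0x7bebb2d in RasterizerStorageGLES3::immediate_vertex(RID, Vector3 const&) drivers/gles3/rasterizer_storage_gles3.cpp:5236
"""

# Assumption: element sizes of Godot 3 value types in a default (32-bit real_t) build.
ELEMENT_SIZES = {"Vector2": 8, "Vector3": 12}

ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+) at (0x[0-9a-f]+)", re.M)
REGION_RE = re.compile(r"(\d+)-byte region \[(0x[0-9a-f]+),(0x[0-9a-f]+)\)")
FRAME_RE = re.compile(r"^\s+#\d+ 0x[0-9a-f]+ in (.+?) (\S+)$", re.M)  # unsymbolized driver frames do not match
ELEMENT_RE = re.compile(r"CowData<(\w+)>::resize")


def first_engine_frame(stack):
    """First frame that is a C++ engine symbol and not a core/ container or allocator helper."""
    for symbol, location in FRAME_RE.findall(stack):
        if "::" in symbol and not location.startswith("core/"):
            return symbol
    return None


def triage(report):
    """Reduce a heap-buffer-overflow report to the element counts a reviewer wants to know."""
    access_stack, _, alloc_stack = report.partition("allocated by thread")
    kind, size, addr = ACCESS_RE.search(access_stack).groups()
    region_bytes, start, end = REGION_RE.search(access_stack).groups()
    size, region_bytes = int(size), int(region_bytes)
    addr, start, end = int(addr, 16), int(start, 16), int(end, 16)
    elem_type = ELEMENT_RE.search(alloc_stack).group(1)
    elem_size = ELEMENT_SIZES[elem_type]
    offset = addr - start  # byte offset of the access from the start of the array
    return {
        "access": (kind, size),
        "region_bytes": region_bytes,
        "element_type": elem_type,
        "elements_allocated": region_bytes // elem_size,
        "bad_index_range": (offset // elem_size, (offset + size - 1) // elem_size),
        "overrun_bytes": max(0, addr + size - end),
        "access_frame": first_engine_frame(access_stack),
        "alloc_frame": first_engine_frame(alloc_stack),
    }
```

For the report above the result is a three-element `Vector<Vector2>` (indices 0..2) from which the driver's memcpy read indices 3 and 4, i.e. two more elements than `immediate_vertex` ever pushed; that is the count mismatch to look for between the vertex count handed to the GL driver and the length of the per-vertex attribute array it uploads.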