I'm using SC-55.sf2 as the soundfont, if it may help.
Code:
=================================================================
==23150==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6290016e8a90 at pc 0x55555792dfd0 bp 0x7fffffffbec0 sp 0x7fffffffbeb0
READ of size 4 at 0x6290016e8a90 thread T0
    #0 0x55555792dfcf in rs_plain /home/edward-san/zdoom/gzdoom/trunk/src/sound/timidity/resample.cpp:77
    #1 0x555557930edb in Timidity::resample_voice(Timidity::Renderer*, Timidity::Voice*, int*) /home/edward-san/zdoom/gzdoom/trunk/src/sound/timidity/resample.cpp:545
    #2 0x555557925c9a in Timidity::mix_voice(Timidity::Renderer*, float*, Timidity::Voice*, int) /home/edward-san/zdoom/gzdoom/trunk/src/sound/timidity/mix.cpp:713
    #3 0x555557935cbd in Timidity::Renderer::ComputeOutput(float*, int) /home/edward-san/zdoom/gzdoom/trunk/src/sound/timidity/timidity.cpp:783
    #4 0x5555578a341d in TimidityMIDIDevice::ComputeOutput(float*, int) /home/edward-san/zdoom/gzdoom/trunk/src/sound/mididevices/music_timidity_mididevice.cpp:154
    #5 0x5555578a29a9 in SoftSynthMIDIDevice::ServiceStream(void*, int) /home/edward-san/zdoom/gzdoom/trunk/src/sound/mididevices/music_softsynth_mididevice.cpp:403
    #6 0x5555578a2df3 in SoftSynthMIDIDevice::FillStream(SoundStream*, void*, int, void*) /home/edward-san/zdoom/gzdoom/trunk/src/sound/mididevices/music_softsynth_mididevice.cpp:448
    #7 0x5555567ce816 in OpenALSoundStream::Play(bool, float) /home/edward-san/zdoom/gzdoom/trunk/src/sound/oalsound.cpp:336
    #8 0x5555578a1613 in SoftSynthMIDIDevice::Resume() /home/edward-san/zdoom/gzdoom/trunk/src/sound/mididevices/music_softsynth_mididevice.cpp:204
    #9 0x5555578c9000 in MIDIStreamer::InitPlayback() /home/edward-san/zdoom/gzdoom/trunk/src/sound/musicformats/music_midistream.cpp:378
    #10 0x5555578c8484 in MIDIStreamer::Play(bool, int) /home/edward-san/zdoom/gzdoom/trunk/src/sound/musicformats/music_midistream.cpp:297
    #11 0x555557888b01 in MusInfo::Start(bool, float, int) /home/edward-san/zdoom/gzdoom/trunk/src/sound/i_music.cpp:202
    #12 0x555556ff8dc3 in S_ChangeMusic(char const*, int, bool, bool) /home/edward-san/zdoom/gzdoom/trunk/src/s_sound.cpp:2737
    #13 0x555556c68724 in D_DoAdvanceDemo() /home/edward-san/zdoom/gzdoom/trunk/src/d_main.cpp:1288
    #14 0x555556c800d0 in TryRunTics() /home/edward-san/zdoom/gzdoom/trunk/src/d_net.cpp:1990
    #15 0x555556c6746c in D_DoomLoop() /home/edward-san/zdoom/gzdoom/trunk/src/d_main.cpp:1022
    #16 0x555556c70039 in D_DoomMain() /home/edward-san/zdoom/gzdoom/trunk/src/d_main.cpp:2693
    #17 0x555555d879d2 in main /home/edward-san/zdoom/gzdoom/trunk/src/posix/sdl/i_main.cpp:263
    #18 0x7ffff4edab96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
    #19 0x555555d78739 in _start (/home/edward-san/zdoom/gzdoom/trunk/debug-asan/gzdoom+0x824739)

0x6290016e8a90 is located 0 bytes to the right of 18576-byte region [0x6290016e4200,0x6290016e8a90)
allocated by thread T0 here:
    #0 0x7ffff6ef9970 in operator new[](unsigned long) (/usr/lib/x86_64-linux-gnu/libasan.so.5+0xef970)
    #1 0x55555792000b in SFFile::LoadSample(SFSample*) /home/edward-san/zdoom/gzdoom/trunk/src/sound/timidity/instrum_sf2.cpp:1517
    #2 0x55555791b97a in SFFile::LoadPercussion(Timidity::Renderer*, SFPerc*) /home/edward-san/zdoom/gzdoom/trunk/src/sound/timidity/instrum_sf2.cpp:1259
    #3 0x55555791706f in SFFile::LoadInstrumentOrder(Timidity::Renderer*, int, int, int, int) /home/edward-san/zdoom/gzdoom/trunk/src/sound/timidity/instrum_sf2.cpp:897
    #4 0x555557916ece in SFFile::LoadInstrument(Timidity::Renderer*, int, int, int) /home/edward-san/zdoom/gzdoom/trunk/src/sound/timidity/instrum_sf2.cpp:884
    #5 0x5555579127f3 in Timidity::load_instrument_font_order(Timidity::Renderer*, int, int, int, int) /home/edward-san/zdoom/gzdoom/trunk/src/sound/timidity/instrum_font.cpp:102
    #6 0x555557908bb8 in fill_bank /home/edward-san/zdoom/gzdoom/trunk/src/sound/timidity/instrum.cpp:586
    #7 0x5555579095a4 in Timidity::Renderer::load_missing_instruments() /home/edward-san/zdoom/gzdoom/trunk/src/sound/timidity/instrum.cpp:649
    #8 0x5555578a3306 in TimidityMIDIDevice::PrecacheInstruments(unsigned short const*, int) /home/edward-san/zdoom/gzdoom/trunk/src/sound/mididevices/music_timidity_mididevice.cpp:121
    #9 0x5555578c92dd in MIDIStreamer::StartPlayback() /home/edward-san/zdoom/gzdoom/trunk/src/sound/musicformats/music_midistream.cpp:400
    #10 0x5555578c8f40 in MIDIStreamer::InitPlayback() /home/edward-san/zdoom/gzdoom/trunk/src/sound/musicformats/music_midistream.cpp:371
    #11 0x5555578c8484 in MIDIStreamer::Play(bool, int) /home/edward-san/zdoom/gzdoom/trunk/src/sound/musicformats/music_midistream.cpp:297
    #12 0x555557888b01 in MusInfo::Start(bool, float, int) /home/edward-san/zdoom/gzdoom/trunk/src/sound/i_music.cpp:202
    #13 0x555556ff8dc3 in S_ChangeMusic(char const*, int, bool, bool) /home/edward-san/zdoom/gzdoom/trunk/src/s_sound.cpp:2737
    #14 0x555556c68724 in D_DoAdvanceDemo() /home/edward-san/zdoom/gzdoom/trunk/src/d_main.cpp:1288
    #15 0x555556c800d0 in TryRunTics() /home/edward-san/zdoom/gzdoom/trunk/src/d_net.cpp:1990
    #16 0x555556c6746c in D_DoomLoop() /home/edward-san/zdoom/gzdoom/trunk/src/d_main.cpp:1022
    #17 0x555556c70039 in D_DoomMain() /home/edward-san/zdoom/gzdoom/trunk/src/d_main.cpp:2693
    #18 0x555555d879d2 in main /home/edward-san/zdoom/gzdoom/trunk/src/posix/sdl/i_main.cpp:263
    #19 0x7ffff4edab96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/edward-san/zdoom/gzdoom/trunk/src/sound/timidity/resample.cpp:77 in rs_plain
Shadow bytes around the buggy address:
  0x0c52802d5100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c52802d5110: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c52802d5120: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c52802d5130: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c52802d5140: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c52802d5150: 00 00[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c52802d5160: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c52802d5170: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c52802d5180: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c52802d5190: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c52802d51a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==23150==ABORTING
Steps to reproduce:
Code:
gzdoom -iwad DOOM2.WAD +"snd_mididevice -4"