To reproduce immediately:
zdoom -iwad doom2.wad -warp 01 +screenblocks 10 +vid_aspect 4 +vid_defheight 500 +vid_defwidth 800
From gdb:
=================================================================
==8812==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60800003b50d at pc 0x0000005d6a34 bp 0x7fffffffbe10 sp 0x7fffffffbe00
READ of size 1 at 0x60800003b50d thread T0
    #0 0x5d6a33 in rt_map1col_c /home/edward-san/zdoom/trunk/src/r_drawt.cpp:176
    #1 0x5dd4b3 in rt_draw4cols(int) /home/edward-san/zdoom/trunk/src/r_drawt.cpp:967
    #2 0xc70683 in DCanvas::DrawTextureParms(FTexture*, DrawParms&) /home/edward-san/zdoom/trunk/src/v_draw.cpp:317
    #3 0xc6eee2 in DCanvas::DrawTexture(FTexture*, double, double, int, ...) /home/edward-san/zdoom/trunk/src/v_draw.cpp:129
    #4 0xe40346 in DSBarInfo::DrawString(FFont*, char const*, SBarInfoCoordinate, SBarInfoCoordinate, int, int, double, bool, EColorRange, int, bool, int, int) const /home/edward-san/zdoom/trunk/src/g_shared/sbarinfo.cpp:1501
    #5 0xe4604e in CommandDrawString::Draw(SBarInfoMainBlock const*, DSBarInfo const*) /home/edward-san/zdoom/trunk/src/g_shared/sbarinfo_commands.cpp:695
    #6 0xe38d58 in SBarInfoCommandFlowControl::Draw(SBarInfoMainBlock const*, DSBarInfo const*) /home/edward-san/zdoom/trunk/src/g_shared/sbarinfo.cpp:214
    #7 0xe3999d in SBarInfoMainBlock::Draw(SBarInfoMainBlock const*, DSBarInfo const*, int, int, double) /home/edward-san/zdoom/trunk/src/g_shared/sbarinfo.cpp:332
    #8 0xe3b66a in DSBarInfo::Draw(EHudState) /home/edward-san/zdoom/trunk/src/g_shared/sbarinfo.cpp:1089
    #9 0x8515e5 in D_Display() /home/edward-san/zdoom/trunk/src/d_main.cpp:815
    #10 0x852c99 in D_DoomLoop() /home/edward-san/zdoom/trunk/src/d_main.cpp:1015
    #11 0x859e98 in D_DoomMain() /home/edward-san/zdoom/trunk/src/d_main.cpp:2645
    #12 0x5acbb5 in main /home/edward-san/zdoom/trunk/src/posix/sdl/i_main.cpp:317
    #13 0x7ffff3be682f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #14 0x59dfc8 in _start (/home/edward-san/zdoom/trunk/debug_san/zdoom+0x59dfc8)

0x60800003b50d is located 14 bytes to the right of 95-byte region [0x60800003b4a0,0x60800003b4ff)
allocated by thread T0 here:
    #0 0x7ffff6f02602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
    #1 0x90a2d0 in M_Malloc_Dbg(unsigned long, char const*, int) /home/edward-san/zdoom/trunk/src/m_alloc.cpp:135
    #2 0x748f54 in FRemapTable::Alloc(int) /home/edward-san/zdoom/trunk/src/r_data/r_translate.cpp:112
    #3 0x74934e in FRemapTable::operator=(FRemapTable const&) /home/edward-san/zdoom/trunk/src/r_data/r_translate.cpp:169
    #4 0x74922d in FRemapTable::FRemapTable(FRemapTable const&) /home/edward-san/zdoom/trunk/src/r_data/r_translate.cpp:148
    #5 0xc8dbee in TArray<FRemapTable, FRemapTable>::Push(FRemapTable const&) /home/edward-san/zdoom/trunk/src/tarray.h:243
    #6 0xc8001a in FFont::BuildTranslations(double const*, unsigned char const*, void const*, int, PalEntry const*) /home/edward-san/zdoom/trunk/src/v_font.cpp:692
    #7 0xc89a34 in FSpecialFont::LoadTranslations() /home/edward-san/zdoom/trunk/src/v_font.cpp:2009
    #8 0xc8937f in FSpecialFont::FSpecialFont(char const*, int, int, FTexture**, bool const*, int) /home/edward-san/zdoom/trunk/src/v_font.cpp:1955
    #9 0xc8ab8a in V_InitCustomFonts() /home/edward-san/zdoom/trunk/src/v_font.cpp:2207
    #10 0xc8c4d3 in V_InitFonts() /home/edward-san/zdoom/trunk/src/v_font.cpp:2573
    #11 0xc1ddb9 in R_Init() /home/edward-san/zdoom/trunk/src/r_utility.cpp:339
    #12 0x859166 in D_DoomMain() /home/edward-san/zdoom/trunk/src/d_main.cpp:2461
    #13 0x5acbb5 in main /home/edward-san/zdoom/trunk/src/posix/sdl/i_main.cpp:317
    #14 0x7ffff3be682f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/edward-san/zdoom/trunk/src/r_drawt.cpp:176 rt_map1col_c
Shadow bytes around the buggy address:
  0x0c107ffff650: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 07
  0x0c107ffff660: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 07
  0x0c107ffff670: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 07
  0x0c107ffff680: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 07
  0x0c107ffff690: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 07
=>0x0c107ffff6a0: fa[fa]fa fa 00 00 00 00 00 00 00 00 00 00 00 07
  0x0c107ffff6b0: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 07
  0x0c107ffff6c0: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 07
  0x0c107ffff6d0: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 07
  0x0c107ffff6e0: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 07
  0x0c107ffff6f0: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 07
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable: 00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone: fa
  Heap right redzone: fb
  Freed heap region: fd
  Stack left redzone: f1
  Stack mid redzone: f2
  Stack right redzone: f3
  Stack partial redzone: f4
  Stack after return: f5
  Stack use after scope: f8
  Global redzone: f9
  Global init order: f6
  Poisoned by user: f7
  Container overflow: fc
  Array cookie: ac
  Intra object redzone: bb
  ASan internal: fe
==8812==ABORTING
#0  0x00000000005d6a34 in rt_map1col_c (hx=3, sx=43, yl=467, yh=469) at /home/edward-san/zdoom/trunk/src/r_drawt.cpp:176
        colormap = 0x60800003b4a0 ""
        source = 0x1787873 <dc_tempbuff+1875> "\022iimmjjmmjjmmjjmmjjmmjjmmjjmmjjmmiimmiimmiimmiimmiiooiiooiiooiinniinnkkmmkkmmjjoojjoojjookkookkooiiooiiookknnkknnkknnmmmmmmmm"
        dest = 0x7fffe185950b "mhhffiiihhjjjhhgggaaaaaeeeeeffgggddgggggggghhgggggccceedddcceeeggggggggggooggg``iii", 'g' <repeats 15 times>, "eeeeedddddeeiiieeggghhiiigghhhiiiiikkkkkiiiiillllljjkkkjjmmmhhjjjhheeeddhhhjjiiihhhhhhhmmmmmeeeffiiigg"...
        count = 1
        pitch = 856
#1  0x00000000005dd4b4 in rt_draw4cols (sx=40) at /home/edward-san/zdoom/trunk/src/r_drawt.cpp:967
        drawcount = 0
        x = 3
        bad = 0
        maxtop = 501
        minbot = 469
        minnexttop = 501
#2  0x0000000000c70684 in DCanvas::DrawTextureParms (this=0x61d000186080, img=0x60b0000a1890, parms=...) at /home/edward-san/zdoom/trunk/src/v_draw.cpp:317
        yscale = 2.34375
        frac = 104856
        stop4 = 72
        iyscale = 0.42666666666666669
        x2 = 75
        pixels = 0x611000212910 "\001\a\a\b\n\n\b\a\a\022\001\f\n\t\001\022\001\r\r\r\r\016\f\r\a\022\001\021\020\v\001\022\001\v\b\n\b\b\r\r\t\001\001\021\017\v\001\022\001\f\n\a\001\001\016\f\t\001\001\021\r\n\001\022\001\016\n\b\001\001\017\v\b\001\001\021\r\t\001\022\001\017\b\a\001\001\020\t\a\001\001\016\n\t\001\022\001\017\t\a\001\001\017\v\t\001\001\t\n\b\001\022\001\017\v\a\001\001\r\f\f\b\b\v\v\a\001\022\001\v\t\t\001\001\b\n\v\n\v\f\r\b\022\022\001\t\b\a\001\022\001\b\n\n\v\n\b\001\022"
        centeryback = 212.5
        xiscale = 0.40000000000000002
        x2_i = 75
        xiscale_i = 26214
        unmaskedSpan = {{TopOffset = 49216, Length = 65535}, {TopOffset = 32767, Length = 0}}
        spanptr = 0x7fffffffbf90
        spans = 0x6110000a5d3c
        bottomclipper = {500 <repeats 800 times>, 0 <repeats 4960 times>}
        topclipper = {499 <repeats 800 times>, 0 <repeats 4960 times>}
        translation = 0x60800003b4a0 ""
        mode = DoDraw1
        destorgsave = 0x7fffe17f7800 "\002\002\002\002\001\001\006\002\002\001\001\002\a\a\006\006\001\005\005o\005\005\006\006\002\006\001\001\002\002\002\002\002\002\002\002"
        x0 = 40
        y0 = 432.03125
        __PRETTY_FUNCTION__ = "virtual void DCanvas::DrawTextureParms(FTexture*, DrawParms&)"
#3  0x0000000000c6eee3 in DCanvas::DrawTexture (this=0x61d000186080, img=0x60b0000a1890, x=40, y=432.03125, tags_first=1073746863) at /home/edward-san/zdoom/trunk/src/v_draw.cpp:129
        tags = <error reading variable tags (Attempt to dereference a generic pointer.)>
        parms = {x = 40, y = 432.03125, texwidth = 14, texheight = 16, destwidth = 35, destheight = 37.5, virtWidth = 800, virtHeight = 500, windowleft = 0, windowright = 2147483647, cleanmode = 1073746824, dclip = 500, uclip = 0, lclip = 0, rclip = 800, top = 0, left = 0, Alpha = 1, fillcolor = 4294967295, remap = 0x61700003f8e0, colorOverlay = 0, alphaChannel = 0, flipX = 0, shadowAlpha = 0, shadowColor = 0, keepratio = 0, masked = 1, bilinear = 0, style = {{BlendOp = 1 '\001', SrcAlpha = 2 '\002', DestAlpha = 3 '\003', Flags = 2 '\002'}, AsDWORD = 33751553}, specialcolormap = 0x0, colormapstyle = 0x0, scalex = 1, scaley = 1, cellx = 0, celly = 0, maxstrlen = 2147483647, fortext = false, virtBottom = false}
        res = true
#4  0x0000000000e40347 in DSBarInfo::DrawString (this=0x611000215880, font=0x6130000bb440, cstring=0x60d0000ff0ac "50", x=..., y=..., xOffset=0, yOffset=0, Alpha=1, fullScreenOffsets=false, translation=CR_UNTRANSLATED, spacing=0, drawshadow=false, shadowX=2, shadowY=2) at /home/edward-san/zdoom/trunk/src/g_shared/sbarinfo.cpp:1501
        character = 0x60b0000a1890
        rx = 40
        rh = 37.5
        width = 14
        ry = 432.03125
        rw = 35
        ax = 16
        ay = 171
        xScale = 1
        yScale = 1
        str = 0x60d0000ff0ac "50"
        boldTranslation = CR_YELLOW
        remap = 0x61700003f8e0
#5  0x0000000000e4604f in CommandDrawString::Draw (this=0x60e00002e480, block=0x608000036420, statusBar=0x611000215880) at /home/edward-san/zdoom/trunk/src/g_shared/sbarinfo_commands.cpp:695
No locals.
#6  0x0000000000e38d59 in SBarInfoCommandFlowControl::Draw (this=0x608000036420, block=0x608000036420, statusBar=0x611000215880) at /home/edward-san/zdoom/trunk/src/g_shared/sbarinfo.cpp:214
        command = 0x60e00002e480
        __for_range = @0x608000036440: {<TArray<SBarInfoCommand*, SBarInfoCommand*>> = {Array = 0x610000027840, Most = 24, Count = 21}, <No data fields>}
        __for_begin = {m_ptr = 0x610000027858}
        __for_end = {m_ptr = 0x6100000278e8}
#7  0x0000000000e3999e in SBarInfoMainBlock::Draw (this=0x608000036420, block=0x0, statusBar=0x611000215880, xOffset=0, yOffset=0, alpha=1) at /home/edward-san/zdoom/trunk/src/g_shared/sbarinfo.cpp:332
No locals.
#8  0x0000000000e3b66b in DSBarInfo::Draw (this=0x611000215880, state=HUD_StatusBar) at /home/edward-san/zdoom/trunk/src/g_shared/sbarinfo.cpp:1089
        hud = 2
        oldhud_scale = false
#9  0x00000000008515e6 in D_Display () at /home/edward-san/zdoom/trunk/src/d_main.cpp:815
        nowtime = 3518
        wipe = false
        hw2d = false
        cycles = {Sec = -783604.13746771996}