Here's a small example. To reproduce the issue, load the example with an AddressSanitizer-enabled GZDoom build, enter "summon LampWeapon" into the console, pick it up, select it (slot 1), turn it on (primary fire), and turn it back off (primary fire).
=================================================================
==9441==ERROR: AddressSanitizer: heap-use-after-free on address 0x60800048c5b0 at pc 0x55b701141784 bp 0x7ffefcfefa70 sp 0x7ffefcfefa60
READ of size 4 at 0x60800048c5b0 thread T0
#0 0x55b701141783 in FDynamicLight::GetIntensity() const ../src/playsim/a_dynlight.h:218
#1 0x55b701138061 in FDynamicLight::Tick() ../src/playsim/a_dynlight.cpp:353
#2 0x55b70117143f in FThinkerCollection::RunThinkers(FLevelLocals*) ../src/playsim/dthinker.cpp:130
#3 0x55b700ff605f in P_Ticker() ../src/p_tick.cpp:171
#4 0x55b700d5ac1e in G_Ticker() ../src/g_game.cpp:1288
#5 0x55b700d32a6e in TryRunTics() ../src/d_net.cpp:1987
#6 0x55b700d0e7e4 in D_DoomLoop() ../src/d_main.cpp:1290
#7 0x55b700d1c915 in D_DoomMain_Internal ../src/d_main.cpp:3653
#8 0x55b700d1d175 in GameMain() ../src/d_main.cpp:3683
#9 0x55b7005bbd3b in main ../src/common/platform/posix/sdl/i_main.cpp:194
#10 0x7fb40eefb0b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
#11 0x55b7005ad9cd in _start (/home/kevinc/Games/doom/gzdoom-master-20210531/gzdooma+0x9009cd)
0x60800048c5b0 is located 16 bytes inside of 96-byte region [0x60800048c5a0,0x60800048c600)
freed by thread T0 here:
#0 0x7fb40fb83025 in operator delete(void*, unsigned long) (/usr/lib/x86_64-linux-gnu/libasan.so.5+0x111025)
#1 0x55b70113f09a in RemoveLight(AActor*, int) ../src/playsim/a_dynlight.cpp:931
#2 0x7fb3f7a91304 (<unknown module>)
previously allocated by thread T0 here:
#0 0x7fb40fb81947 in operator new(unsigned long) (/usr/lib/x86_64-linux-gnu/libasan.so.5+0x10f947)
#1 0x55b70113cfdb in FindUserLight(AActor*, FName, bool) ../src/playsim/a_dynlight.cpp:827
#2 0x55b70113d285 in AttachLightDef(AActor*, int, int) ../src/playsim/a_dynlight.cpp:850
#3 0x7fb3f7a9121f (<unknown module>)
SUMMARY: AddressSanitizer: heap-use-after-free ../src/playsim/a_dynlight.h:218 in FDynamicLight::GetIntensity() const
Shadow bytes around the buggy address:
0x0c1080089860: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c1080089870: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c1080089880: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c1080089890: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c10800898a0: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c10800898b0: fa fa fa fa fd fd[fd]fd fd fd fd fd fd fd fd fd
0x0c10800898c0: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
0x0c10800898d0: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
0x0c10800898e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c10800898f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c1080089900: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==9441==ABORTING
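The trace above has the three stacks every ASan heap-use-after-free report carries: where the freed memory was read (FDynamicLight::Tick via the thinker loop), where it was freed (RemoveLight), and where it was allocated (FindUserLight via AttachLightDef). The shape those three stacks suggest is an object deleted on one path while a separate, non-owning collection still holds a pointer to it and keeps ticking it. The following is an added, self-contained C++ model of that pattern and of the usual fix (unlink from every non-owning list before freeing). It is illustrative code written for this page, not GZDoom source; the names Light, ThinkerList, LightOwner, attach, remove_buggy and remove_fixed are invented, and whether GZDoom's actual bug has exactly this shape is an assumption drawn only from the report.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdio>
#include <memory>
#include <vector>

// Hypothetical stand-in for the light object; 'intensity' plays the role of
// the field that GetIntensity() reads in the trace.
struct Light {
    int id;
    int intensity;
};

// Hypothetical stand-in for the thinker collection: non-owning raw pointers
// that get ticked every frame. Not GZDoom code.
struct ThinkerList {
    std::vector<Light*> thinkers;

    // The RunThinkers()-style loop: reads every registered light.
    int run() {
        int total = 0;
        for (Light* l : thinkers) {
            total += l->intensity;   // the read the ASan report flags
        }
        return total;
    }

    // Drop a pointer from the list without touching the pointee.
    void unlink(Light* l) {
        thinkers.erase(std::remove(thinkers.begin(), thinkers.end(), l),
                       thinkers.end());
    }
};

// Hypothetical owner of the lights: the side that allocates (the
// "previously allocated by" stack) and frees (the "freed by" stack).
struct LightOwner {
    std::vector<std::unique_ptr<Light>> lights;

    Light* attach(ThinkerList& tl, int id, int intensity) {
        lights.push_back(std::make_unique<Light>(Light{id, intensity}));
        Light* raw = lights.back().get();
        tl.thinkers.push_back(raw);   // registered for ticking, not owned
        return raw;
    }

    // Buggy removal: frees the object but leaves its pointer in the thinker
    // list. The next tl.run() would be a heap-use-after-free, and ASan would
    // name this function in the "freed by" stack and run() in the READ stack.
    void remove_buggy(int id) {
        lights.erase(std::remove_if(lights.begin(), lights.end(),
                         [id](const std::unique_ptr<Light>& l) { return l->id == id; }),
                     lights.end());
    }

    // Fixed removal: unlink from every non-owning collection first, then free.
    void remove_fixed(ThinkerList& tl, int id) {
        auto it = std::find_if(lights.begin(), lights.end(),
                               [id](const std::unique_ptr<Light>& l) { return l->id == id; });
        if (it == lights.end()) return;
        tl.unlink(it->get());
        lights.erase(it);
    }
};

// Fixed path: remove light 1, tick, and only light 2 (intensity 5) is read.
int tick_after_fixed_remove() {
    ThinkerList tl;
    LightOwner owner;
    owner.attach(tl, 1, 3);
    owner.attach(tl, 2, 5);
    owner.remove_fixed(tl, 1);
    return tl.run();
}

// Buggy path: count the stale entries without dereferencing them (calling
// tl.run() here would be the real use-after-free; under ASan it would abort
// with a report shaped like the one above).
std::size_t dangling_after_buggy_remove() {
    ThinkerList tl;
    LightOwner owner;
    owner.attach(tl, 1, 3);
    owner.attach(tl, 2, 5);
    owner.remove_buggy(1);
    return tl.thinkers.size() - owner.lights.size();   // one stale pointer
}

int main() {
    std::printf("ticked intensity after fixed remove: %d\n", tick_after_fixed_remove());
    std::printf("stale thinker entries after buggy remove: %zu\n", dangling_after_buggy_remove());
    return 0;
}
```

When reading a report like this one, check whether the "freed by" site is reachable while the object is still registered somewhere that the READ site iterates; if it is, the fix belongs at the free site (unlink first, or defer the free until the tick loop is done), not at the read.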