ZDoom

[Talon1024]

When A_RemoveLight is called, it causes a heap-use-after-free error according to AddressSanitizer.

Here's a small example. To reproduce the issue, load the example with an AddressSanitizer-enabled GZDoom build, enter "summon LampWeapon" into the console, pick it up, select it (slot 1), turn it on (primary fire), and turn it back off (primary fire)

Code: Select all • Expand view

=================================================================
==9441==ERROR: AddressSanitizer: heap-use-after-free on address 0x60800048c5b0 at pc 0x55b701141784 bp 0x7ffefcfefa70 sp 0x7ffefcfefa60
READ of size 4 at 0x60800048c5b0 thread T0
    #0 0x55b701141783 in FDynamicLight::GetIntensity() const ../src/playsim/a_dynlight.h:218
    #1 0x55b701138061 in FDynamicLight::Tick() ../src/playsim/a_dynlight.cpp:353
    #2 0x55b70117143f in FThinkerCollection::RunThinkers(FLevelLocals*) ../src/playsim/dthinker.cpp:130
    #3 0x55b700ff605f in P_Ticker() ../src/p_tick.cpp:171
    #4 0x55b700d5ac1e in G_Ticker() ../src/g_game.cpp:1288
    #5 0x55b700d32a6e in TryRunTics() ../src/d_net.cpp:1987
    #6 0x55b700d0e7e4 in D_DoomLoop() ../src/d_main.cpp:1290
    #7 0x55b700d1c915 in D_DoomMain_Internal ../src/d_main.cpp:3653
    #8 0x55b700d1d175 in GameMain() ../src/d_main.cpp:3683
    #9 0x55b7005bbd3b in main ../src/common/platform/posix/sdl/i_main.cpp:194
    #10 0x7fb40eefb0b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
    #11 0x55b7005ad9cd in _start (/home/kevinc/Games/doom/gzdoom-master-20210531/gzdooma+0x9009cd)

0x60800048c5b0 is located 16 bytes inside of 96-byte region [0x60800048c5a0,0x60800048c600)
freed by thread T0 here:
    #0 0x7fb40fb83025 in operator delete(void*, unsigned long) (/usr/lib/x86_64-linux-gnu/libasan.so.5+0x111025)
    #1 0x55b70113f09a in RemoveLight(AActor*, int) ../src/playsim/a_dynlight.cpp:931
    #2 0x7fb3f7a91304  (<unknown module>)

previously allocated by thread T0 here:
    #0 0x7fb40fb81947 in operator new(unsigned long) (/usr/lib/x86_64-linux-gnu/libasan.so.5+0x10f947)
    #1 0x55b70113cfdb in FindUserLight(AActor*, FName, bool) ../src/playsim/a_dynlight.cpp:827
    #2 0x55b70113d285 in AttachLightDef(AActor*, int, int) ../src/playsim/a_dynlight.cpp:850
    #3 0x7fb3f7a9121f  (<unknown module>)

SUMMARY: AddressSanitizer: heap-use-after-free ../src/playsim/a_dynlight.h:218 in FDynamicLight::GetIntensity() const
Shadow bytes around the buggy address:
  0x0c1080089860: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1080089870: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1080089880: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1080089890: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c10800898a0: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c10800898b0: fa fa fa fa fd fd[fd]fd fd fd fd fd fd fd fd fd
  0x0c10800898c0: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c10800898d0: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c10800898e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c10800898f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1080089900: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==9441==ABORTING


[Graf Zahl]

Should be fixed now.