```
=================================================================
==8686==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6290018d24b0 at pc 0x00010042aa83 bp 0x700004e201b0 sp 0x700004e201a8
READ of size 4 at 0x6290018d24b0 thread T8
    #0 0x10042aa82 in swrenderer::DrawSpan32T<swrenderer::DrawSpan32TModes::OpaqueSpan>::Execute(DrawerThread*) r_draw_span32_sse2.h:307
    #1 0x1001fe592 in DrawerThreads::WorkerMain(DrawerThread*) r_thread.cpp:166
    #2 0x1004d93b6 in DrawerThreads::StartThreads()::$_3::operator()() const r_thread.cpp:216
    #3 0x1004d8ebb in void* std::__1::__thread_proxy<std::__1::tuple<std::__1::unique_ptr<std::__1::__thread_struct, std::__1::default_delete<std::__1::__thread_struct> >, DrawerThreads::StartThreads()::$_3> >(void*) type_traits:4428
    #4 0x7fff6883e304 in _pthread_body (libsystem_pthread.dylib:x86_64+0x3304)
    #5 0x7fff6884126e in _pthread_start (libsystem_pthread.dylib:x86_64+0x626e)
    #6 0x7fff6883d414 in thread_start (libsystem_pthread.dylib:x86_64+0x2414)

0x6290018d24b0 is located 688 bytes to the right of 16384-byte region [0x6290018ce200,0x6290018d2200)
allocated by thread T0 here:
    #0 0x1055762d7 in wrap_realloc (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x572d7)
    #1 0x10280818e in M_Realloc_Dbg(void*, unsigned long, char const*, int) m_alloc.cpp:152
    #2 0x10033df07 in TArray<unsigned int, unsigned int>::DoResize() tarray.h:533
    #3 0x10033dcc9 in TArray<unsigned int, unsigned int>::Grow(unsigned int) tarray.h:425
    #4 0x10030390b in TArray<unsigned int, unsigned int>::Resize(unsigned int) tarray.h:434
    #5 0x1027623d5 in FWarpTexture::GetPixelsBgra() warptexture.cpp:63
    #6 0x10275cc2d in FSoftwareTexture::GetColumnBgra(unsigned int, FSoftwareTextureSpan const**) r_swtexture.cpp:224
    #7 0x10018eb9b in FSoftwareRenderer::PrecacheTexture(FTexture*, int) r_swrenderer.cpp:115
    #8 0x10018fe40 in FSoftwareRenderer::Precache(unsigned char*, TMap<PClassActor*, bool, THashTraits<PClassActor*>, TValueTraits<bool> >&) r_swrenderer.cpp:181
    #9 0x10180b661 in PrecacheLevel(FLevelLocals*) p_setup.cpp:201
    #10 0x101808eac in P_SetupLevel(FLevelLocals*, int, bool) p_setup.cpp:517
    #11 0x1014b2d55 in FLevelLocals::DoLoadLevel(FString const&, int, bool, bool) g_level.cpp:1112
    #12 0x1014aab87 in G_DoLoadLevel(FString const&, int, bool, bool) g_level.cpp:1000
    #13 0x1014aa436 in G_InitNew(char const*, bool) g_level.cpp:545
    #14 0x101416d55 in D_DoAdvanceDemo() d_main.cpp:1260
    #15 0x10143b615 in TryRunTics() d_net.cpp:1947
    #16 0x1014168c8 in D_DoomLoop() d_main.cpp:1034
    #17 0x10141e6f3 in D_DoomMain() d_main.cpp:2713
    - omissis -

Thread T8 created by T0 here:
    #0 0x10556dead in wrap_pthread_create (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x4eead)
    #1 0x1004d8121 in std::__1::thread::thread<DrawerThreads::StartThreads()::$_3, void>(DrawerThreads::StartThreads()::$_3&&) __threading_support:336
    #2 0x1001ffd0c in std::__1::thread::thread<DrawerThreads::StartThreads()::$_3, void>(DrawerThreads::StartThreads()::$_3&&) thread:360
    #3 0x1001f6c36 in DrawerThreads::StartThreads() r_thread.cpp:216
    #4 0x1001f542f in DrawerThreads::Execute(std::__1::shared_ptr<DrawerCommandQueue>) r_thread.cpp:69
    #5 0x1002c605b in swrenderer::RenderScene::RenderThreadSlice(swrenderer::RenderThread*) r_scene.cpp:310
    #6 0x1002bd3ea in swrenderer::RenderScene::RenderThreadSlices() r_scene.cpp:236
    #7 0x1002bab70 in swrenderer::RenderScene::RenderActorView(AActor*, bool) r_scene.cpp:176
    #8 0x100191c69 in swrenderer::RenderScene::RenderView(player_t*, DCanvas*, void*) r_scene.cpp:132
    #9 0x100190aeb in FSoftwareRenderer::RenderView(player_t*, DCanvas*, void*) r_swrenderer.cpp:200
    #10 0x100517bbf in SWSceneDrawer::RenderView(player_t*) r_swscene.cpp:111
    #11 0x101bd7349 in OpenGLRenderer::FGLRenderer::RenderView(player_t*) gl_renderer.cpp:230
    #12 0x101c49c0d in OpenGLRenderer::OpenGLFrameBuffer::RenderView(player_t*) gl_framebuffer.cpp:207
    #13 0x1014299cf in D_Display()::$_0::operator()() const d_main.cpp:786
    #14 0x10142987c in void std::__1::__invoke_void_return_wrapper<void>::__call<D_Display()::$_0&>(D_Display()::$_0&&&) type_traits:4428
    #15 0x101429718 in std::__1::__function::__func<D_Display()::$_0, std::__1::allocator<D_Display()::$_0>, void ()>::operator()() functional:1562
    #16 0x10002a691 in std::__1::function<void ()>::operator()() const functional:1913
    #17 0x10141082b in D_Render(std::__1::function<void ()>, bool) d_main.cpp:377
    #18 0x1014132c6 in D_Display() d_main.cpp:784
    #19 0x1014168e1 in D_DoomLoop() d_main.cpp:1038
    #20 0x10141e6f3 in D_DoomMain() d_main.cpp:2713
    - omissis -

SUMMARY: AddressSanitizer: heap-buffer-overflow r_draw_span32_sse2.h:307 in swrenderer::DrawSpan32T<swrenderer::DrawSpan32TModes::OpaqueSpan>::Execute(DrawerThread*)
Shadow bytes around the buggy address:
  0x1c520031a440: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c520031a450: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c520031a460: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c520031a470: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c520031a480: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x1c520031a490: fa fa fa fa fa fa[fa]fa fa fa fa fa fa fa fa fa
  0x1c520031a4a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c520031a4b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c520031a4c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c520031a4d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c520031a4e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
```

I got the values of the args of the crashing function:
```
(uint32_t) width = 32
(uint32_t) height = 32
(uint32_t) xone = 134217728
(uint32_t) yone = 134217728
(uint32_t) xstep = 39396284
(uint32_t) ystep = 0
(uint32_t) xfrac = 786861999
(uint32_t) yfrac = 1632337501
(const uint32_t *) source = 0x00006290018d2200
```
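As an added triage helper (not part of the post above or of the GZDoom source), this script parses the ASan lines quoted in the report and relates the faulting address to both the heap region ASan matched it to and the `source` pointer shown by the debugger; the 4 bytes per BGRA pixel used to convert byte offsets into texel indices is an assumption.

```python
import re

# Constructed from the AddressSanitizer report quoted in the post above.
ASAN_REPORT = """\
==8686==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6290018d24b0 at pc 0x00010042aa83 bp 0x700004e201b0 sp 0x700004e201a8
READ of size 4 at 0x6290018d24b0 thread T8
0x6290018d24b0 is located 688 bytes to the right of 16384-byte region [0x6290018ce200,0x6290018d2200)
"""

# Debugger values of the crashing function's arguments, as posted.
ARGS = {"width": 32, "height": 32, "source": 0x00006290018d2200}

ACCESS_RE = re.compile(r"(READ|WRITE) of size (\d+) at (0x[0-9a-f]+)")
REGION_RE = re.compile(
    r"(0x[0-9a-f]+) is located (\d+) bytes to the (left|right) of "
    r"(\d+)-byte region \[(0x[0-9a-f]+),(0x[0-9a-f]+)\)")

def parse_report(text):
    """Extract the faulting access and the heap region ASan matched it to."""
    acc = ACCESS_RE.search(text)
    reg = REGION_RE.search(text)
    if not acc or not reg:
        raise ValueError("not a heap-buffer-overflow report with a region line")
    return {
        "op": acc.group(1), "size": int(acc.group(2)), "addr": int(acc.group(3), 16),
        "distance": int(reg.group(2)), "side": reg.group(3),
        "region_size": int(reg.group(4)),
        "region_start": int(reg.group(5), 16), "region_end": int(reg.group(6), 16),
    }

def triage(rep, args, bytes_per_pixel=4):
    """Relate the bad address to the region and to the pointer the drawer was given."""
    region_bytes = rep["region_end"] - rep["region_start"]
    # Cross-check ASan's own numbers: bracket width vs stated size, and
    # "N bytes to the right" is measured from the end of the region.
    if region_bytes != rep["region_size"] or rep["addr"] - rep["region_end"] != rep["distance"]:
        raise ValueError("report is internally inconsistent")
    return {
        # Last byte of the faulting read, as an offset past the region end.
        "access_end_offset": rep["addr"] + rep["size"] - rep["region_end"],
        # Does the pointer handed to the drawer even point into the allocation?
        "source_inside_region": rep["region_start"] <= args["source"] < rep["region_end"],
        "source_offset": args["source"] - rep["region_start"],
        # Texel counts: what the buffer holds vs what width*height implies (4 B/pixel assumed).
        "pixels_in_region": region_bytes // bytes_per_pixel,
        "pixels_expected": args["width"] * args["height"],
        "bad_index_from_source": (rep["addr"] - args["source"]) // bytes_per_pixel,
    }
```

For the posted values, `source` sits exactly at the region end (offset 16384 of a 16384-byte region), so the drawer was already reading one past the allocation before any texel index was applied.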