Resolve crash on inventory pickup #647
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Commit d185ab9 broke the pointer-moving logic. When the allweapons cheat is executed or when e.g. the afterburner is picked up, ASAN terminates the program with: ``` ==8330==ERROR: AddressSanitizer: heap-use-after-free on address 0x50f00007ab60 at pc 0x7f23334f6843 bp 0x7ffe724d2b10 sp 0x7ffe724d22d0 READ of size 3 at 0x50f00007ab60 thread T0 f0 strdup f1 Inventory::AddCounterMeasure(int, int, int, int, char const*) Descent3/Inventory.cpp:575 f2 Inventory::Add(int, int, object*, int, int, int, char const*) Descent3/Inventory.cpp:520 f3 DemoCheats(int) Descent3/GameCheat.cpp:606 f4 ProcessKeys() Descent3/GameLoop.cpp:2420 f5 GameFrame() Descent3/GameLoop.cpp:2956 f6 GameSequencer() Descent3/gamesequence.cpp:1212 f7 PlayGame() Descent3/game.cpp:826 f8 MainLoop() Descent3/descent.cpp:554 f9 Descent3() Descent3/descent.cpp:507 f10 oeD3LnxApp::run() Descent3/sdlmain.cpp:142 f11 main Descent3/sdlmain.cpp:323 0x50f00007ab60 is located 0 bytes inside of 175-byte region [0x50f00007ab60,0x50f00007ac0f) freed by thread T0 here: f1 mng_LoadNetGenericPage(CFILE*, bool) manage/generic.cpp:2216 f2 mng_LoadNetPages(int) manage/manage.cpp:1281 f3 mng_LoadTableFiles(int) manage/manage.cpp:648 f4 InitD3Systems2(bool) Descent3/init.cpp:1891 f5 Descent3() Descent3/descent.cpp:503 f6 oeD3LnxApp::run() Descent3/sdlmain.cpp:142 f7 main Descent3/sdlmain.cpp:323 previously allocated by thread T0 here: f0 malloc f1 mem_rmalloc<char> mem/mem.h:138 f2 mng_ReadNewGenericPage(CFILE*, mngs_generic_page*) manage/generic.cpp:1145 f3 mng_LoadNetGenericPage(CFILE*, bool) manage/generic.cpp:2196 f4 mng_LoadNetPages(int) manage/manage.cpp:1281 f5 mng_LoadTableFiles(int) manage/manage.cpp:648 f6 InitD3Systems2(bool) Descent3/init.cpp:1891 f7 Descent3() Descent3/descent.cpp:503 f8 oeD3LnxApp::run() Descent3/sdlmain.cpp:142 f9 main Descent3/sdlmain.cpp:323 ``` The pointer value of mngs_generic_page::description was copied to object_info::description (by function ``mng_AssignGenericPageToObjInfo``) and then the page was freed in ``mng_LoadNetGenericPage``, leaving object_info::description non-NULL and dangling. Fixes: d185ab9
Lgt2x
approved these changes
Nov 25, 2024
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Commit d185ab9 broke the pointer-moving logic. When the allweapons cheat is executed or when e.g. the afterburner is picked up, ASAN terminates the program with:
The pointer value of mngs_generic_page::description was copied to object_info::description (by function
mng_AssignGenericPageToObjInfo) and then the page was freed inmng_LoadNetGenericPage, leaving object_info::description non-NULL and dangling.Fixes: d185ab9
Pull Request Type
Checklist