Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Array overflow in LineBuilder::strip_add_tri #29408

Closed
qarmin opened this issue Jun 2, 2019 · 2 comments
Closed

Array overflow in LineBuilder::strip_add_tri #29408

qarmin opened this issue Jun 2, 2019 · 2 comments
Labels
bug topic:rendering
Milestone
3.2

Comments

@qarmin
Copy link
Contributor

qarmin commented Jun 2, 2019
edited
Loading

Godot version:
3.2.dev.custom_build. a69436a

OS/device including version:
Ubuntu 19.04

Issue description:
Log

Invalid read of size 8
   at 0x1856C3C: CowData<Color>::set(int, Color const&) (cowdata.h:139)
   by 0x1855C0D: Vector<Color>::set(int, Color const&) (vector.h:82)
   by 0x1854BAC: Vector<Color>::push_back(Color const&) (vector.h:154)
   by 0x2DBD260: LineBuilder::strip_add_tri(Vector2, LineBuilder::Orientation) (line_builder.cpp:487)
   by 0x2DBD56C: LineBuilder::strip_add_arc(Vector2, float, LineBuilder::Orientation) (line_builder.cpp:526)
   by 0x2DBC6BC: LineBuilder::build() (line_builder.cpp:356)
   by 0x2DB1B6E: Line2D::_draw() (line_2d.cpp:278)
   by 0x2DB17E4: Line2D::_notification(int) (line_2d.cpp:215)
   by 0x2DB56A9: Line2D::_notificationv(int, bool) (line_2d.h:38)
   by 0x36776FD: Object::notification(int, bool) (object.cpp:950)
   by 0x2D47D7F: CanvasItem::_update_callback() (canvas_item.cpp:454)
   by 0x1426CF2: MethodBind0::call(Object*, Variant const**, int, Variant::CallError&) (method_bind.gen.inc:59)
 Address 0x14321008 is 136 bytes inside a block of size 144 free'd
   at 0x5831D4B: realloc (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
   by 0x37B1F62: Memory::realloc_static(void*, unsigned long, bool) (memory.cpp:140)
   by 0x1855394: CowData<Color>::resize(int) (cowdata.h:282)
   by 0x1853D23: Vector<Color>::resize(int) (vector.h:84)
   by 0x1854B45: Vector<Color>::push_back(Color const&) (vector.h:152)
   by 0x2DBD260: LineBuilder::strip_add_tri(Vector2, LineBuilder::Orientation) (line_builder.cpp:487)
   by 0x2DBD56C: LineBuilder::strip_add_arc(Vector2, float, LineBuilder::Orientation) (line_builder.cpp:526)
   by 0x2DBC6BC: LineBuilder::build() (line_builder.cpp:356)
   by 0x2DB1B6E: Line2D::_draw() (line_2d.cpp:278)
   by 0x2DB17E4: Line2D::_notification(int) (line_2d.cpp:215)
   by 0x2DB56A9: Line2D::_notificationv(int, bool) (line_2d.h:38)
   by 0x36776FD: Object::notification(int, bool) (object.cpp:950)
 Block was alloc'd at
   at 0x5831D4B: realloc (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
   by 0x37B1F62: Memory::realloc_static(void*, unsigned long, bool) (memory.cpp:140)
   by 0x1855394: CowData<Color>::resize(int) (cowdata.h:282)
   by 0x1853D23: Vector<Color>::resize(int) (vector.h:84)
   by 0x1854B45: Vector<Color>::push_back(Color const&) (vector.h:152)
   by 0x2DBD079: LineBuilder::strip_add_quad(Vector2, Vector2, Color, float) (line_builder.cpp:462)
   by 0x2DBC3DE: LineBuilder::build() (line_builder.cpp:304)
   by 0x2DB1B6E: Line2D::_draw() (line_2d.cpp:278)
   by 0x2DB17E4: Line2D::_notification(int) (line_2d.cpp:215)
   by 0x2DB56A9: Line2D::_notificationv(int, bool) (line_2d.h:38)
   by 0x36776FD: Object::notification(int, bool) (object.cpp:950)
   by 0x2D47D7F: CanvasItem::_update_callback() (canvas_item.cpp:454)

Invalid read of size 8
   at 0x1856C40: CowData<Color>::set(int, Color const&) (cowdata.h:139)
   by 0x1855C0D: Vector<Color>::set(int, Color const&) (vector.h:82)
   by 0x1854BAC: Vector<Color>::push_back(Color const&) (vector.h:154)
   by 0x2DBD260: LineBuilder::strip_add_tri(Vector2, LineBuilder::Orientation) (line_builder.cpp:487)
   by 0x2DBD56C: LineBuilder::strip_add_arc(Vector2, float, LineBuilder::Orientation) (line_builder.cpp:526)
   by 0x2DBC6BC: LineBuilder::build() (line_builder.cpp:356)
   by 0x2DB1B6E: Line2D::_draw() (line_2d.cpp:278)
   by 0x2DB17E4: Line2D::_notification(int) (line_2d.cpp:215)
   by 0x2DB56A9: Line2D::_notificationv(int, bool) (line_2d.h:38)
   by 0x36776FD: Object::notification(int, bool) (object.cpp:950)
   by 0x2D47D7F: CanvasItem::_update_callback() (canvas_item.cpp:454)
   by 0x1426CF2: MethodBind0::call(Object*, Variant const**, int, Variant::CallError&) (method_bind.gen.inc:59)
 Address 0x14321000 is 128 bytes inside a block of size 144 free'd
   at 0x5831D4B: realloc (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
   by 0x37B1F62: Memory::realloc_static(void*, unsigned long, bool) (memory.cpp:140)
   by 0x1855394: CowData<Color>::resize(int) (cowdata.h:282)
   by 0x1853D23: Vector<Color>::resize(int) (vector.h:84)
   by 0x1854B45: Vector<Color>::push_back(Color const&) (vector.h:152)
   by 0x2DBD260: LineBuilder::strip_add_tri(Vector2, LineBuilder::Orientation) (line_builder.cpp:487)
   by 0x2DBD56C: LineBuilder::strip_add_arc(Vector2, float, LineBuilder::Orientation) (line_builder.cpp:526)
   by 0x2DBC6BC: LineBuilder::build() (line_builder.cpp:356)
   by 0x2DB1B6E: Line2D::_draw() (line_2d.cpp:278)
   by 0x2DB17E4: Line2D::_notification(int) (line_2d.cpp:215)
   by 0x2DB56A9: Line2D::_notificationv(int, bool) (line_2d.h:38)
   by 0x36776FD: Object::notification(int, bool) (object.cpp:950)
 Block was alloc'd at
   at 0x5831D4B: realloc (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
   by 0x37B1F62: Memory::realloc_static(void*, unsigned long, bool) (memory.cpp:140)
   by 0x1855394: CowData<Color>::resize(int) (cowdata.h:282)
   by 0x1853D23: Vector<Color>::resize(int) (vector.h:84)
   by 0x1854B45: Vector<Color>::push_back(Color const&) (vector.h:152)
   by 0x2DBD079: LineBuilder::strip_add_quad(Vector2, Vector2, Color, float) (line_builder.cpp:462)
   by 0x2DBC3DE: LineBuilder::build() (line_builder.cpp:304)
   by 0x2DB1B6E: Line2D::_draw() (line_2d.cpp:278)
   by 0x2DB17E4: Line2D::_notification(int) (line_2d.cpp:215)
   by 0x2DB56A9: Line2D::_notificationv(int, bool) (line_2d.h:38)
   by 0x36776FD: Object::notification(int, bool) (object.cpp:950)
   by 0x2D47D7F: CanvasItem::_update_callback() (canvas_item.cpp:454)

Invalid read of size 8
   at 0x13E819D: CowData<Vector2>::set(int, Vector2 const&) (cowdata.h:139)
   by 0x13E7A71: Vector<Vector2>::set(int, Vector2 const&) (vector.h:82)
   by 0x13E6482: Vector<Vector2>::push_back(Vector2 const&) (vector.h:154)
   by 0x2DBD2B7: LineBuilder::strip_add_tri(Vector2, LineBuilder::Orientation) (line_builder.cpp:495)
   by 0x2DBC626: LineBuilder::build() (line_builder.cpp:352)
   by 0x2DB1B6E: Line2D::_draw() (line_2d.cpp:278)
   by 0x2DB17E4: Line2D::_notification(int) (line_2d.cpp:215)
   by 0x2DB56A9: Line2D::_notificationv(int, bool) (line_2d.h:38)
   by 0x36776FD: Object::notification(int, bool) (object.cpp:950)
   by 0x2D47D7F: CanvasItem::_update_callback() (canvas_item.cpp:454)
   by 0x1426CF2: MethodBind0::call(Object*, Variant const**, int, Variant::CallError&) (method_bind.gen.inc:59)
   by 0x3677584: Object::call(StringName const&, Variant const**, int, Variant::CallError&) (object.cpp:940)
 Address 0x1463a770 is 32 bytes inside a block of size 48 free'd
   at 0x5831D4B: realloc (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
   by 0x37B1F62: Memory::realloc_static(void*, unsigned long, bool) (memory.cpp:140)
   by 0x13E7142: CowData<Vector2>::resize(int) (cowdata.h:282)
   by 0x13E5D8F: Vector<Vector2>::resize(int) (vector.h:84)
   by 0x13E641B: Vector<Vector2>::push_back(Vector2 const&) (vector.h:152)
   by 0x2DBD2B7: LineBuilder::strip_add_tri(Vector2, LineBuilder::Orientation) (line_builder.cpp:495)
   by 0x2DBC626: LineBuilder::build() (line_builder.cpp:352)
   by 0x2DB1B6E: Line2D::_draw() (line_2d.cpp:278)
   by 0x2DB17E4: Line2D::_notification(int) (line_2d.cpp:215)
   by 0x2DB56A9: Line2D::_notificationv(int, bool) (line_2d.h:38)
   by 0x36776FD: Object::notification(int, bool) (object.cpp:950)
   by 0x2D47D7F: CanvasItem::_update_callback() (canvas_item.cpp:454)
 Block was alloc'd at
   at 0x5831D4B: realloc (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
   by 0x37B1F62: Memory::realloc_static(void*, unsigned long, bool) (memory.cpp:140)
   by 0x13E7142: CowData<Vector2>::resize(int) (cowdata.h:282)
   by 0x13E5D8F: Vector<Vector2>::resize(int) (vector.h:84)
   by 0x13E641B: Vector<Vector2>::push_back(Vector2 const&) (vector.h:152)
   by 0x2DBD0E0: LineBuilder::strip_add_quad(Vector2, Vector2, Color, float) (line_builder.cpp:467)
   by 0x2DBC3DE: LineBuilder::build() (line_builder.cpp:304)
   by 0x2DB1B6E: Line2D::_draw() (line_2d.cpp:278)
   by 0x2DB17E4: Line2D::_notification(int) (line_2d.cpp:215)
   by 0x2DB56A9: Line2D::_notificationv(int, bool) (line_2d.h:38)
   by 0x36776FD: Object::notification(int, bool) (object.cpp:950)
   by 0x2D47D7F: CanvasItem::_update_callback() (canvas_item.cpp:454)

Minimal reproduction project:
https://github.com/qarmin/The-worst-Godot-test-project/
commit 5fb1ed244250b54a9d5f0b3a8399b1930459b3d7

Bug.zip
@Zylann
Copy link
Contributor

Zylann commented Jun 3, 2019
edited
Loading

It looks like strip_add_tri was called at a time where there was no previous vertices, which is a wrong use of the function as well (i.e maybe strip_begin() was never called). However, that would be an underflow. If it really is an overflow, the problem could be totally different.

@qarmin qarmin mentioned this issue Aug 23, 2019
Closed
@lawnjelly lawnjelly mentioned this issue Aug 28, 2019
Closed
@RandomShaper RandomShaper mentioned this issue Dec 11, 2019
Closed
@akien-mga akien-mga added this to the 3.2 milestone Jan 2, 2020
@akien-mga
Copy link
Member

Fixed by #34618.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug topic:rendering
Projects
None yet
Milestone
3.2
Development

No branches or pull requests
4 participants
@Zylann @KoBeWi @akien-mga @qarmin