Port str_comp_filenames from ddnet to fix buffer overflow #3219
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Fixes a bug caught by clang tooling.
Running for example ``str_comp_filenames("historic_maps/cb_cp/ChillBlock5", "historic_maps/cb_cp/ChillBlock5");``
causes the following error:
```
=================================================================
==108107==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffe71e6aa00 at pc 0x55be3668c69c bp 0x7ffe71e6a780 sp 0x7ffe71e6a778
READ of size 1 at 0x7ffe71e6aa00 thread T0
#0 0x55be3668c69b in str_comp_filenames /home/chiller/Desktop/git/teeworlds/src/base/system.c:2369:14
#1 0x55be363a0f2f in CServer::CMapListEntry::operator<(CServer::CMapListEntry const&) const /home/chiller/Desktop/git/teeworlds/src/engine/server/server.h:184:61
teeworlds#2 0x55be3639f4e7 in plain_range_sorted<CServer::CMapListEntry> partition_binary<plain_range_sorted<CServer::CMapListEntry>, CServer::CMapListEntry>(plain_range_sorted<CServer::CMapListEntry>, CServer::CMapListEntry) /home/chiller/Desktop/git/teeworlds/src/base/tl/algorithm.h:51:25
teeworlds#3 0x55be3639a9f1 in sorted_array<CServer::CMapListEntry, allocator_default<CServer::CMapListEntry> >::add(CServer::CMapListEntry const&) /home/chiller/Desktop/git/teeworlds/src/base/tl/sorted_array.h:23:31
teeworlds#4 0x55be3637d7d1 in CServer::MapListEntryCallback(char const*, int, int, void*) /home/chiller/Desktop/git/teeworlds/src/engine/server/server.cpp:1504:17
teeworlds#5 0x55be36682aba in fs_listdir /home/chiller/Desktop/git/teeworlds/src/base/system.c:1583:6
teeworlds#6 0x55be36649f3f in CStorage::ListDirectory(int, char const*, int (*)(char const*, int, int, void*), void*) /home/chiller/Desktop/git/teeworlds/src/engine/shared/storage.cpp:299:5
teeworlds#7 0x55be3637d15a in CServer::MapListEntryCallback(char const*, int, int, void*) /home/chiller/Desktop/git/teeworlds/src/engine/server/server.cpp:1492:22
teeworlds#8 0x55be36682aba in fs_listdir /home/chiller/Desktop/git/teeworlds/src/base/system.c:1583:6
teeworlds#9 0x55be36649f3f in CStorage::ListDirectory(int, char const*, int (*)(char const*, int, int, void*), void*) /home/chiller/Desktop/git/teeworlds/src/engine/shared/storage.cpp:299:5
teeworlds#10 0x55be3637d15a in CServer::MapListEntryCallback(char const*, int, int, void*) /home/chiller/Desktop/git/teeworlds/src/engine/server/server.cpp:1492:22
teeworlds#11 0x55be36682aba in fs_listdir /home/chiller/Desktop/git/teeworlds/src/base/system.c:1583:6
teeworlds#12 0x55be36649f3f in CStorage::ListDirectory(int, char const*, int (*)(char const*, int, int, void*), void*) /home/chiller/Desktop/git/teeworlds/src/engine/shared/storage.cpp:299:5
teeworlds#13 0x55be3637c031 in CServer::InitMapList() /home/chiller/Desktop/git/teeworlds/src/engine/server/server.cpp:1523:14
teeworlds#14 0x55be36373bb0 in CServer::Run() /home/chiller/Desktop/git/teeworlds/src/engine/server/server.cpp:1281:2
teeworlds#15 0x55be3638e83b in main /home/chiller/Desktop/git/teeworlds/src/engine/server/server.cpp:1909:21
teeworlds#16 0x7fec6e2461c9 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
teeworlds#17 0x7fec6e246284 in __libc_start_main csu/../csu/libc-start.c:360:3
teeworlds#18 0x55be36279aa0 in _start (/home/chiller/Desktop/git/teeworlds/build/teeworlds_srv+0x1dfaa0) (BuildId: 9b8cae111ee49e0bd87b22dbd9f66cf8ddfb1d52)
Address 0x7ffe71e6aa00 is located in stack of thread T0 at offset 64 in frame
#0 0x55be3639f0ff in plain_range_sorted<CServer::CMapListEntry> partition_binary<plain_range_sorted<CServer::CMapListEntry>, CServer::CMapListEntry>(plain_range_sorted<CServer::CMapListEntry>, CServer::CMapListEntry) /home/chiller/Desktop/git/teeworlds/src/base/tl/algorithm.h:36
This frame has 5 object(s):
[32, 64) 'value.byval' <== Memory access at offset 64 overflows this variable
[96, 112) 'retval'
[128, 144) 'range'
[160, 176) 'ref.tmp' (line 52)
[192, 208) 'ref.tmp20' (line 54)
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
(longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow /home/chiller/Desktop/git/teeworlds/src/base/system.c:2369:14 in str_comp_filenames
Shadow bytes around the buggy address:
0x10004e3c54f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10004e3c5500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10004e3c5510: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10004e3c5520: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10004e3c5530: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 00 00 00
=>0x10004e3c5540:[f2]f2 f2 f2 00 00 f2 f2 00 00 f2 f2 f8 f8 f2 f2
0x10004e3c5550: f8 f8 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
0x10004e3c5560: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10004e3c5570: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10004e3c5580: 00 00 00 00 f1 f1 f1 f1 00 00 f2 f2 00 00 f2 f2
0x10004e3c5590: 00 00 f2 f2 00 00 00 00 f3 f3 f3 f3 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==108107==ABORTING
```
ChillerDragon
force-pushed
the
pr_ddnet_str_comp_filenames
branch
from
4589c3d
to
3f5016d
Compare
github-merge-queue bot
pushed a commit
to teeworlds-community/teeworlds
that referenced
this pull request
Feb 23, 2024
Port str_comp_filenames from ddnet to fix buffer overflow teeworlds#3219
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Fixes a bug caught by clang tooling.
Running for example
str_comp_filenames("historic_maps/cb_cp/ChillBlock5", "historic_maps/cb_cp/ChillBlock5");causes the following error: