| author | Vito Caputo <vcaputo@pengaru.com> | 2022-06-09 07:38:39 -0700 | 
|---|---|---|
| committer | Vito Caputo <vcaputo@pengaru.com> | 2022-06-10 20:59:03 -0700 | 
| commit | 923aa25cfac8bfcb9e2a8f56398fa8fa7a6c8cc7 (patch) | |
| tree | 5dfc70e6faf2896ad460d494b4e859ba0f32f91a /m4 | |
| parent | d944160f1d6a25710b298442972a8562ffc62942 (diff) | |
modules/pixbounce: use til_fb_put_pixel_checked()
While testing a checkers change that fills cells using other
modules, ASAN kept tripping on pixbounce:
==147817==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7fc78a31c10c at pc 0x55b30cd406e2 bp 0x7fc790afd0d0 sp 0x7fc790afd0c8
WRITE of size 4 at 0x7fc78a31c10c thread T2
    #0 0x55b30cd406e1 in til_fb_fragment_put_pixel_unchecked pixbounce.c
    #1 0x55b30cd3f8ae in pixbounce_render_fragment pixbounce.c
    #2 0x55b30cd1dffb in module_render_fragment til.c
    #3 0x55b30cd1d989 in til_module_render (/home/foo/src/rototiller/build/src/rototiller+0x134989)
    #4 0x55b30cd22534 in checkers_render_fragment checkers.c
    #5 0x55b30cd14681 in thread_func til_threads.c
    #6 0x7fc792b3d5c1 in start_thread pthread_create.c
    #7 0x7fc792bc2583 in __clone (/usr/lib/libc.so.6+0x112583)
0x7fc78a31c10c is located 2276 bytes to the right of 1228840-byte region [0x7fc78a1ef800,0x7fc78a31b828)
allocated by thread T0 here:
    #0 0x55b30cccf219 in __interceptor_malloc (/home/foo/src/rototiller/build/src/rototiller+0xe6219)
    #1 0x7fc792d0e528  (/usr/lib/libSDL2-2.0.so.0+0x39528)
Thread T2 created by T0 here:
    #0 0x55b30cc3cfa8 in pthread_create (/home/foo/src/rototiller/build/src/rototiller+0x53fa8)
    #1 0x55b30cd13fff in til_threads_create (/home/foo/src/rototiller/build/src/rototiller+0x12afff)
    #2 0x55b30cd1d573 in til_init (/home/foo/src/rototiller/build/src/rototiller+0x134573)
    #3 0x55b30cd08f6c in main (/home/foo/src/rototiller/build/src/rototiller+0x11ff6c)
    #4 0x7fc792add30f in __libc_start_call_main libc-start.c
SUMMARY: AddressSanitizer: heap-buffer-overflow pixbounce.c in til_fb_fragment_put_pixel_unchecked
Shadow bytes around the buggy address:
  0x0ff97145b7d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0ff97145b7e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0ff97145b7f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0ff97145b800: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0ff97145b810: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0ff97145b820: fa[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0ff97145b830: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0ff97145b840: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0ff97145b850: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0ff97145b860: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0ff97145b870: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==147817==ABORTING
---
Rather than spend time digging into pixbounce's arithmetic, just
using the checked variant for now.
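To make the difference between the two pixel putters concrete, here is an added example, not rototiller's code, of the pattern the commit switches to. The fragment struct, the function names and the geometry are simplified assumptions modeled loosely on the names in the ASAN trace above (`put_pixel_unchecked`, `put_pixel_checked`, `fragment_t`, `draw_square_checked`, `run_demo` are all hypothetical). It shows how a checked accessor turns a heap overflow from a module's off-by-some arithmetic into a dropped pixel that the caller can count:

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-in for a framebuffer fragment: a rectangular window
 * (x, y, width, height) into a larger page buffer with `pitch` pixels per
 * row.  Not rototiller's real struct. */
typedef struct fragment_t {
	uint32_t	*buf;		/* points at the fragment's top-left pixel */
	unsigned	x, y;		/* fragment origin within the page */
	unsigned	width, height;
	unsigned	pitch;		/* row stride in pixels, may exceed width */
} fragment_t;

/* Unchecked: trusts the caller's (x, y).  Any coordinate outside the
 * fragment indexes outside its allocation; an x below f->x even wraps the
 * unsigned subtraction into a huge offset.  This is the class of write
 * ASAN reported as a heap-buffer-overflow. */
static inline void put_pixel_unchecked(fragment_t *f, unsigned x, unsigned y, uint32_t pixel)
{
	f->buf[(y - f->y) * f->pitch + (x - f->x)] = pixel;
}

static inline int fragment_contains(const fragment_t *f, unsigned x, unsigned y)
{
	return x >= f->x && x < f->x + f->width &&
	       y >= f->y && y < f->y + f->height;
}

/* Checked: same store, but refuses coordinates outside the fragment and
 * reports that to the caller instead of corrupting neighbouring memory. */
static inline int put_pixel_checked(fragment_t *f, unsigned x, unsigned y, uint32_t pixel)
{
	if (!fragment_contains(f, x, y))
		return 0;

	put_pixel_unchecked(f, x, y, pixel);

	return 1;
}

/* Draw an n x n square at (sx, sy) with the checked putter; returns how
 * many of its pixels fell outside the fragment and were dropped. */
static unsigned draw_square_checked(fragment_t *f, unsigned sx, unsigned sy, unsigned n, uint32_t color)
{
	unsigned dropped = 0;

	for (unsigned dy = 0; dy < n; dy++)
		for (unsigned dx = 0; dx < n; dx++)
			if (!put_pixel_checked(f, sx + dx, sy + dy, color))
				dropped++;

	return dropped;
}

/* Constructed scenario: an 8x8 fragment at (8, 8) inside a 32x32 page,
 * with a 3x3 square drawn at (14, 14) so it overhangs the fragment's right
 * and bottom edges.  Returns the dropped-pixel count and, via *set_out,
 * how many page pixels were actually written. */
static unsigned run_demo(unsigned *set_out)
{
	enum { PAGE = 32 };
	uint32_t	*page = calloc(PAGE * PAGE, sizeof(*page));
	fragment_t	frag = {
		.buf = page + 8 * PAGE + 8,
		.x = 8, .y = 8, .width = 8, .height = 8,
		.pitch = PAGE,
	};
	unsigned	dropped, set = 0;

	if (!page)
		return 0;

	dropped = draw_square_checked(&frag, 14, 14, 3, 0xffffffffu);

	for (unsigned i = 0; i < PAGE * PAGE; i++)
		set += page[i] != 0;

	if (set_out)
		*set_out = set;

	free(page);

	return dropped;
}

static unsigned demo_dropped(void) { return run_demo(NULL); }
static unsigned demo_set(void) { unsigned set = 0; run_demo(&set); return set; }

int main(void)
{
	unsigned set = 0, dropped = run_demo(&set);

	printf("pixels set: %u, pixels dropped at fragment edge: %u\n", set, dropped);

	return 0;
}
```

Of the square's nine pixels, five land outside the 8x8 window and are dropped, four are stored, and nothing outside the fragment is touched. The unchecked path would have stored all nine, the last three of them past the fragment's bottom row, which in the real framebuffer means into whatever the allocator placed after the page.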
Diffstat (limited to 'm4')
0 files changed, 0 insertions, 0 deletions
