- --
Viewing Issue Advanced Details
| ID | Category [?] | Severity [?] | Reproducibility | Date Submitted | Last Update |
|---|---|---|---|---|---|
| 05665 | Misc. | Critical (emulator) | Always | Aug 11, 2014, 14:14 | Nov 5, 2022, 09:17 |
| Tester | Firewave | View Status | Public | Platform | MAME (Self-compiled) |
| Assigned To | Resolution | Fixed | OS | Linux | |
| Status [?] | Resolved | Driver | |||
| Version | 0.154 | Fixed in Version | Build | Debug | |
| Fixed in Git Commit | Github Pull Request # | ||||
| Summary | 05665: m4blsbys__ad, and others: AddressSanitizer: heap-use-after-free | ||||
| Description |
==30092==ERROR: AddressSanitizer: global-buffer-overflow on address 0x00000f0e71b0 at pc 0x00000175021c bp 0x7fff29748610 sp 0x7fff29748608
READ of size 1 at 0x00000f0e71b0 thread T0
#0 0x175021b in mpu4_state::characteriser_w(address_space&, unsigned int, unsigned char, unsigned char) /home/notroot/trunk/src/mame/drivers/mpu4hw.c:1908:11
#1 0x8180689 in delegate_base<void, address_space&, unsigned int, unsigned char, unsigned char, _noparam, _noparam, _noparam, _noparam, _noparam, _noparam, _noparam, _noparam>::operator()(address_space&, unsigned int, unsigned char, unsigned char) const /home/notroot/trunk/src/lib/util/delegate.h:653:88
#2 0x8180689 in handler_entry_write::write8(address_space&, unsigned int, unsigned char, unsigned char) const /home/notroot/trunk/src/emu/memory.c:420
#3 0x8180689 in address_space_specific<unsigned char, (endianness_t)1, false>::write_native(unsigned int, unsigned char) /home/notroot/trunk/src/emu/memory.c:1141
#4 0x817f888 in address_space_specific<unsigned char, (endianness_t)1, false>::write_byte(unsigned int, unsigned char) /home/notroot/trunk/src/emu/memory.c:1426:70
#5 0x660c537 in m6809_base_device::write_memory(unsigned short, unsigned char) /home/notroot/trunk/src/emu/cpu/m6809/m6809.h:155:76
#6 0x660c537 in m6809_base_device::write_operand(unsigned char) /home/notroot/trunk/src/emu/cpu/m6809/m6809inl.h:103
#7 0x660c537 in m6809_base_device::execute_one() /home/notroot/trunk/obj/sdl64d/emu/cpu/m6809/m6809.inc:807
#8 0x660c537 in m6809_base_device::execute_run() /home/notroot/trunk/src/emu/cpu/m6809/m6809.c:536
#9 0x662826f in non-virtual thunk to m6809_base_device::execute_run() /home/notroot/trunk/src/emu/cpu/m6809/m6809.c:538:1
#10 0x81f345a in device_execute_interface::run() /home/notroot/trunk/src/emu/diexec.h:191:15
#11 0x81f345a in device_scheduler::timeslice() /home/notroot/trunk/src/emu/schedule.c:476
#12 0x8112c98 in running_machine::run(bool) /home/notroot/trunk/src/emu/machine.c:391:5
#13 0x810b03a in machine_manager::execute() /home/notroot/trunk/src/emu/mame.c:216:11
#14 0x7f3df3e in cli_frontend::execute(int, char**) /home/notroot/trunk/src/emu/clifront.c:244:15
#15 0x576f669 in main /home/notroot/trunk/src/osd/sdl/sdlmain.c:345:9
#16 0x7f130d7b8ec4 in __libc_start_main /build/buildd/eglibc-2.19/csu/libc-start.c:287
#17 0x11479ac in _start (/home/notroot/trunk/mame64d+0x11479ac)
0x00000f0e71b0 is located 0 bytes to the right of global variable 'blsbys_data' defined in 'src/mame/drivers/mpu4hw.c:2264:23' (0xf0e71a0) of size 16
SUMMARY: AddressSanitizer: global-buffer-overflow /home/notroot/trunk/src/mame/drivers/mpu4hw.c:1908 mpu4_state::characteriser_w(address_space&, unsigned int, unsigned char, unsigned char)
Shadow bytes around the buggy address:
0x000081e14de0: 00 00 00 00 00 00 f9 f9 f9 f9 f9 f9 00 00 00 00
0x000081e14df0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f9 f9
0x000081e14e00: f9 f9 f9 f9 00 00 00 00 00 00 00 00 00 00 00 00
0x000081e14e10: 00 00 00 00 00 00 f9 f9 f9 f9 f9 f9 00 00 00 00
0x000081e14e20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f9 f9
=>0x000081e14e30: f9 f9 f9 f9 00 00[f9]f9 f9 f9 f9 f9 00 00 00 00
0x000081e14e40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x000081e14e50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x000081e14e60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x000081e14e70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x000081e14e80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
ASan internal: fe
Other sets are also affected. |
||||
| Steps To Reproduce | |||||
| Additional Information | |||||
| Github Commit | |||||
| Flags | |||||
| Regression Version | |||||
| Affected Sets / Systems | m4blsbys__ad, and others | ||||
|
Attached Files
|
|||||
Relationships
| There are no relationship linked to this issue. |
Notes
3
 No.11343
Firewave Senior Tester
Jan 3, 2015, 12:08
|
Changed the description to contain a proper stack trace. |
|---|---|
|
No.11344
Firewave Senior Tester
Jan 3, 2015, 12:14
|
The problem is, that it checks "m_current_chr_table" up to index 63, but in this case it uses "blsbys_data", which has only a size of 8. |
|
No.20739
Firewave Senior Tester
Nov 5, 2022, 09:17
|
This set is marked MNW. No ASAN error reported with 0.249 on Linux. |