Viewing Issue Advanced Details
ID | Category | Severity | Reproducibility | Date Submitted | Last Update |
---|---|---|---|---|---|
05822 | Misc. | Critical (emulator) | Always | Jan 3, 2015, 12:18 | Nov 5, 2022, 09:16 |
Tester | Firewave | View Status | Public | Platform | MAME (Self-compiled) |
Assigned To | | Resolution | Fixed | OS | Linux |
Status | Resolved | Driver | | | |
Version | 0.157 | Fixed in Version | | Build | Debug |
Fixed in Git Commit | | Github Pull Request # | | | |
Summary | 05822: ecap: AddressSanitizer: heap-buffer-overflow | ||||
Description |
==16297==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7efef710d7fe at pc 0x0000073745e9 bp 0x7fff2a8dbf30 sp 0x7fff2a8dbf28
READ of size 2 at 0x7efef710d7fe thread T0
    #0 0x73745e8 in SCSPDSP_Step(SCSPDSP*) /home/notroot/trunk/src/emu/sound/scspdsp.c:301:6
    #1 0x736b9f8 in scsp_device::DoMasterSamples(int) /home/notroot/trunk/src/emu/sound/scsp.c:1266:3
    #2 0x736bcf2 in scsp_device::sound_stream_update(sound_stream&, int**, int**, int) /home/notroot/trunk/src/emu/sound/scsp.c:222:2
    #3 0x736bcf2 in non-virtual thunk to scsp_device::sound_stream_update(sound_stream&, int**, int**, int) /home/notroot/trunk/src/emu/sound/scsp.c:223
    #4 0x82146c0 in delegate_base<void, sound_stream&, int**, int**, int, _noparam, _noparam, _noparam, _noparam, _noparam, _noparam, _noparam, _noparam>::operator()(sound_stream&, int**, int**, int) const /home/notroot/trunk/src/lib/util/delegate.h:653:88
    #5 0x82146c0 in sound_stream::generate_samples(int) /home/notroot/trunk/src/emu/sound.c:622
    #6 0x82140a6 in sound_stream::update() /home/notroot/trunk/src/emu/sound.c:287:2
    #7 0x82143be in sound_stream::generate_samples(int) /home/notroot/trunk/src/emu/sound.c:607:4
    #8 0x82140a6 in sound_stream::update() /home/notroot/trunk/src/emu/sound.c:287:2
    #9 0x82147c7 in sound_stream::output_since_last_update(int, int&) /home/notroot/trunk/src/emu/sound.c:313:2
    #10 0x821cf90 in speaker_device::mix(int*, int*, int&, bool) /home/notroot/trunk/src/emu/speaker.c:102:38
    #11 0x8218b93 in sound_manager::update(void*, int) /home/notroot/trunk/src/emu/sound.c:1025:3
    #12 0x81f7f70 in delegate_base<void, void*, int, _noparam, _noparam, _noparam, _noparam, _noparam, _noparam, _noparam, _noparam, _noparam, _noparam>::operator()(void*, int) const /home/notroot/trunk/src/lib/util/delegate.h:651:64
    #13 0x81f7f70 in device_scheduler::execute_timers() /home/notroot/trunk/src/emu/schedule.c:907
    #14 0x81f3a2b in device_scheduler::timeslice() /home/notroot/trunk/src/emu/schedule.c:517:2
    #15 0x8112c98 in running_machine::run(bool) /home/notroot/trunk/src/emu/machine.c:391:5
    #16 0x810b03a in machine_manager::execute() /home/notroot/trunk/src/emu/mame.c:216:11
    #17 0x7f3df3e in cli_frontend::execute(int, char**) /home/notroot/trunk/src/emu/clifront.c:244:15
    #18 0x576f669 in main /home/notroot/trunk/src/osd/sdl/sdlmain.c:345:9
    #19 0x7efefc741ec4 in __libc_start_main /build/buildd/eglibc-2.19/csu/libc-start.c:287
    #20 0x11479ac in _start (/home/notroot/trunk/mame64d+0x11479ac)

0x7efef710d7fe is located 2 bytes to the left of 131072-byte region [0x7efef710d800,0x7efef712d800)
allocated by thread T0 here:
    #0 0x112a33b in __interceptor_malloc /home/ben/development/llvm/3.5/final/llvm.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:40:3
    #1 0x89746a8 in osd_malloc_array(unsigned long) /home/notroot/trunk/src/osd/sdl/sdlos_unix.c:108:9
    #2 0x84d703a in malloc_file_line(unsigned long, char const*, int, bool, bool, bool) /home/notroot/trunk/src/lib/util/corealloc.c:112:25
    #3 0x814f2e3 in operator new[](unsigned long, char const*, int) /home/notroot/trunk/src/lib/util/corealloc.h:72:125
    #4 0x814f2e3 in dynamic_array<unsigned char>::expand_internal(int) /home/notroot/trunk/src/lib/util/coretmpl.h:115
    #5 0x814f2e3 in dynamic_array<unsigned char>::dynamic_array(int, int) /home/notroot/trunk/src/lib/util/coretmpl.h:77
    #6 0x814f2e3 in memory_region::memory_region(running_machine&, char const*, unsigned int, unsigned char, endianness_t) /home/notroot/trunk/src/emu/memory.c:4137
    #7 0x81288bb in memory_manager::region_alloc(char const*, unsigned int, unsigned char, endianness_t) /home/notroot/trunk/src/emu/memory.c:1610:10
    #8 0x81e6b8f in process_region_list(romload_private*) /home/notroot/trunk/src/emu/romload.c:1426:23
    #9 0x81e6b8f in rom_init(running_machine&) /home/notroot/trunk/src/emu/romload.c:1503
    #10 0x810f17d in running_machine::start() /home/notroot/trunk/src/emu/machine.c:249:2
    #11 0x81129cc in running_machine::run(bool) /home/notroot/trunk/src/emu/machine.c:345:3
    #12 0x810b03a in machine_manager::execute() /home/notroot/trunk/src/emu/mame.c:216:11
    #13 0x7f3df3e in cli_frontend::execute(int, char**) /home/notroot/trunk/src/emu/clifront.c:244:15
    #14 0x576f669 in main /home/notroot/trunk/src/osd/sdl/sdlmain.c:345:9
    #15 0x7efefc741ec4 in __libc_start_main /build/buildd/eglibc-2.19/csu/libc-start.c:287

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/notroot/trunk/src/emu/sound/scspdsp.c:301 SCSPDSP_Step(SCSPDSP*)
Steps To Reproduce | |||||
Additional Information | |||||
Github Commit | |||||
Flags | |||||
Regression Version | |||||
Affected Sets / Systems | ecap | ||||
Relationships
There are no relationships linked to this issue.
Notes
1
No.20738
Firewave Senior Tester
Nov 5, 2022, 09:16
This set is marked MNW. No ASAN error reported with 0.249 on Linux.