Viewing Issue Advanced Details
ID: 06835
Category: Misc.
Severity: Critical (emulator)
Reproducibility: Always
Date Submitted: Jan 8, 2018, 09:49
Last Update: Nov 5, 2022, 09:01
Tester: Firewave
View Status: Public
Resolution: Open
Status: Acknowledged
Version: 0.193
Summary: MESS-specific 06835: megadriv, megadrij: AddressSanitizer: heap-buffer-overflow with -cart starodys
Description
==112120==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62900072c200 at pc 0x000009e3e96a bp 0x7ffc1ac48190 sp 0x7ffc1ac48188
WRITE of size 2 at 0x62900072c200 thread T0
    #0 0x9e3e969 in write /mnt/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/devices/bus/megadrive/rom.cpp:1500:28
    #1 0x9e3e969 in non-virtual thunk to md_rom_starodys_device::write(address_space&, unsigned int, unsigned short, unsigned short) /mnt/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/devices/bus/megadrive/rom.cpp
    #2 0x9e26b43 in base_md_cart_slot_device::write(address_space&, unsigned int, unsigned short, unsigned short) /mnt/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/devices/bus/megadrive/md_slot.cpp:965:11
    #3 0xe2c0a3d in operator() /mnt/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/lib/util/delegate.h:544:11
    #4 0xe2c0a3d in write16 /mnt/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/emu/emumem.cpp:469
    #5 0xe2c0a3d in write_native /mnt/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/emu/emumem.cpp:1172
    #6 0xe2c0a3d in write_direct<unsigned short, true> /mnt/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/emu/emumem.cpp:1337
    #7 0xe2c0a3d in address_space_specific<unsigned short, (endianness_t)1, 0, true>::write_word(unsigned int, unsigned short, unsigned short) /mnt/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/emu/emumem.cpp:1479
    #8 0xb13d51d in m68000_base_device::m68000_write_byte(unsigned int, unsigned char) /mnt/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/devices/cpu/m68000/m68kcpu.cpp:1249:11
    #9 0xb2f92e9 in operator() /mnt/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/lib/util/delegate.h:544:11
    #10 0xb2f92e9 in m68ki_write_8_fc /mnt/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/devices/cpu/m68000/m68kcpu.h:681
    #11 0xb2f92e9 in m68ki_write_8 /mnt/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/devices/cpu/m68000/m68kcpu.h:428
    #12 0xb2f92e9 in m68000_base_device::m68k_op_move_8_ai_d() /mnt/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/devices/cpu/m68000/m68kops.cpp:16153
    #13 0xb1332d1 in m68000_base_device::execute_run() /mnt/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/devices/cpu/m68000/m68kcpu.cpp:806:5
    #14 0xb13582f in non-virtual thunk to m68000_base_device::execute_run() /mnt/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/devices/cpu/m68000/m68kcpu.cpp
    #15 0xe78e272 in run /mnt/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/emu/diexec.h:188:15
    #16 0xe78e272 in device_scheduler::timeslice() /mnt/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/emu/schedule.cpp:481
    #17 0xe6a324b in running_machine::run(bool) /mnt/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/emu/machine.cpp:357:17
    #18 0x8cd10e0 in mame_machine_manager::execute() /mnt/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/frontend/mame/mame.cpp:236:19
    #19 0x8e1e0d3 in cli_frontend::start_execution(mame_machine_manager*, std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > const&) /mnt/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/frontend/mame/clifront.cpp:257:22
    #20 0x8e20ee0 in cli_frontend::execute(std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > >&) /mnt/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/frontend/mame/clifront.cpp:273:3
    #21 0x8cd3717 in emulator_info::start_frontend(emu_options&, osd_interface&, std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > >&) /mnt/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/frontend/mame/mame.cpp:336:18
    #22 0x8acddf2 in main /mnt/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/osd/sdl/sdlmain.cpp:216:9
    #23 0x7f780e82d82f in __libc_start_main /build/glibc-bfm8X4/glibc-2.23/csu/../csu/libc-start.c:291
    #24 0x1431838 in _start (/mnt/mame/mame64_as+0x1431838)

Address 0x62900072c200 is a wild pointer.
SUMMARY: AddressSanitizer: heap-buffer-overflow /mnt/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/devices/bus/megadrive/rom.cpp:1500:28 in write
Affected Sets / Systems: megadriv, megadrij
Notes (2)

No.14641 Firewave (Senior Tester), Jan 9, 2018, 22:01
m_nvram has a size of 0x2000 and the code tries to access it at 0x3000.

This asserts in a Visual Studio debug build.
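As an added illustration of the note above (not MAME's own code), a hypothetical C write handler models an NVRAM buffer of 0x2000 entries and rejects an offset of 0x3000 instead of indexing past the end; the names cart_t, nvram_write and overflow_bytes are assumptions, and the buffer unit is assumed to be 16-bit words to match the 2-byte write in the report.

```c
/* Hypothetical cartridge NVRAM model (assumption: not MAME's code). The
 * buffer has 0x2000 entries, as the note states, and writes are range-checked. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define NVRAM_WORDS 0x2000u   /* size from the note; 16-bit words assumed */

typedef struct {
    uint16_t *nvram;
    size_t    nvram_words;
    unsigned  rejected;       /* out-of-range writes seen, for diagnostics */
} cart_t;

/* Allocate the NVRAM exactly as large as the note describes. */
static int cart_init(cart_t *c)
{
    c->nvram = calloc(NVRAM_WORDS, sizeof(uint16_t));
    c->nvram_words = NVRAM_WORDS;
    c->rejected = 0;
    return c->nvram != NULL;
}

static void cart_free(cart_t *c) { free(c->nvram); c->nvram = NULL; }

/* Bounds-checked write: returns 1 if stored, 0 if the offset was out of range.
 * The unchecked form, c->nvram[offset] = data, is what ASan flagged once
 * offset reached 0x3000 on a 0x2000-entry buffer. */
static int nvram_write(cart_t *c, uint32_t offset, uint16_t data)
{
    if (offset >= c->nvram_words) {
        c->rejected++;        /* an emulator would log the stray write here */
        return 0;
    }
    c->nvram[offset] = data;
    return 1;
}

/* Bytes from the end of the buffer to the start of the write; 0 when in range. */
static size_t overflow_bytes(const cart_t *c, uint32_t offset)
{
    return offset < c->nvram_words ? 0 : (size_t)(offset - c->nvram_words) * sizeof(uint16_t);
}

int main(void)
{
    cart_t c;
    if (!cart_init(&c)) return 1;
    nvram_write(&c, 0x1fff, 0x1234);  /* last valid entry */
    nvram_write(&c, 0x3000, 0x5678);  /* the offset from the note: rejected */
    printf("rejected=%u, start of write %#zx bytes past end\n", c.rejected, overflow_bytes(&c, 0x3000));
    cart_free(&c);
    return 0;
}
```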
No.20731 Firewave (Senior Tester), Nov 5, 2022, 09:01
0.249 on Linux reports:
==1469==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6290007ae200 at pc 0x7f2896842383 bp 0x7ffff87a5aa0 sp 0x7ffff87a5a98
WRITE of size 2 at 0x6290007ae200 thread T0
    #0 0x7f2896842382 in md_rom_starodys_device::write(unsigned int, unsigned short, unsigned short) /mnt/s/GitHub/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/devices/bus/megadrive/rom.cpp:1574:28
    #1 0x7f2896842501 in non-virtual thunk to md_rom_starodys_device::write(unsigned int, unsigned short, unsigned short) /mnt/s/GitHub/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/devices/bus/megadrive/rom.cpp
    #2 0x7f289681961d in base_md_cart_slot_device::write(unsigned int, unsigned short, unsigned short) /mnt/s/GitHub/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/devices/bus/megadrive/md_slot.cpp:964:11
    #3 0x7f28a3f235e2 in operator() /mnt/s/GitHub/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/lib/util/delegate.h:765:11
    #4 0x7f28a3f235e2 in std::enable_if<(((std::is_same<emu::device_delegate<void (unsigned int, unsigned short, unsigned short)>, emu::device_delegate<void (unsigned int, unsigned char, unsigned char)> >::value) || (std::is_same<emu::device_delegate<void (unsigned int, unsigned short, unsigned short)>, emu::device_delegate<void (unsigned int, unsigned short, unsigned short)> >::value)) || (std::is_same<emu::device_delegate<void (unsigned int, unsigned short, unsigned short)>, emu::device_delegate<void (unsigned int, unsigned int, unsigned int)> >::value)) || (std::is_same<emu::device_delegate<void (unsigned int, unsigned short, unsigned short)>, emu::device_delegate<void (unsigned int, unsigned long, unsigned long)> >::value), void>::type handler_entry_write_delegate<1, 0, emu::device_delegate<void (unsigned int, unsigned short, unsigned short)> >::write_impl<emu::device_delegate<void (unsigned int, unsigned short, unsigned short)> >(unsigned int, unsigned short, unsigned short) const /mnt/s/GitHub/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/emu/emumem_hedp.cpp:115:2
    #5 0x7f28a3f23458 in handler_entry_write_delegate<1, 0, emu::device_delegate<void (unsigned int, unsigned short, unsigned short)> >::write(unsigned int, unsigned short, unsigned short) const /mnt/s/GitHub/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/emu/emumem_hedp.cpp:150:2
    #6 0x7f289925026b in void dispatch_write<1, 1, 0>(unsigned int, unsigned int, emu::detail::handler_entry_size<1>::uX, emu::detail::handler_entry_size<1>::uX, handler_entry_write<1, 0> const* const*) /mnt/s/GitHub/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/emu/emumem.h:1577:47
    #7 0x7f289adc8ad7 in write_native /mnt/s/GitHub/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/emu/emumem.h:1741:3
    #8 0x7f289adc8ad7 in operator() /mnt/s/GitHub/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/emu/emumem.h:1639:90
    #9 0x7f289adc8ad7 in void memory_write_generic<1, 0, (util::endianness)1, 1, true, emu::detail::memory_access_specific<1, 1, 0, (util::endianness)1>::wop()::'lambda'(unsigned int, unsigned short, unsigned short)>(emu::detail::memory_access_specific<1, 1, 0, (util::endianness)1>::wop()::'lambda'(unsigned int, unsigned short, unsigned short), unsigned int, emu::detail::handler_entry_size<1>::uX, emu::detail::handler_entry_size<1>::uX) /mnt/s/GitHub/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/emu/emumem.h:921:10
    #10 0x7f289ada51d1 in write_word /mnt/s/GitHub/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/emu/emumem.h:1659:56
    #11 0x7f289ada51d1 in operator() /mnt/s/GitHub/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/devices/cpu/m68000/m68kcpu.cpp:1352:61
    #12 0x7f289ada51d1 in __invoke_impl<void, (lambda at ../../../../../src/devices/cpu/m68000/m68kcpu.cpp:1352:14) &, unsigned int, unsigned char> /usr/bin/../lib/gcc/x86_64-linux-gnu/12/../../../../include/c++/12/bits/invoke.h:61:14
    #13 0x7f289ada51d1 in __invoke_r<void, (lambda at ../../../../../src/devices/cpu/m68000/m68kcpu.cpp:1352:14) &, unsigned int, unsigned char> /usr/bin/../lib/gcc/x86_64-linux-gnu/12/../../../../include/c++/12/bits/invoke.h:111:2
    #14 0x7f289ada51d1 in std::_Function_handler<void (unsigned int, unsigned char), m68000_base_device::init16(address_space&, address_space&)::$_11>::_M_invoke(std::_Any_data const&, unsigned int&&, unsigned char&&) /usr/bin/../lib/gcc/x86_64-linux-gnu/12/../../../../include/c++/12/bits/std_function.h:290:9
    #15 0x7f289b01db39 in std::function<void (unsigned int, unsigned char)>::operator()(unsigned int, unsigned char) const /usr/bin/../lib/gcc/x86_64-linux-gnu/12/../../../../include/c++/12/bits/std_function.h:591:9
    #16 0x7f289b019655 in m68000_base_device::m68ki_write_8_fc(unsigned int, unsigned int, unsigned int) /mnt/s/GitHub/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/devices/cpu/m68000/m68kcpu.h:689:2
    #17 0x7f289b011b4d in m68000_base_device::m68ki_write_8(unsigned int, unsigned int) /mnt/s/GitHub/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/devices/cpu/m68000/m68kcpu.h:432:58
    #18 0x7f289aed6b42 in m68000_base_device::x1080_move_b_071234fc() /mnt/s/GitHub/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/devices/cpu/m68000/m68kops.cpp:14917:2
    #19 0x7f289ad7e803 in m68000_base_device::execute_run() /mnt/s/GitHub/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/devices/cpu/m68000/m68kcpu.cpp:909:5
    #20 0x7f289ad8085f in non-virtual thunk to m68000_base_device::execute_run() /mnt/s/GitHub/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/devices/cpu/m68000/m68kcpu.cpp
    #21 0x7f28a97145b7 in run /mnt/s/GitHub/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/emu/diexec.h:190:15
    #22 0x7f28a97145b7 in device_scheduler::timeslice() /mnt/s/GitHub/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/emu/schedule.cpp:456:14
    #23 0x7f28a95b2067 in running_machine::run(bool) /mnt/s/GitHub/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/emu/machine.cpp:329:17
    #24 0x7f28a16c1caf in mame_machine_manager::execute() /mnt/s/GitHub/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/frontend/mame/mame.cpp:290:19
    #25 0x7f28a2a79026 in cli_frontend::start_execution(mame_machine_manager*, std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > const&) /mnt/s/GitHub/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/frontend/mame/clifront.cpp:275:22
    #26 0x7f28a2a7cb6f in cli_frontend::execute(std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > >&) /mnt/s/GitHub/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/frontend/mame/clifront.cpp:291:3
    #27 0x7f28a16c6a8f in emulator_info::start_frontend(emu_options&, osd_interface&, std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > >&) /mnt/s/GitHub/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/frontend/mame/mame.cpp:454:18
    #28 0x7f28a98a80fb in main /mnt/s/GitHub/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/osd/sdl/sdlmain.cpp:191:9
    #29 0x7f285c5e9209 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #30 0x7f285c5e92bb in __libc_start_main csu/../csu/libc-start.c:389:3
    #31 0x7f2883238120 in _start (/mnt/s/GitHub/mame/mame+0x24d60120) (BuildId: 7b7aeda5846ab501)

Address 0x6290007ae200 is a wild pointer inside of access range of size 0x000000000002.
SUMMARY: AddressSanitizer: heap-buffer-overflow /mnt/s/GitHub/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/devices/bus/megadrive/rom.cpp:1574:28 in md_rom_starodys_device::write(unsigned int, unsigned short, unsigned short)