Viewing Issue Advanced Details

| Field | Value |
|---|---|
| ID | 07539 |
| Category | Misc. |
| Severity | Critical (emulator) |
| Reproducibility | Always |
| Date Submitted | Jan 7, 2020, 17:51 |
| Last Update | Nov 5, 2022, 08:58 |
| Tester | Firewave |
| View Status | Public |
| Platform | MAME (Self-compiled) |
| Assigned To | |
| Resolution | Fixed |
| OS | Windows 10/11 (64-bit) |
| Status | Resolved |
| Driver | |
| Version | 0.217 |
| Fixed in Version | |
| Build | 32-bit |
| Fixed in Git Commit | |
| Github Pull Request # | |
| Summary | |
Description

```text
=================================================================
==20452==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x24ac3040 at pc 0x0683ceb5 bp 0x16bbb2fc sp 0x16bbb2f0
READ of size 4 at 0x24ac3040 thread T0
#0 0x683ceb4 in software_renderer<unsigned int,0,0,0,16,8,0,0,0>::get_texel_argb32+0xa4 (s:\dev\mame0217\mame.exe+0x616ceb4)
#1 0x68360fd in software_renderer<unsigned int,0,0,0,16,8,0,0,0>::draw_quad_rgb32+0x1dd (s:\dev\mame0217\mame.exe+0x61660fd)
#2 0x6842172 in software_renderer<unsigned int,0,0,0,16,8,0,0,0>::setup_and_draw_textured_quad+0x6b2 (s:\dev\mame0217\mame.exe+0x6172172)
#3 0x6830956 in software_renderer<unsigned int,0,0,0,16,8,0,0,0>::draw_primitives+0x136 (s:\dev\mame0217\mame.exe+0x6160956)
#4 0x682f69a in video_manager::create_snapshot_bitmap+0x4ea (s:\dev\mame0217\mame.exe+0x615f69a)
#5 0x683f7d1 in video_manager::record_frame+0x201 (s:\dev\mame0217\mame.exe+0x616f7d1)
#6 0x683c754 in video_manager::finish_screen_updates+0x514 (s:\dev\mame0217\mame.exe+0x616c754)
#7 0x683cb10 in video_manager::frame_update+0x50 (s:\dev\mame0217\mame.exe+0x616cb10)
#8 0x63a9878 in screen_device::vblank_begin+0x88 (s:\dev\mame0217\mame.exe+0x5cd9878)
#9 0x63a1ef4 in screen_device::device_timer+0x24 (s:\dev\mame0217\mame.exe+0x5cd1ef4)
#10 0x669a1aa in emu_timer::device_timer_expired+0x7a (s:\dev\mame0217\mame.exe+0x5fca1aa)
#11 0x669a894 in device_scheduler::execute_timers+0x1a4 (s:\dev\mame0217\mame.exe+0x5fca894)
#12 0x669d9d1 in device_scheduler::timeslice+0xb01 (s:\dev\mame0217\mame.exe+0x5fcd9d1)
#13 0x66abc95 in running_machine::run+0x305 (s:\dev\mame0217\mame.exe+0x5fdbc95)
#14 0x75392fc in mame_machine_manager::execute+0x52c (s:\dev\mame0217\mame.exe+0x6e692fc)
#15 0x755b36a in cli_frontend::start_execution+0x56a (s:\dev\mame0217\mame.exe+0x6e8b36a)
#16 0x7553104 in cli_frontend::execute+0x174 (s:\dev\mame0217\mame.exe+0x6e83104)
#17 0x753a259 in emulator_info::start_frontend+0x59 (s:\dev\mame0217\mame.exe+0x6e6a259)
#18 0xa7f25be in main+0x43e (s:\dev\mame0217\mame.exe+0xa1225be)
#19 0xa598c9a in __scrt_common_main_seh d:\agent\_work\s\src\vctools\crt\vcstartup\src\startup\exe_common.inl:288
#20 0x75d36358 in BaseThreadInitThunk+0x18 (C:\WINDOWS\System32\KERNEL32.DLL+0x6b816358)
#21 0x779f7b73 in RtlGetAppContainerNamedObjectPath+0xe3 (C:\WINDOWS\SYSTEM32\ntdll.dll+0x4b2e7b73)
#22 0x779f7b43 in RtlGetAppContainerNamedObjectPath+0xb3 (C:\WINDOWS\SYSTEM32\ntdll.dll+0x4b2e7b43)
0x24ac3040 is located 0 bytes to the right of 4069440-byte region [0x246e1800,0x24ac3040)
allocated by thread T0 here:
#0 0x138326d in operator new[] D:\agent\_work\s\src\vctools\crt\asan\llvm\compiler-rt\lib\asan\asan_new_delete.cc:102
#1 0x2385b7b in bitmap_t::allocate+0x19b (s:\dev\mame0217\mame.exe+0x1cb5b7b)
#2 0x63a6237 in screen_device::register_screen_bitmap+0x187 (s:\dev\mame0217\mame.exe+0x5cd6237)
#3 0x63a16e3 in screen_device::device_start+0x173 (s:\dev\mame0217\mame.exe+0x5cd16e3)
#4 0x62ff127 in device_t::start+0x97 (s:\dev\mame0217\mame.exe+0x5c2f127)
#5 0x66ad879 in running_machine::start_all_devices+0x489 (s:\dev\mame0217\mame.exe+0x5fdd879)
#6 0x66ad287 in running_machine::start+0x807 (s:\dev\mame0217\mame.exe+0x5fdd287)
#7 0x66abb05 in running_machine::run+0x175 (s:\dev\mame0217\mame.exe+0x5fdbb05)
#8 0x75392fc in mame_machine_manager::execute+0x52c (s:\dev\mame0217\mame.exe+0x6e692fc)
#9 0x755b36a in cli_frontend::start_execution+0x56a (s:\dev\mame0217\mame.exe+0x6e8b36a)
#10 0x7553104 in cli_frontend::execute+0x174 (s:\dev\mame0217\mame.exe+0x6e83104)
#11 0x753a259 in emulator_info::start_frontend+0x59 (s:\dev\mame0217\mame.exe+0x6e6a259)
#12 0xa7f25be in main+0x43e (s:\dev\mame0217\mame.exe+0xa1225be)
#13 0xa598c9a in __scrt_common_main_seh d:\agent\_work\s\src\vctools\crt\vcstartup\src\startup\exe_common.inl:288
#14 0x75d36358 in BaseThreadInitThunk+0x18 (C:\WINDOWS\System32\KERNEL32.DLL+0x6b816358)
#15 0x779f7b73 in RtlGetAppContainerNamedObjectPath+0xe3 (C:\WINDOWS\SYSTEM32\ntdll.dll+0x4b2e7b73)
#16 0x779f7b43 in RtlGetAppContainerNamedObjectPath+0xb3 (C:\WINDOWS\SYSTEM32\ntdll.dll+0x4b2e7b43)
SUMMARY: AddressSanitizer: heap-buffer-overflow (s:\dev\mame0217\mame.exe+0x616ceb4) in software_renderer<unsigned int,0,0,0,16,8,0,0,0>::get_texel_argb32+0xa4
Shadow bytes around the buggy address:
0x349585b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x349585c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x349585d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x349585e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x349585f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x34958600: 00 00 00 00 00 00 00 00[fa]fa fa fa fa fa fa fa
0x34958610: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x34958620: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x34958630: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x34958640: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x34958650: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==20452==ABORTING
```
| Field | Value |
|---|---|
| Steps To Reproduce | |
| Additional Information | |
| Github Commit | |
| Flags | |
| Regression Version | |
| Affected Sets / Systems | ccmk5 |

Attached Files

Relationships

There are no relationships linked to this issue.
Notes (4)

No.17343
hap (Developer), Jan 9, 2020, 15:38

Do you get the same thing with this? `mame pacman -snapsize 2178x2118 -aviwrite a.avi`

No.17345
Firewave (Senior Tester), Jan 9, 2020, 21:35

No. That gives no errors but produces a massive AVI :D

No.17357
Firewave (Senior Tester), Jan 12, 2020, 00:51

In draw_quad_rgb32() the prim.texture it reads from is 942x1080, but it wants to read x from 1127 to 2070, which is 943, which is obviously too much. When the error occurs it is x = 2069. The bounds of the primitive are actually:

```text
x0  1127.49377  float
y0  116.057442  float
x1  2069.65186  float
y1  1196.00000  float
```

so startx is rounded down and endx is rounded up.
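The arithmetic behind this note and the ASAN report above, as an added example that is neither MAME's code nor anything posted by the reporter. It takes the 942x1080 texture size and the primitive bounds quoted in the note, derives the integer span the way the note describes it (start rounded down, end rounded up), and shows that the resulting 943-pixel span is one column wider than the texture, so the last pixel at x = 2069 lands on texel column 942. It also checks the offset arithmetic against the sanitizer output: 942 * 1080 * 4 bytes is exactly the 4069440-byte region the read landed 0 bytes past. The one-texel-per-pixel mapping, the tightly packed row pitch and the clamped fetch are assumptions made here for illustration; they are not MAME's implementation, and the page does not state what MAME's fix was.

```c
#include <assert.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Values quoted in the report: texture size and primitive x bounds. */
#define TEX_W 942
#define TEX_H 1080
static const float PRIM_X0 = 1127.49377f;
static const float PRIM_X1 = 2069.65186f;

/* Integer span as the note describes it: start rounded down, end rounded up.
   Plain casts are used instead of floorf/ceilf so the example needs no libm;
   they are only valid for non-negative coordinates, which is all we have here. */
int span_start(float x0)
{
    return (int)x0;                       /* truncation == floor for x0 >= 0 */
}

int span_end(float x1)
{
    int t = (int)x1;
    return (x1 > (float)t) ? t + 1 : t;   /* round up unless already integral */
}

int span_width(float x0, float x1)
{
    return span_end(x1) - span_start(x0);
}

/* Assumed (hypothetical) one-texel-per-pixel mapping: column u = x - startx.
   Returns u when it lies inside a tex_w-wide row, otherwise -1. */
int texel_column(int x, int startx, int tex_w)
{
    int u = x - startx;
    return (u >= 0 && u < tex_w) ? u : -1;
}

/* First screen x in [startx, endx) whose texel column falls outside the
   texture, or -1 if the whole span is in bounds. */
int first_oob_x(float x0, float x1, int tex_w)
{
    int startx = span_start(x0), endx = span_end(x1);
    for (int x = startx; x < endx; x++)
        if (texel_column(x, startx, tex_w) < 0)
            return x;
    return -1;
}

/* Byte offset of texel (u, v) in a tightly packed 32-bit bitmap, the layout
   implied by the 4069440-byte allocation (942 * 1080 * 4, no row padding). */
size_t texel_offset(int u, int v, int tex_w)
{
    return ((size_t)v * (size_t)tex_w + (size_t)u) * sizeof(uint32_t);
}

/* Hardened fetch: clamp u and v to the last valid texel rather than letting a
   rounded-up span walk past the row. Generic mitigation shown for illustration
   only; MAME's actual fix is not stated on this page. */
uint32_t get_texel_clamped(const uint32_t *tex, int tex_w, int tex_h, int u, int v)
{
    if (u < 0) u = 0;
    if (u >= tex_w) u = tex_w - 1;
    if (v < 0) v = 0;
    if (v >= tex_h) v = tex_h - 1;
    return tex[(size_t)v * (size_t)tex_w + (size_t)u];
}

int main(void)
{
    int startx = span_start(PRIM_X0), endx = span_end(PRIM_X1);
    printf("span [%d, %d) = %d pixels, texture is %d wide\n",
           startx, endx, endx - startx, TEX_W);

    int bad_x = first_oob_x(PRIM_X0, PRIM_X1, TEX_W);
    printf("first out-of-bounds pixel: x = %d (texel column %d)\n",
           bad_x, bad_x - startx);
    printf("offset of (%d, %d) = %zu bytes; region size = %zu bytes\n",
           bad_x - startx, TEX_H - 1,
           texel_offset(bad_x - startx, TEX_H - 1, TEX_W),
           (size_t)TEX_W * TEX_H * sizeof(uint32_t));

    /* Clamped fetch on a small constructed 4x2 texture filled with its own index. */
    uint32_t tex[8];
    for (int i = 0; i < 8; i++) tex[i] = (uint32_t)i;
    printf("clamped fetch of column 4 in a 4-wide row returns texel %u\n",
           get_texel_clamped(tex, 4, 2, 4, 1));
    return 0;
}
```

The out-of-bounds column only appears when the last row of the texture is being sampled: column 942 on row 1079 sits at byte 4069440, which is the end of the allocation, matching the "0 bytes to the right" in the sanitizer report; the same column on an earlier row would silently read the first texel of the next row and never trip ASAN.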
No.20729
Firewave (Senior Tester), Nov 5, 2022, 08:58

No ASAN error with 0.249 on Linux.