ID: 07542
Category: Misc.
Severity: Critical (emulator)
Reproducibility: Always
Date Submitted: Jan 8, 2020, 10:08
Last Update: Nov 5, 2022, 08:50
Tester: Firewave
View Status: Public
Platform: MAME (Self-compiled)
Resolution: Fixed
OS: Windows 10 (64-bit)
Status: Resolved
Version: 0.217
Build: 32-bit
Summary MESS-specific 07542: tc2048: AddressSanitizer: heap-buffer-overflow
Description
=================================================================
==9976==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x22823c00 at pc 0x079a329f bp 0x006fbb38 sp 0x006fbb38
READ of size 1 at 0x22823c00 thread T0
    #0 0x79a329e in spectrum_state::spectrum_UpdateScreenBitmap+0x18e (s:\dev\mame0217\mame.exe+0x72d329e)
    #1 0x796d738 in spectrum_state::device_timer+0x98 (s:\dev\mame0217\mame.exe+0x729d738)
    #2 0x669a1aa in emu_timer::device_timer_expired+0x7a (s:\dev\mame0217\mame.exe+0x5fca1aa)
    #3 0x669a894 in device_scheduler::execute_timers+0x1a4 (s:\dev\mame0217\mame.exe+0x5fca894)
    #4 0x669d9d1 in device_scheduler::timeslice+0xb01 (s:\dev\mame0217\mame.exe+0x5fcd9d1)
    #5 0x66abc95 in running_machine::run+0x305 (s:\dev\mame0217\mame.exe+0x5fdbc95)
    #6 0x75392fc in mame_machine_manager::execute+0x52c (s:\dev\mame0217\mame.exe+0x6e692fc)
    #7 0x755b36a in cli_frontend::start_execution+0x56a (s:\dev\mame0217\mame.exe+0x6e8b36a)
    #8 0x7553104 in cli_frontend::execute+0x174 (s:\dev\mame0217\mame.exe+0x6e83104)
    #9 0x753a259 in emulator_info::start_frontend+0x59 (s:\dev\mame0217\mame.exe+0x6e6a259)
    #10 0xa7f25be in main+0x43e (s:\dev\mame0217\mame.exe+0xa1225be)
    #11 0xa598c9a in __scrt_common_main_seh d:\agent\_work\s\src\vctools\crt\vcstartup\src\startup\exe_common.inl:288
    #12 0x75d36358 in BaseThreadInitThunk+0x18 (C:\WINDOWS\System32\KERNEL32.DLL+0x6b816358)
    #13 0x779f7b73 in RtlGetAppContainerNamedObjectPath+0xe3 (C:\WINDOWS\SYSTEM32\ntdll.dll+0x4b2e7b73)
    #14 0x779f7b43 in RtlGetAppContainerNamedObjectPath+0xb3 (C:\WINDOWS\SYSTEM32\ntdll.dll+0x4b2e7b43)

Address 0x22823c00 is a wild pointer.
SUMMARY: AddressSanitizer: heap-buffer-overflow (s:\dev\mame0217\mame.exe+0x72d329e) in spectrum_state::spectrum_UpdateScreenBitmap+0x18e
Shadow bytes around the buggy address:
  0x34504730: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x34504740: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x34504750: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x34504760: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x34504770: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x34504780:[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x34504790: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x345047a0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x345047b0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x345047c0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x345047d0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==9976==ABORTING 
Affected Sets / Systems: tc2048
Relationships
There are no relationships linked to this issue.
Notes (2)

No.17360 Firewave (Senior Tester), Jan 14, 2020, 07:24
It uses MCFG_VIDEO_START_OVERRIDE(timex_state, spectrum_128 ) which starts accessing m_ram->pointer() at 5 << 14 so m_screen_location is a wild pointer (so wild - in my case it even contains the src location string). It appears the RAM for tc2048 of 48K is too small. Other machines using spectrum_128 have 128K.
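An added illustration (not MAME code, not from the reporter) of the mismatch the note describes: the screen base is taken at RAM offset 5 << 14, which fits a 128K RAM block but lies past the end of the tc2048's 48K block. The bank shift and the 48K/128K sizes come from the note; SCREEN_BYTES (6912) is an assumed Spectrum screen size not stated on the page.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Added illustration, not MAME code. Models the note above: the spectrum_128
 * video start takes the screen base at RAM offset 5 << 14 (bank 5, 80 KiB into
 * RAM), which is past the end of the tc2048's 48 KiB block. BANK_SHIFT and the
 * 48K/128K sizes follow the report; SCREEN_BYTES (6912 = 6144 bitmap + 768
 * attribute bytes) is an assumed Spectrum screen size, not stated on the page. */
#define BANK_SHIFT   14
#define SCREEN_BYTES 6912u

/* Hardened lookup: returns a pointer to the screen base inside ram, or NULL when
 * the whole screen window would not fit. The check is done on offsets, so no
 * out-of-bounds pointer is ever formed. */
uint8_t *screen_location_checked(uint8_t *ram, size_t ram_size, unsigned bank)
{
    size_t offset = (size_t)bank << BANK_SHIFT;
    if (offset > ram_size || ram_size - offset < SCREEN_BYTES)
        return NULL;  /* the unchecked original would hand back ram + offset here */
    return ram + offset;
}

/* Bytes by which an unchecked `ram + (bank << 14)` would land past the end of a
 * ram_size buffer (0 when the screen base itself is in bounds). */
size_t bank_overshoot(size_t ram_size, unsigned bank)
{
    size_t offset = (size_t)bank << BANK_SHIFT;
    return offset > ram_size ? offset - ram_size : 0;
}

/* 1 if a machine with ram_kib KiB of RAM can host the bank-5 screen, 0 if not,
 * -1 on allocation failure. */
int bank5_fits(size_t ram_kib)
{
    size_t ram_size = ram_kib * 1024;
    uint8_t *ram = calloc(ram_size, 1);
    if (ram == NULL)
        return -1;
    int fits = screen_location_checked(ram, ram_size, 5) != NULL;
    free(ram);
    return fits;
}

int main(void)
{
    /* tc2048 (48K) must be rejected, a 128K machine accepted */
    return (bank5_fits(48) == 0 && bank5_fits(128) == 1) ? 0 : 1;
}
```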
No.20726 Firewave (Senior Tester), Nov 5, 2022, 08:50
No ASAN error reported with 0.249 on Linux.