07543: rungund, rungunad, rungunbd, rungunuad, rungunud, slmdunkjd: AddressSanitizer: heap-buffer-overflow with -aviwrite

ID	Category [?]	Severity [?]	Reproducibility	Date Submitted	Last Update
07543	Misc.	Critical (emulator)	Always	Jan 8, 2020, 10:10	Nov 2, 2022, 00:04

Tester	Firewave	View Status	Public	Platform	MAME (Self-compiled)
Assigned To		Resolution	Open	OS	Windows 10 (64-bit)
Status [?]	Acknowledged			Driver	konami/rungun.cpp
Version	0.217	Fixed in Version		Build	32-bit
		Fixed in Git Commit		Github Pull Request #

Summary	07543: rungund, rungunad, rungunbd, rungunuad, rungunud, slmdunkjd: AddressSanitizer: heap-buffer-overflow with -aviwrite
Description	================================================================= ==15124==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x212ea520 at pc 0x06834ad1 bp 0x004fad0c sp 0x004fad0c READ of size 4 at 0x212ea520 thread T0 #0 0x6834ad0 in software_renderer<unsigned int,0,0,0,16,8,0,0,0>::draw_quad_palette16_none+0x200 (s:\dev\mame0217\mame.exe+0x6164ad0) #1 0x68421b3 in software_renderer<unsigned int,0,0,0,16,8,0,0,0>::setup_and_draw_textured_quad+0x6f3 (s:\dev\mame0217\mame.exe+0x61721b3) #2 0x6830956 in software_renderer<unsigned int,0,0,0,16,8,0,0,0>::draw_primitives+0x136 (s:\dev\mame0217\mame.exe+0x6160956) #3 0x682f69a in video_manager::create_snapshot_bitmap+0x4ea (s:\dev\mame0217\mame.exe+0x615f69a) #4 0x683f7d1 in video_manager::record_frame+0x201 (s:\dev\mame0217\mame.exe+0x616f7d1) #5 0x683c754 in video_manager::finish_screen_updates+0x514 (s:\dev\mame0217\mame.exe+0x616c754) #6 0x683cb10 in video_manager::frame_update+0x50 (s:\dev\mame0217\mame.exe+0x616cb10) #7 0x63a9878 in screen_device::vblank_begin+0x88 (s:\dev\mame0217\mame.exe+0x5cd9878) #8 0x63a1ef4 in screen_device::device_timer+0x24 (s:\dev\mame0217\mame.exe+0x5cd1ef4) #9 0x669a1aa in emu_timer::device_timer_expired+0x7a (s:\dev\mame0217\mame.exe+0x5fca1aa) #10 0x669a894 in device_scheduler::execute_timers+0x1a4 (s:\dev\mame0217\mame.exe+0x5fca894) #11 0x669d9d1 in device_scheduler::timeslice+0xb01 (s:\dev\mame0217\mame.exe+0x5fcd9d1) #12 0x66abc95 in running_machine::run+0x305 (s:\dev\mame0217\mame.exe+0x5fdbc95) #13 0x75392fc in mame_machine_manager::execute+0x52c (s:\dev\mame0217\mame.exe+0x6e692fc) #14 0x755b36a in cli_frontend::start_execution+0x56a (s:\dev\mame0217\mame.exe+0x6e8b36a) #15 0x7553104 in cli_frontend::execute+0x174 (s:\dev\mame0217\mame.exe+0x6e83104) #16 0x753a259 in emulator_info::start_frontend+0x59 (s:\dev\mame0217\mame.exe+0x6e6a259) #17 0xa7f25be in main+0x43e (s:\dev\mame0217\mame.exe+0xa1225be) #18 0xa598c9a in __scrt_common_main_seh d:\agent\_work\s\src\vctools\crt\vcstartup\src\startup\exe_common.inl:288 #19 0x75d36358 in BaseThreadInitThunk+0x18 (C:\WINDOWS\System32\KERNEL32.DLL+0x6b816358) #20 0x779f7b73 in RtlGetAppContainerNamedObjectPath+0xe3 (C:\WINDOWS\SYSTEM32\ntdll.dll+0x4b2e7b73) #21 0x779f7b43 in RtlGetAppContainerNamedObjectPath+0xb3 (C:\WINDOWS\SYSTEM32\ntdll.dll+0x4b2e7b43) Address 0x212ea520 is a wild pointer. SUMMARY: AddressSanitizer: heap-buffer-overflow (s:\dev\mame0217\mame.exe+0x6164ad0) in software_renderer<unsigned int,0,0,0,16,8,0,0,0>::draw_quad_palette16_none+0x200 Shadow bytes around the buggy address: 0x3425d450: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x3425d460: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x3425d470: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x3425d480: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x3425d490: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 =>0x3425d4a0: 00 00 00 00[00]00 00 00 00 00 00 00 00 00 00 00 0x3425d4b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x3425d4c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x3425d4d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x3425d4e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x3425d4f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb Shadow gap: cc ==15124==ABORTING
Steps To Reproduce
Additional Information
Github Commit

Flags
Regression Version
Affected Sets / Systems	rungund, rungunad, rungunbd, rungunuad, rungunud, slmdunkjd

Attached Files

No.17358 Firewave Senior Tester Jan 12, 2020, 12:42	Using -video d3d it errors out much earlier ================================================================= ==18168==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x41517120 at pc 0x09de9af9 bp 0x161bacdc sp 0x161bacd0 READ of size 4 at 0x41517120 thread T0 ==18168==WARNING: Failed to use and restart external symbolizer! #0 0x9de9af8 in texture_info::copyline_palette16 s:\dev\mame0217\src\osd\modules\render\drawd3d.cpp:2224 #1 0x9df34d0 in texture_info::set_data s:\dev\mame0217\src\osd\modules\render\drawd3d.cpp:2442 #2 0x9de5e6c in texture_info::texture_info s:\dev\mame0217\src\osd\modules\render\drawd3d.cpp:2111 #3 0x9df5683 in d3d_texture_manager::update_textures s:\dev\mame0217\src\osd\modules\render\drawd3d.cpp:605 #4 0x9de8366 in renderer_d3d9::begin_frame s:\dev\mame0217\src\osd\modules\render\drawd3d.cpp:667 #5 0x9ded34b in renderer_d3d9::draw s:\dev\mame0217\src\osd\modules\render\drawd3d.cpp:239 #6 0x9dcdd4a in win_window_info::draw_video_contents s:\dev\mame0217\src\osd\windows\window.cpp:1437 #7 0x9dd0e3b in win_window_info::video_window_proc s:\dev\mame0217\src\osd\windows\window.cpp:1360 #8 0x9dd7216 in winwindow_video_window_proc_ui s:\dev\mame0217\src\osd\windows\winmenu.cpp:23 #9 0x767846ca in AddClipboardFormatListener+0x4a (C:\WINDOWS\System32\USER32.dll+0x69e446ca) #10 0x767660bb in CallWindowProcW+0xb2b (C:\WINDOWS\System32\USER32.dll+0x69e260bb) #11 0x7676586c in CallWindowProcW+0x2dc (C:\WINDOWS\System32\USER32.dll+0x69e2586c) #12 0x76765532 in SendMessageW+0x122 (C:\WINDOWS\System32\USER32.dll+0x69e25532) #13 0x9dcfe05 in win_window_info::update s:\dev\mame0217\src\osd\windows\window.cpp:922 #14 0x9e0717a in windows_osd_interface::update s:\dev\mame0217\src\osd\windows\video.cpp:94 #15 0x5df7e1c in video_manager::frame_update s:\dev\mame0217\src\emu\video.cpp:238 #16 0x596a652 in screen_device::vblank_begin s:\dev\mame0217\src\emu\screen.cpp:1660 #17 0x5962975 in screen_device::device_timer s:\dev\mame0217\src\emu\screen.cpp:959 #18 0x5c586dd in emu_timer::device_timer_expired s:\dev\mame0217\src\emu\schedule.cpp:317 #19 0x5c58d7c in device_scheduler::execute_timers s:\dev\mame0217\src\emu\schedule.cpp:907 #20 0x5c5bdfe in device_scheduler::timeslice s:\dev\mame0217\src\emu\schedule.cpp:544 #21 0x5c6a220 in running_machine::run s:\dev\mame0217\src\emu\machine.cpp:372 #22 0x6b0b15c in mame_machine_manager::execute+0x52c (s:\dev\mame0217\build\projects\windows\mame\vs2019\..\..\..\..\..\mame.exe+0x6e9b15c) #23 0x6b2d54a in cli_frontend::start_execution+0x56a (s:\dev\mame0217\build\projects\windows\mame\vs2019\..\..\..\..\..\mame.exe+0x6ebd54a) #24 0x6b252d4 in cli_frontend::execute+0x174 (s:\dev\mame0217\build\projects\windows\mame\vs2019\..\..\..\..\..\mame.exe+0x6eb52d4) #25 0x6b0c0b9 in emulator_info::start_frontend+0x59 (s:\dev\mame0217\build\projects\windows\mame\vs2019\..\..\..\..\..\mame.exe+0x6e9c0b9) #26 0x9dd57fe in main s:\dev\mame0217\src\osd\windows\winmain.cpp:323 #27 0x9b78e39 in __scrt_common_main_seh d:\agent\_work\s\src\vctools\crt\vcstartup\src\startup\exe_common.inl:288 #28 0x75d36358 in BaseThreadInitThunk+0x18 (C:\WINDOWS\System32\KERNEL32.DLL+0x6b816358) #29 0x779f7b73 in RtlGetAppContainerNamedObjectPath+0xe3 (C:\WINDOWS\SYSTEM32\ntdll.dll+0x4b2e7b73) #30 0x779f7b43 in RtlGetAppContainerNamedObjectPath+0xb3 (C:\WINDOWS\SYSTEM32\ntdll.dll+0x4b2e7b43) Address 0x41517120 is a wild pointer. SUMMARY: AddressSanitizer: heap-buffer-overflow s:\dev\mame0217\src\osd\modules\render\drawd3d.cpp:2224 in texture_info::copyline_palette16 Shadow bytes around the buggy address: 0x382a2dd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x382a2de0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x382a2df0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x382a2e00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x382a2e10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 =>0x382a2e20: 00 00 00 00[00]00 00 00 00 00 00 00 00 00 00 00 0x382a2e30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x382a2e40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x382a2e50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x382a2e60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x382a2e70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb Shadow gap: cc
No.17359 Firewave Senior Tester Jan 13, 2020, 17:44	Looks like the palette is accessed out of bounds in texture_info::copyline_palette16(): Address 0x41517120 is a wild pointer. + palette 0x41514120 {m_data=4278190080 } const rgb_t * + src 0x2be678b0 {3072} const unsigned short *
No.20683 Firewave Senior Tester Nov 2, 2022, 00:04	Also happens when taking a snapshot on Linux with 0.249: ================================================================= ==30538==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x621000157100 at pc 0x7f66e0e2cb48 bp 0x7ffff0082d20 sp 0x7ffff0082d18 READ of size 4 at 0x621000157100 thread T0 #0 0x7f66e0e2cb47 in operator unsigned int /mnt/s/GitHub/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/lib/util/palette.h:61:47 #1 0x7f66e0e2cb47 in software_renderer<unsigned int, 0, 0, 0, 16, 8, 0, false, true>::get_texel_palette16(render_texinfo const&, int, int) /mnt/s/GitHub/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/emu/rendersw.hxx:148:16 #2 0x7f66e0e104e6 in software_renderer<unsigned int, 0, 0, 0, 16, 8, 0, false, true>::draw_quad_palette16_none(render_primitive const&, unsigned int, unsigned int, software_renderer<unsigned int, 0, 0, 0, 16, 8, 0, false, true>::quad_setup_data const&) /mnt/s/GitHub/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/emu/rendersw.hxx:684:22 #3 0x7f66e0e0df43 in software_renderer<unsigned int, 0, 0, 0, 16, 8, 0, false, true>::setup_and_draw_textured_quad(render_primitive const&, unsigned int, int, int, unsigned int) /mnt/s/GitHub/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/emu/rendersw.hxx:1782:5 #4 0x7f66e0e07802 in software_renderer<unsigned int, 0, 0, 0, 16, 8, 0, false, true>::draw_primitives(render_primitive_list const&, void, unsigned int, unsigned int, unsigned int) /mnt/s/GitHub/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/emu/rendersw.hxx:1867:7 #5 0x7f66e0e007c8 in video_manager::create_snapshot_bitmap(screen_device) /mnt/s/GitHub/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/emu/video.cpp:1046:3 #6 0x7f66e0dff568 in video_manager::save_snapshot(screen_device, util::core_file&) /mnt/s/GitHub/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/emu/video.cpp:329:2 #7 0x7f66e0dfde55 in video_manager::recompute_speed(attotime const&) /mnt/s/GitHub/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/emu/video.cpp:1005:5 #8 0x7f66e0dfb0e8 in video_manager::frame_update(bool) /mnt/s/GitHub/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/emu/video.cpp:261:4 #9 0x7f66e0cf47c8 in screen_device::vblank_begin(int) /mnt/s/GitHub/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/emu/screen.cpp:1646:21 #10 0x7f66e0cdd304 in operator() /mnt/s/GitHub/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/lib/util/delegate.h:765:11 #11 0x7f66e0cdd304 in device_scheduler::execute_timers() /mnt/s/GitHub/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/emu/schedule.cpp:951:5 #12 0x7f66e0cd8858 in device_scheduler::timeslice() /mnt/s/GitHub/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/emu/schedule.cpp:505:2 #13 0x7f66e0b704a7 in running_machine::run(bool) /mnt/s/GitHub/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/emu/machine.cpp:329:17 #14 0x7f66e3cd6f7f in mame_machine_manager::execute() /mnt/s/GitHub/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/frontend/mame/mame.cpp:290:19 #15 0x7f66e3ecb8d6 in cli_frontend::start_execution(mame_machine_manager, std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > const&) /mnt/s/GitHub/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/frontend/mame/clifront.cpp:275:22 #16 0x7f66e3ecf41f in cli_frontend::execute(std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > >&) /mnt/s/GitHub/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/frontend/mame/clifront.cpp:291:3 #17 0x7f66e3cdbd5f in emulator_info::start_frontend(emu_options&, osd_interface&, std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > >&) /mnt/s/GitHub/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/frontend/mame/mame.cpp:454:18 #18 0x7f66e0eb258b in main /mnt/s/GitHub/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/osd/sdl/sdlmain.cpp:191:9 #19 0x7f669f3b9209 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16 #20 0x7f669f3b92bb in __libc_start_main csu/../csu/libc-start.c:389:3 #21 0x7f66be63c260 in _start (/mnt/s/GitHub/mame/mame+0x1d397260) (BuildId: 603d3d1c300651feb2a8e3ac6e9cb58d3f85e77b) Address 0x621000157100 is a wild pointer inside of access range of size 0x000000000004. SUMMARY: AddressSanitizer: heap-buffer-overflow /mnt/s/GitHub/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/lib/util/palette.h:61:47 in operator unsigned int Shadow bytes around the buggy address: 0x0c4280022dd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c4280022de0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c4280022df0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c4280022e00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c4280022e10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa =>0x0c4280022e20:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c4280022e30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c4280022e40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c4280022e50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c4280022e60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c4280022e70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb ==30538==ABORTING

No.17358

Firewave

Senior Tester

Jan 12, 2020, 12:42

Using -video d3d it errors out much earlier

=================================================================
==18168==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x41517120 at pc 0x09de9af9 bp 0x161bacdc sp 0x161bacd0
READ of size 4 at 0x41517120 thread T0
==18168==WARNING: Failed to use and restart external symbolizer!
    #0 0x9de9af8 in texture_info::copyline_palette16 s:\dev\mame0217\src\osd\modules\render\drawd3d.cpp:2224
    #1 0x9df34d0 in texture_info::set_data s:\dev\mame0217\src\osd\modules\render\drawd3d.cpp:2442
    #2 0x9de5e6c in texture_info::texture_info s:\dev\mame0217\src\osd\modules\render\drawd3d.cpp:2111
    #3 0x9df5683 in d3d_texture_manager::update_textures s:\dev\mame0217\src\osd\modules\render\drawd3d.cpp:605
    #4 0x9de8366 in renderer_d3d9::begin_frame s:\dev\mame0217\src\osd\modules\render\drawd3d.cpp:667
    #5 0x9ded34b in renderer_d3d9::draw s:\dev\mame0217\src\osd\modules\render\drawd3d.cpp:239
    #6 0x9dcdd4a in win_window_info::draw_video_contents s:\dev\mame0217\src\osd\windows\window.cpp:1437
    #7 0x9dd0e3b in win_window_info::video_window_proc s:\dev\mame0217\src\osd\windows\window.cpp:1360
    #8 0x9dd7216 in winwindow_video_window_proc_ui s:\dev\mame0217\src\osd\windows\winmenu.cpp:23
    #9 0x767846ca in AddClipboardFormatListener+0x4a (C:\WINDOWS\System32\USER32.dll+0x69e446ca)
    #10 0x767660bb in CallWindowProcW+0xb2b (C:\WINDOWS\System32\USER32.dll+0x69e260bb)
    #11 0x7676586c in CallWindowProcW+0x2dc (C:\WINDOWS\System32\USER32.dll+0x69e2586c)
    #12 0x76765532 in SendMessageW+0x122 (C:\WINDOWS\System32\USER32.dll+0x69e25532)
    #13 0x9dcfe05 in win_window_info::update s:\dev\mame0217\src\osd\windows\window.cpp:922
    #14 0x9e0717a in windows_osd_interface::update s:\dev\mame0217\src\osd\windows\video.cpp:94
    #15 0x5df7e1c in video_manager::frame_update s:\dev\mame0217\src\emu\video.cpp:238
    #16 0x596a652 in screen_device::vblank_begin s:\dev\mame0217\src\emu\screen.cpp:1660
    #17 0x5962975 in screen_device::device_timer s:\dev\mame0217\src\emu\screen.cpp:959
    #18 0x5c586dd in emu_timer::device_timer_expired s:\dev\mame0217\src\emu\schedule.cpp:317
    #19 0x5c58d7c in device_scheduler::execute_timers s:\dev\mame0217\src\emu\schedule.cpp:907
    #20 0x5c5bdfe in device_scheduler::timeslice s:\dev\mame0217\src\emu\schedule.cpp:544
    #21 0x5c6a220 in running_machine::run s:\dev\mame0217\src\emu\machine.cpp:372
    #22 0x6b0b15c in mame_machine_manager::execute+0x52c (s:\dev\mame0217\build\projects\windows\mame\vs2019\..\..\..\..\..\mame.exe+0x6e9b15c)
    #23 0x6b2d54a in cli_frontend::start_execution+0x56a (s:\dev\mame0217\build\projects\windows\mame\vs2019\..\..\..\..\..\mame.exe+0x6ebd54a)
    #24 0x6b252d4 in cli_frontend::execute+0x174 (s:\dev\mame0217\build\projects\windows\mame\vs2019\..\..\..\..\..\mame.exe+0x6eb52d4)
    #25 0x6b0c0b9 in emulator_info::start_frontend+0x59 (s:\dev\mame0217\build\projects\windows\mame\vs2019\..\..\..\..\..\mame.exe+0x6e9c0b9)
    #26 0x9dd57fe in main s:\dev\mame0217\src\osd\windows\winmain.cpp:323
    #27 0x9b78e39 in __scrt_common_main_seh d:\agent\_work\s\src\vctools\crt\vcstartup\src\startup\exe_common.inl:288
    #28 0x75d36358 in BaseThreadInitThunk+0x18 (C:\WINDOWS\System32\KERNEL32.DLL+0x6b816358)
    #29 0x779f7b73 in RtlGetAppContainerNamedObjectPath+0xe3 (C:\WINDOWS\SYSTEM32\ntdll.dll+0x4b2e7b73)
    #30 0x779f7b43 in RtlGetAppContainerNamedObjectPath+0xb3 (C:\WINDOWS\SYSTEM32\ntdll.dll+0x4b2e7b43)

Address 0x41517120 is a wild pointer.
SUMMARY: AddressSanitizer: heap-buffer-overflow s:\dev\mame0217\src\osd\modules\render\drawd3d.cpp:2224 in texture_info::copyline_palette16
Shadow bytes around the buggy address:
  0x382a2dd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x382a2de0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x382a2df0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x382a2e00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x382a2e10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x382a2e20: 00 00 00 00[00]00 00 00 00 00 00 00 00 00 00 00
  0x382a2e30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x382a2e40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x382a2e50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x382a2e60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x382a2e70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc

No.17359

Firewave

Senior Tester

Jan 13, 2020, 17:44

Looks like the palette is accessed out of bounds in texture_info::copyline_palette16():

Address 0x41517120 is a wild pointer.

+		palette	0x41514120 {m_data=4278190080 }	const rgb_t *
+		src	0x2be678b0 {3072}	const unsigned short *

No.20683

Firewave

Senior Tester

Nov 2, 2022, 00:04

Also happens when taking a snapshot on Linux with 0.249:

=================================================================
==30538==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x621000157100 at pc 0x7f66e0e2cb48 bp 0x7ffff0082d20 sp 0x7ffff0082d18
READ of size 4 at 0x621000157100 thread T0
    #0 0x7f66e0e2cb47 in operator unsigned int /mnt/s/GitHub/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/lib/util/palette.h:61:47
    #1 0x7f66e0e2cb47 in software_renderer<unsigned int, 0, 0, 0, 16, 8, 0, false, true>::get_texel_palette16(render_texinfo const&, int, int) /mnt/s/GitHub/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/emu/rendersw.hxx:148:16
    #2 0x7f66e0e104e6 in software_renderer<unsigned int, 0, 0, 0, 16, 8, 0, false, true>::draw_quad_palette16_none(render_primitive const&, unsigned int*, unsigned int, software_renderer<unsigned int, 0, 0, 0, 16, 8, 0, false, true>::quad_setup_data const&) /mnt/s/GitHub/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/emu/rendersw.hxx:684:22
    #3 0x7f66e0e0df43 in software_renderer<unsigned int, 0, 0, 0, 16, 8, 0, false, true>::setup_and_draw_textured_quad(render_primitive const&, unsigned int*, int, int, unsigned int) /mnt/s/GitHub/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/emu/rendersw.hxx:1782:5
    #4 0x7f66e0e07802 in software_renderer<unsigned int, 0, 0, 0, 16, 8, 0, false, true>::draw_primitives(render_primitive_list const&, void*, unsigned int, unsigned int, unsigned int) /mnt/s/GitHub/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/emu/rendersw.hxx:1867:7
    #5 0x7f66e0e007c8 in video_manager::create_snapshot_bitmap(screen_device*) /mnt/s/GitHub/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/emu/video.cpp:1046:3
    #6 0x7f66e0dff568 in video_manager::save_snapshot(screen_device*, util::core_file&) /mnt/s/GitHub/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/emu/video.cpp:329:2
    #7 0x7f66e0dfde55 in video_manager::recompute_speed(attotime const&) /mnt/s/GitHub/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/emu/video.cpp:1005:5
    #8 0x7f66e0dfb0e8 in video_manager::frame_update(bool) /mnt/s/GitHub/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/emu/video.cpp:261:4
    #9 0x7f66e0cf47c8 in screen_device::vblank_begin(int) /mnt/s/GitHub/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/emu/screen.cpp:1646:21
    #10 0x7f66e0cdd304 in operator() /mnt/s/GitHub/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/lib/util/delegate.h:765:11
    #11 0x7f66e0cdd304 in device_scheduler::execute_timers() /mnt/s/GitHub/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/emu/schedule.cpp:951:5
    #12 0x7f66e0cd8858 in device_scheduler::timeslice() /mnt/s/GitHub/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/emu/schedule.cpp:505:2
    #13 0x7f66e0b704a7 in running_machine::run(bool) /mnt/s/GitHub/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/emu/machine.cpp:329:17
    #14 0x7f66e3cd6f7f in mame_machine_manager::execute() /mnt/s/GitHub/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/frontend/mame/mame.cpp:290:19
    #15 0x7f66e3ecb8d6 in cli_frontend::start_execution(mame_machine_manager*, std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > const&) /mnt/s/GitHub/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/frontend/mame/clifront.cpp:275:22
    #16 0x7f66e3ecf41f in cli_frontend::execute(std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > >&) /mnt/s/GitHub/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/frontend/mame/clifront.cpp:291:3
    #17 0x7f66e3cdbd5f in emulator_info::start_frontend(emu_options&, osd_interface&, std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > >&) /mnt/s/GitHub/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/frontend/mame/mame.cpp:454:18
    #18 0x7f66e0eb258b in main /mnt/s/GitHub/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/osd/sdl/sdlmain.cpp:191:9
    #19 0x7f669f3b9209 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #20 0x7f669f3b92bb in __libc_start_main csu/../csu/libc-start.c:389:3
    #21 0x7f66be63c260 in _start (/mnt/s/GitHub/mame/mame+0x1d397260) (BuildId: 603d3d1c300651feb2a8e3ac6e9cb58d3f85e77b)

Address 0x621000157100 is a wild pointer inside of access range of size 0x000000000004.
SUMMARY: AddressSanitizer: heap-buffer-overflow /mnt/s/GitHub/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/lib/util/palette.h:61:47 in operator unsigned int
Shadow bytes around the buggy address:
  0x0c4280022dd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4280022de0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4280022df0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4280022e00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4280022e10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c4280022e20:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4280022e30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4280022e40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4280022e50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4280022e60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4280022e70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==30538==ABORTING