Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[PATCH] Rocks N Diamonds 4.3.2.2 segfaults in LoadLevel_CUSX/GRPX on corrupt level files generated with AFL++ #7

Closed
Quipyowert2 opened this issue Aug 18, 2022 · 1 comment
Closed

[PATCH] Rocks N Diamonds 4.3.2.2 segfaults in LoadLevel_CUSX/GRPX on corrupt level files generated with AFL++ #7

Quipyowert2 opened this issue Aug 18, 2022 · 1 comment

Comments

@Quipyowert2
Copy link

Quipyowert2 commented Aug 18, 2022
edited

Rocks N Diamonds v4.3.2.2 commit 1d7ec87 (artsoft/master) segfaults when loading level files generated with the American Fuzzy Lop++ 4.01a fuzzer starting with an empty level.

The command I used to find these crashing inputs in RnD was afl-fuzz -i input -o output ./rocksndiamonds -e 'dump level @@'

The crash in LoadLevel_CUSX is because RnD tries to access element 10 and beyond of ei->change_page which is a ten element array. LoadLevel_GRPX crashes because ei->group is NULL and then tries to dereference it.

I compiled SDL2, SDL_image, SDL_mixer, and SDL_net myself because the SDL2 package in the openSUSE repos was older than the version that introduced SDL_OpenURL.

I tried to debug this issue before, but I kept encountering <optimized out> variables. This time I compiled with -O0 and was able to figure out a simple patch to fix the issue.

I have attached the zip of the levels which crash RnD and the Valgrind output from running Valgrind 3.18.1 on rocksndiamonds like this: valgrind ./rocksndiamonds -e 'dump level crashes/id:000001,sig:11,src:000801+000501,time:100941896,execs:2536255,op:splice,rep:8'. LoadLevel_GRPX-1d7ec871.txt contains the output of that command and LoadLevel_CUSX1d7ec871.txt contains the output of running Valgrind on Rocksndiamonds running dump level on the id:000000,sig:11,src:000370+000640,time:250246985,execs:5048867,op:splice,rep:4 file.

Environment:
openSUSE 15.4 in Windows Subsystem for Linux running in Windows 10
Rocks n Diamonds 4.3.2.2
AFL++ 4.01a
Valgrind 3.18.1
SDL 2.23.1
SDL_image 2.5.2
SDL_mixer 2.5.2
SDL_net 2.1.0

Here is a patch which seems to fix the crashes:

diff --git a/src/files.c b/src/files.c
index 8889f810..5633786d 100644
--- a/src/files.c
+++ b/src/files.c
@@ -3356,6 +3356,8 @@ static int LoadLevel_CUSX(File *file, int chunk_size, struct LevelInfo *level)
   while (!checkEndOfFile(file))
   {
     struct ElementChangeInfo *change = &ei->change_page[xx_current_change_page];
+    if (xx_current_change_page >= ei->num_change_pages)
+      break;
 
     xx_change = *change;	// copy change data into temporary buffer
 
@@ -3383,6 +3385,8 @@ static int LoadLevel_GRPX(File *file, int chunk_size, struct LevelInfo *level)
   int real_chunk_size = 2;
   struct ElementInfo *ei = &element_info[element];
   struct ElementGroupInfo *group = ei->group;
+  if (!group)
+    return 0;
 
   xx_ei = *ei;		// copy element data into temporary buffer
   xx_group = *group;	// copy group data into temporary buffer

crashinglevels.zip
LoadLevel_CUSX-1d7ec871.txt
LoadLevel_GRPX-1d7ec871.txt
@Quipyowert2 Quipyowert2 changed the title Rocks N Diamonds segfaults in LoadLevel_CUSX/GRPX on corrupt level files generated with AFL++ [PATCH] Rocks N Diamonds 4.3.2.2 segfaults in LoadLevel_CUSX/GRPX on corrupt level files generated with AFL++ Aug 18, 2022
@Quipyowert2
Copy link
Author

The latest Rocks 'N' Diamonds 4.3.6.0-gf627531a doesn't crash anymore with the corrupted level files. This issue can be closed.

Also reported here: forum post 17885.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@Quipyowert2