Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

morph_checkers: broken in cxx #9

Open
Starlon opened this issue Apr 18, 2012 · 3 comments
Open

morph_checkers: broken in cxx #9

Starlon opened this issue Apr 18, 2012 · 3 comments
Milestone

Comments

@Starlon
Copy link
Member

Starlon commented Apr 18, 2012

This morph plugin seems not to work with libvisual/cxx. Did something change regarding blitting with VisRectangle constraint functions?

@kaixiong
Copy link
Member

kaixiong commented Jan 5, 2013

I've just checked the code for creating sub-videos and it looks quite broken. Fixing it should fix morph_checkers.

@rigid
Copy link
Member

rigid commented Mar 3, 2013

changed milestone to 0.5.1 since this isn't necessarily a showstopper for the next release

@kaixiong
Copy link
Member

Depends on #64

hartwork added a commit that referenced this issue Jan 25, 2023
.. by adding the missing virtual destructor to class Hashable.

ASan output was:
> =================================================================
> ==21660==ERROR: AddressSanitizer: new-delete-type-mismatch on 0x603000079d20 in thread T0:
>   object passed to delete has wrong type:
>   size of the allocated type:   32 bytes;
>   size of the deallocated type: 8 bytes.
>     #0 0x7f98137dc2a7 in operator delete(void*, unsigned long) /var/tmp/portage/sys-devel/gcc-11.3.1_p20221223/work/gcc-11-20221223/libsanitizer/asan/asan_new_delete.cpp:172
>     #1 0x7f9802700116 in Hashtable::RemoveAll() [..]/libvisual-plugins/plugins/actor/G-Force/Common/GeneralTools/Hashtable.cpp:202
>     #2 0x7f980270023f in Hashtable::~Hashtable() [..]/libvisual-plugins/plugins/actor/G-Force/Common/GeneralTools/Hashtable.cpp:32
>     #3 0x7f98026dc9d5 in ExpressionDict::~ExpressionDict() ../../../../plugins/actor/G-Force/Common/math/Headers/ExpressionDict.h:20
>     #4 0x7f98026dc9d5 in WaveShape::~WaveShape() ../../../../plugins/actor/G-Force/GForceCommon/Headers/WaveShape.h:11
>     #5 0x7f98026dc9d5 in GForce::~GForce() [..]/libvisual-plugins/plugins/actor/G-Force/GForceCommon/G-Force.cpp:249
>     #6 0x7f980270e7a5 in lv_gforce_cleanup [..]/libvisual-plugins/plugins/actor/G-Force/unix/libvisual/actor_gforce.cpp:140
>     #7 0x7f981367e236 in visual_plugin_unload [..]/libvisual/libvisual/lv_plugin.c:655
>     #8 0x7f9813674563 in actor_dtor [..]/libvisual/libvisual/lv_actor.c:52
>     #9 0x7f98136aa9e8 in visual_object_destroy [..]/libvisual/libvisual/lv_object.c:104
>     #10 0x7f981367c090 in visual_bin_switch_finalize [..]/libvisual/libvisual/lv_bin.c:695
>     #11 0x7f981367c9dd in visual_bin_run [..]/libvisual/libvisual/lv_bin.c:853
>     #12 0x5649c53eeedc in LV::Bin::run() [..]/libvisual/tools/lv-tool/lv-tool.cpp:108
>     #13 0x5649c53eeedc in main [..]/libvisual/tools/lv-tool/lv-tool.cpp:853
>     #14 0x7f981317e209  (/lib64/libc.so.6+0x2a209)
>     #15 0x7f981317e2bb in __libc_start_main (/lib64/libc.so.6+0x2a2bb)
>     #16 0x5649c53f2110 in _start ([..]/INSTALL_PREFIX/bin/lv-tool+0xa110)
>
> 0x603000079d20 is located 0 bytes inside of 32-byte region [0x603000079d20,0x603000079d40)
> allocated by thread T0 here:
>     #0 0x7f98137db247 in operator new(unsigned long) /var/tmp/portage/sys-devel/gcc-11.3.1_p20221223/work/gcc-11-20221223/libsanitizer/asan/asan_new_delete.cpp:99
>     #1 0x7f98026edd5e in ExpressionDict::AddVar(char*, float*) [..]/libvisual-plugins/plugins/actor/G-Force/Common/math/ExpressionDict.cpp:15
>     #2 0x7f98026e9331 in ExpressionDict::AddVar(UtilStr&, float*) [..]/libvisual-plugins/plugins/actor/G-Force/Common/math/Headers/ExpressionDict.h:27
>     #3 0x7f98026e9331 in ExprArray::Compile(ArgList const&, long, ExpressionDict&) [..]/libvisual-plugins/plugins/actor/G-Force/Common/math/ExprArray.cpp:67
>     #4 0x7f98026e0900 in WaveShape::Load(ArgList&, long) [..]/libvisual-plugins/plugins/actor/G-Force/GForceCommon/WaveShape.cpp:76
>     #5 0x7f98026d898d in GForce::loadWaveShape(long, bool) [..]/libvisual-plugins/plugins/actor/G-Force/GForceCommon/G-Force.cpp:1251
>     #6 0x7f98026db109 in GForce::RecordSample(long) [..]/libvisual-plugins/plugins/actor/G-Force/GForceCommon/G-Force.cpp:917
>     #7 0x7f980270ea8e in lv_gforce_render [..]/libvisual-plugins/plugins/actor/G-Force/unix/libvisual/actor_gforce.cpp:264
>     #8 0x7f98136767de in visual_actor_run [..]/libvisual/libvisual/lv_actor.c:777
>     #9 0x7f981367c71a in visual_bin_run [..]/libvisual/libvisual/lv_bin.c:865
>     #10 0x5649c53eeedc in LV::Bin::run() [..]/libvisual/tools/lv-tool/lv-tool.cpp:108
>     #11 0x5649c53eeedc in main [..]/libvisual/tools/lv-tool/lv-tool.cpp:853
>     #12 0x7f981317e209  (/lib64/libc.so.6+0x2a209)
>
> SUMMARY: AddressSanitizer: new-delete-type-mismatch /var/tmp/portage/sys-devel/gcc-11.3.1_p20221223/work/gcc-11-20221223/libsanitizer/asan/asan_new_delete.cpp:172 in operator delete(void*, unsigned long)
> ==21660==HINT: if you don't care about these errors you may set ASAN_OPTIONS=new_delete_type_mismatch=0
> ==21660==ABORTING
hartwork added a commit that referenced this issue Jan 25, 2023
.. by adding the missing virtual destructor to class Hashable.

ASan output was:
> =================================================================
> ==21660==ERROR: AddressSanitizer: new-delete-type-mismatch on 0x603000079d20 in thread T0:
>   object passed to delete has wrong type:
>   size of the allocated type:   32 bytes;
>   size of the deallocated type: 8 bytes.
>     #0 0x7f98137dc2a7 in operator delete(void*, unsigned long) /var/tmp/portage/sys-devel/gcc-11.3.1_p20221223/work/gcc-11-20221223/libsanitizer/asan/asan_new_delete.cpp:172
>     #1 0x7f9802700116 in Hashtable::RemoveAll() [..]/libvisual-plugins/plugins/actor/G-Force/Common/GeneralTools/Hashtable.cpp:202
>     #2 0x7f980270023f in Hashtable::~Hashtable() [..]/libvisual-plugins/plugins/actor/G-Force/Common/GeneralTools/Hashtable.cpp:32
>     #3 0x7f98026dc9d5 in ExpressionDict::~ExpressionDict() ../../../../plugins/actor/G-Force/Common/math/Headers/ExpressionDict.h:20
>     #4 0x7f98026dc9d5 in WaveShape::~WaveShape() ../../../../plugins/actor/G-Force/GForceCommon/Headers/WaveShape.h:11
>     #5 0x7f98026dc9d5 in GForce::~GForce() [..]/libvisual-plugins/plugins/actor/G-Force/GForceCommon/G-Force.cpp:249
>     #6 0x7f980270e7a5 in lv_gforce_cleanup [..]/libvisual-plugins/plugins/actor/G-Force/unix/libvisual/actor_gforce.cpp:140
>     #7 0x7f981367e236 in visual_plugin_unload [..]/libvisual/libvisual/lv_plugin.c:655
>     #8 0x7f9813674563 in actor_dtor [..]/libvisual/libvisual/lv_actor.c:52
>     #9 0x7f98136aa9e8 in visual_object_destroy [..]/libvisual/libvisual/lv_object.c:104
>     #10 0x7f981367c090 in visual_bin_switch_finalize [..]/libvisual/libvisual/lv_bin.c:695
>     #11 0x7f981367c9dd in visual_bin_run [..]/libvisual/libvisual/lv_bin.c:853
>     #12 0x5649c53eeedc in LV::Bin::run() [..]/libvisual/tools/lv-tool/lv-tool.cpp:108
>     #13 0x5649c53eeedc in main [..]/libvisual/tools/lv-tool/lv-tool.cpp:853
>     #14 0x7f981317e209  (/lib64/libc.so.6+0x2a209)
>     #15 0x7f981317e2bb in __libc_start_main (/lib64/libc.so.6+0x2a2bb)
>     #16 0x5649c53f2110 in _start ([..]/INSTALL_PREFIX/bin/lv-tool+0xa110)
>
> 0x603000079d20 is located 0 bytes inside of 32-byte region [0x603000079d20,0x603000079d40)
> allocated by thread T0 here:
>     #0 0x7f98137db247 in operator new(unsigned long) /var/tmp/portage/sys-devel/gcc-11.3.1_p20221223/work/gcc-11-20221223/libsanitizer/asan/asan_new_delete.cpp:99
>     #1 0x7f98026edd5e in ExpressionDict::AddVar(char*, float*) [..]/libvisual-plugins/plugins/actor/G-Force/Common/math/ExpressionDict.cpp:15
>     #2 0x7f98026e9331 in ExpressionDict::AddVar(UtilStr&, float*) [..]/libvisual-plugins/plugins/actor/G-Force/Common/math/Headers/ExpressionDict.h:27
>     #3 0x7f98026e9331 in ExprArray::Compile(ArgList const&, long, ExpressionDict&) [..]/libvisual-plugins/plugins/actor/G-Force/Common/math/ExprArray.cpp:67
>     #4 0x7f98026e0900 in WaveShape::Load(ArgList&, long) [..]/libvisual-plugins/plugins/actor/G-Force/GForceCommon/WaveShape.cpp:76
>     #5 0x7f98026d898d in GForce::loadWaveShape(long, bool) [..]/libvisual-plugins/plugins/actor/G-Force/GForceCommon/G-Force.cpp:1251
>     #6 0x7f98026db109 in GForce::RecordSample(long) [..]/libvisual-plugins/plugins/actor/G-Force/GForceCommon/G-Force.cpp:917
>     #7 0x7f980270ea8e in lv_gforce_render [..]/libvisual-plugins/plugins/actor/G-Force/unix/libvisual/actor_gforce.cpp:264
>     #8 0x7f98136767de in visual_actor_run [..]/libvisual/libvisual/lv_actor.c:777
>     #9 0x7f981367c71a in visual_bin_run [..]/libvisual/libvisual/lv_bin.c:865
>     #10 0x5649c53eeedc in LV::Bin::run() [..]/libvisual/tools/lv-tool/lv-tool.cpp:108
>     #11 0x5649c53eeedc in main [..]/libvisual/tools/lv-tool/lv-tool.cpp:853
>     #12 0x7f981317e209  (/lib64/libc.so.6+0x2a209)
>
> SUMMARY: AddressSanitizer: new-delete-type-mismatch /var/tmp/portage/sys-devel/gcc-11.3.1_p20221223/work/gcc-11-20221223/libsanitizer/asan/asan_new_delete.cpp:172 in operator delete(void*, unsigned long)
> ==21660==HINT: if you don't care about these errors you may set ASAN_OPTIONS=new_delete_type_mismatch=0
> ==21660==ABORTING
hartwork added a commit that referenced this issue Feb 14, 2023
Could be triggered by resizing the window to be of tiny width.

m_reflArray is an array of int elements and all loops oprate on
"m_real_height - m_height" elements.  So if the loop code is correct,
then we need "(m_real_height - m_height) * sizeof(int)" many bytes
for m_reflArray.

Symptom through the eyes of AddressSanitizer:
> =================================================================
> ==20990==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61400000cbec at pc 0x7fe65de62216 bp 0x7ffd745ec810 sp 0x7ffd745ec808
> WRITE of size 4 at 0x61400000cbec thread T0
>     #0 0x7fe65de62215 in Corona::genReflectedWaves(double) [..]/libvisual-plugins/plugins/actor/corona/corona.cpp:311
>     #1 0x7fe65de62262 in Corona::drawReflected() [..]/libvisual-plugins/plugins/actor/corona/corona.cpp:317
>     #2 0x7fe65de6369f in Corona::update(TimedLevel*) [..]/libvisual-plugins/plugins/actor/corona/corona.cpp:504
>     #3 0x7fe65de5fe22 in lv_corona_render [..]/libvisual-plugins/plugins/actor/corona/actor_corona.cpp:278
>     #4 0x7fe66286edb4 in visual_actor_run [..]/libvisual/libvisual/lv_actor.c:783
>     #5 0x7fe662874aac in visual_bin_run [..]/libvisual/libvisual/lv_bin.c:867
>     #6 0x55a1ec4d51ee in LV::Bin::run() [..]/libvisual/tools/lv-tool/lv-tool.cpp:111
>     #7 0x55a1ec4d51ee in main [..]/libvisual/tools/lv-tool/lv-tool.cpp:869
>     #8 0x7fe6624a8d09 in __libc_start_main ../csu/libc-start.c:308
>     #9 0x55a1ec4d2889 in _start ([..]/INSTALL_PREFIX/bin/lv-tool+0x5889)
>
> 0x61400000cbec is located 0 bytes to the right of 428-byte region [0x61400000ca40,0x61400000cbec)
> allocated by thread T0 here:
>     #0 0x7fe662a2ae8f in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
>     #1 0x7fe65de612d2 in Corona::setUpSurface(int, int) [..]/libvisual-plugins/plugins/actor/corona/corona.cpp:109
>     #2 0x7fe65de602ed in lv_corona_dimension [..]/libvisual-plugins/plugins/actor/corona/actor_corona.cpp:198
>     #3 0x7fe65de604a9 in lv_corona_events [..]/libvisual-plugins/plugins/actor/corona/actor_corona.cpp:210
>     #4 0x7fe662875b94 in visual_plugin_events_pump [..]/libvisual/libvisual/lv_plugin.c:241
>     #5 0x7fe66286e6d2 in negotiate_video [..]/libvisual/libvisual/lv_actor.c:613
>     #6 0x7fe66286e6d2 in visual_actor_video_negotiate [..]/libvisual/libvisual/lv_actor.c:538
>     #7 0x7fe6628718c4 in visual_bin_sync [..]/libvisual/libvisual/lv_bin.c:346
>     #8 0x55a1ec4d640f in LV::Bin::sync(bool) [..]/libvisual/tools/lv-tool/lv-tool.cpp:103
>     #9 0x55a1ec4d640f in main [..]/libvisual/tools/lv-tool/lv-tool.cpp:926
>     #10 0x7fe6624a8d09 in __libc_start_main ../csu/libc-start.c:308
>
> SUMMARY: AddressSanitizer: heap-buffer-overflow [..]/libvisual-plugins/plugins/actor/corona/corona.cpp:311 in Corona::genReflectedWaves(double)
> Shadow bytes around the buggy address:
>   0x0c287fff9920: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>   0x0c287fff9930: 00 00 00 00 00 00 00 00 00 00 00 00 06 fa fa fa
>   0x0c287fff9940: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
>   0x0c287fff9950: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>   0x0c287fff9960: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> =>0x0c287fff9970: 00 00 00 00 00 00 00 00 00 00 00 00 00[04]fa fa
>   0x0c287fff9980: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>   0x0c287fff9990: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>   0x0c287fff99a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>   0x0c287fff99b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>   0x0c287fff99c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> Shadow byte legend (one shadow byte represents 8 application bytes):
>   Addressable:           00
>   Partially addressable: 01 02 03 04 05 06 07
>   Heap left redzone:       fa
>   Freed heap region:       fd
>   Stack left redzone:      f1
>   Stack mid redzone:       f2
>   Stack right redzone:     f3
>   Stack after return:      f5
>   Stack use after scope:   f8
>   Global redzone:          f9
>   Global init order:       f6
>   Poisoned by user:        f7
>   Container overflow:      fc
>   Array cookie:            ac
>   Intra object redzone:    bb
>   ASan internal:           fe
>   Left alloca redzone:     ca
>   Right alloca redzone:    cb
>   Shadow gap:              cc
> ==20990==ABORTING
hartwork added a commit that referenced this issue Feb 14, 2023
Could be triggered by resizing the window to be of tiny width.

m_reflArray is an array of int elements and all loops operate on
"m_real_height - m_height" elements.  So if the loop code is correct,
then we need "(m_real_height - m_height) * sizeof(int)" many bytes
for m_reflArray.

Symptom through the eyes of AddressSanitizer:
> =================================================================
> ==20990==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61400000cbec at pc 0x7fe65de62216 bp 0x7ffd745ec810 sp 0x7ffd745ec808
> WRITE of size 4 at 0x61400000cbec thread T0
>     #0 0x7fe65de62215 in Corona::genReflectedWaves(double) [..]/libvisual-plugins/plugins/actor/corona/corona.cpp:311
>     #1 0x7fe65de62262 in Corona::drawReflected() [..]/libvisual-plugins/plugins/actor/corona/corona.cpp:317
>     #2 0x7fe65de6369f in Corona::update(TimedLevel*) [..]/libvisual-plugins/plugins/actor/corona/corona.cpp:504
>     #3 0x7fe65de5fe22 in lv_corona_render [..]/libvisual-plugins/plugins/actor/corona/actor_corona.cpp:278
>     #4 0x7fe66286edb4 in visual_actor_run [..]/libvisual/libvisual/lv_actor.c:783
>     #5 0x7fe662874aac in visual_bin_run [..]/libvisual/libvisual/lv_bin.c:867
>     #6 0x55a1ec4d51ee in LV::Bin::run() [..]/libvisual/tools/lv-tool/lv-tool.cpp:111
>     #7 0x55a1ec4d51ee in main [..]/libvisual/tools/lv-tool/lv-tool.cpp:869
>     #8 0x7fe6624a8d09 in __libc_start_main ../csu/libc-start.c:308
>     #9 0x55a1ec4d2889 in _start ([..]/INSTALL_PREFIX/bin/lv-tool+0x5889)
>
> 0x61400000cbec is located 0 bytes to the right of 428-byte region [0x61400000ca40,0x61400000cbec)
> allocated by thread T0 here:
>     #0 0x7fe662a2ae8f in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
>     #1 0x7fe65de612d2 in Corona::setUpSurface(int, int) [..]/libvisual-plugins/plugins/actor/corona/corona.cpp:109
>     #2 0x7fe65de602ed in lv_corona_dimension [..]/libvisual-plugins/plugins/actor/corona/actor_corona.cpp:198
>     #3 0x7fe65de604a9 in lv_corona_events [..]/libvisual-plugins/plugins/actor/corona/actor_corona.cpp:210
>     #4 0x7fe662875b94 in visual_plugin_events_pump [..]/libvisual/libvisual/lv_plugin.c:241
>     #5 0x7fe66286e6d2 in negotiate_video [..]/libvisual/libvisual/lv_actor.c:613
>     #6 0x7fe66286e6d2 in visual_actor_video_negotiate [..]/libvisual/libvisual/lv_actor.c:538
>     #7 0x7fe6628718c4 in visual_bin_sync [..]/libvisual/libvisual/lv_bin.c:346
>     #8 0x55a1ec4d640f in LV::Bin::sync(bool) [..]/libvisual/tools/lv-tool/lv-tool.cpp:103
>     #9 0x55a1ec4d640f in main [..]/libvisual/tools/lv-tool/lv-tool.cpp:926
>     #10 0x7fe6624a8d09 in __libc_start_main ../csu/libc-start.c:308
>
> SUMMARY: AddressSanitizer: heap-buffer-overflow [..]/libvisual-plugins/plugins/actor/corona/corona.cpp:311 in Corona::genReflectedWaves(double)
> Shadow bytes around the buggy address:
>   0x0c287fff9920: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>   0x0c287fff9930: 00 00 00 00 00 00 00 00 00 00 00 00 06 fa fa fa
>   0x0c287fff9940: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
>   0x0c287fff9950: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>   0x0c287fff9960: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> =>0x0c287fff9970: 00 00 00 00 00 00 00 00 00 00 00 00 00[04]fa fa
>   0x0c287fff9980: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>   0x0c287fff9990: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>   0x0c287fff99a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>   0x0c287fff99b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>   0x0c287fff99c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> Shadow byte legend (one shadow byte represents 8 application bytes):
>   Addressable:           00
>   Partially addressable: 01 02 03 04 05 06 07
>   Heap left redzone:       fa
>   Freed heap region:       fd
>   Stack left redzone:      f1
>   Stack mid redzone:       f2
>   Stack right redzone:     f3
>   Stack after return:      f5
>   Stack use after scope:   f8
>   Global redzone:          f9
>   Global init order:       f6
>   Poisoned by user:        f7
>   Container overflow:      fc
>   Array cookie:            ac
>   Intra object redzone:    bb
>   ASan internal:           fe
>   Left alloca redzone:     ca
>   Right alloca redzone:    cb
>   Shadow gap:              cc
> ==20990==ABORTING
hartwork added a commit that referenced this issue Feb 16, 2023
Could be triggered by resizing the window to be of tiny width.

m_reflArray is an array of int elements and all loops operate on
"m_real_height - m_height" elements.  So if the loop code is correct,
then we need "(m_real_height - m_height) * sizeof(int)" many bytes
for m_reflArray.

Symptom through the eyes of AddressSanitizer:
> =================================================================
> ==20990==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61400000cbec at pc 0x7fe65de62216 bp 0x7ffd745ec810 sp 0x7ffd745ec808
> WRITE of size 4 at 0x61400000cbec thread T0
>     #0 0x7fe65de62215 in Corona::genReflectedWaves(double) [..]/libvisual-plugins/plugins/actor/corona/corona.cpp:311
>     #1 0x7fe65de62262 in Corona::drawReflected() [..]/libvisual-plugins/plugins/actor/corona/corona.cpp:317
>     #2 0x7fe65de6369f in Corona::update(TimedLevel*) [..]/libvisual-plugins/plugins/actor/corona/corona.cpp:504
>     #3 0x7fe65de5fe22 in lv_corona_render [..]/libvisual-plugins/plugins/actor/corona/actor_corona.cpp:278
>     #4 0x7fe66286edb4 in visual_actor_run [..]/libvisual/libvisual/lv_actor.c:783
>     #5 0x7fe662874aac in visual_bin_run [..]/libvisual/libvisual/lv_bin.c:867
>     #6 0x55a1ec4d51ee in LV::Bin::run() [..]/libvisual/tools/lv-tool/lv-tool.cpp:111
>     #7 0x55a1ec4d51ee in main [..]/libvisual/tools/lv-tool/lv-tool.cpp:869
>     #8 0x7fe6624a8d09 in __libc_start_main ../csu/libc-start.c:308
>     #9 0x55a1ec4d2889 in _start ([..]/INSTALL_PREFIX/bin/lv-tool+0x5889)
>
> 0x61400000cbec is located 0 bytes to the right of 428-byte region [0x61400000ca40,0x61400000cbec)
> allocated by thread T0 here:
>     #0 0x7fe662a2ae8f in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
>     #1 0x7fe65de612d2 in Corona::setUpSurface(int, int) [..]/libvisual-plugins/plugins/actor/corona/corona.cpp:109
>     #2 0x7fe65de602ed in lv_corona_dimension [..]/libvisual-plugins/plugins/actor/corona/actor_corona.cpp:198
>     #3 0x7fe65de604a9 in lv_corona_events [..]/libvisual-plugins/plugins/actor/corona/actor_corona.cpp:210
>     #4 0x7fe662875b94 in visual_plugin_events_pump [..]/libvisual/libvisual/lv_plugin.c:241
>     #5 0x7fe66286e6d2 in negotiate_video [..]/libvisual/libvisual/lv_actor.c:613
>     #6 0x7fe66286e6d2 in visual_actor_video_negotiate [..]/libvisual/libvisual/lv_actor.c:538
>     #7 0x7fe6628718c4 in visual_bin_sync [..]/libvisual/libvisual/lv_bin.c:346
>     #8 0x55a1ec4d640f in LV::Bin::sync(bool) [..]/libvisual/tools/lv-tool/lv-tool.cpp:103
>     #9 0x55a1ec4d640f in main [..]/libvisual/tools/lv-tool/lv-tool.cpp:926
>     #10 0x7fe6624a8d09 in __libc_start_main ../csu/libc-start.c:308
>
> SUMMARY: AddressSanitizer: heap-buffer-overflow [..]/libvisual-plugins/plugins/actor/corona/corona.cpp:311 in Corona::genReflectedWaves(double)
> Shadow bytes around the buggy address:
>   0x0c287fff9920: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>   0x0c287fff9930: 00 00 00 00 00 00 00 00 00 00 00 00 06 fa fa fa
>   0x0c287fff9940: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
>   0x0c287fff9950: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>   0x0c287fff9960: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> =>0x0c287fff9970: 00 00 00 00 00 00 00 00 00 00 00 00 00[04]fa fa
>   0x0c287fff9980: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>   0x0c287fff9990: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>   0x0c287fff99a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>   0x0c287fff99b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>   0x0c287fff99c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> Shadow byte legend (one shadow byte represents 8 application bytes):
>   Addressable:           00
>   Partially addressable: 01 02 03 04 05 06 07
>   Heap left redzone:       fa
>   Freed heap region:       fd
>   Stack left redzone:      f1
>   Stack mid redzone:       f2
>   Stack right redzone:     f3
>   Stack after return:      f5
>   Stack use after scope:   f8
>   Global redzone:          f9
>   Global init order:       f6
>   Poisoned by user:        f7
>   Container overflow:      fc
>   Array cookie:            ac
>   Intra object redzone:    bb
>   ASan internal:           fe
>   Left alloca redzone:     ca
>   Right alloca redzone:    cb
>   Shadow gap:              cc
> ==20990==ABORTING
hartwork added a commit that referenced this issue Feb 19, 2023
Could be triggered by resizing the window to be of tiny width.

m_reflArray is an array of int elements and all loops operate on
"m_real_height - m_height" elements.  So if the loop code is correct,
then we need "(m_real_height - m_height) * sizeof(int)" many bytes
for m_reflArray.

Symptom through the eyes of AddressSanitizer:
> =================================================================
> ==20990==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61400000cbec at pc 0x7fe65de62216 bp 0x7ffd745ec810 sp 0x7ffd745ec808
> WRITE of size 4 at 0x61400000cbec thread T0
>     #0 0x7fe65de62215 in Corona::genReflectedWaves(double) [..]/libvisual-plugins/plugins/actor/corona/corona.cpp:311
>     #1 0x7fe65de62262 in Corona::drawReflected() [..]/libvisual-plugins/plugins/actor/corona/corona.cpp:317
>     #2 0x7fe65de6369f in Corona::update(TimedLevel*) [..]/libvisual-plugins/plugins/actor/corona/corona.cpp:504
>     #3 0x7fe65de5fe22 in lv_corona_render [..]/libvisual-plugins/plugins/actor/corona/actor_corona.cpp:278
>     #4 0x7fe66286edb4 in visual_actor_run [..]/libvisual/libvisual/lv_actor.c:783
>     #5 0x7fe662874aac in visual_bin_run [..]/libvisual/libvisual/lv_bin.c:867
>     #6 0x55a1ec4d51ee in LV::Bin::run() [..]/libvisual/tools/lv-tool/lv-tool.cpp:111
>     #7 0x55a1ec4d51ee in main [..]/libvisual/tools/lv-tool/lv-tool.cpp:869
>     #8 0x7fe6624a8d09 in __libc_start_main ../csu/libc-start.c:308
>     #9 0x55a1ec4d2889 in _start ([..]/INSTALL_PREFIX/bin/lv-tool+0x5889)
>
> 0x61400000cbec is located 0 bytes to the right of 428-byte region [0x61400000ca40,0x61400000cbec)
> allocated by thread T0 here:
>     #0 0x7fe662a2ae8f in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
>     #1 0x7fe65de612d2 in Corona::setUpSurface(int, int) [..]/libvisual-plugins/plugins/actor/corona/corona.cpp:109
>     #2 0x7fe65de602ed in lv_corona_dimension [..]/libvisual-plugins/plugins/actor/corona/actor_corona.cpp:198
>     #3 0x7fe65de604a9 in lv_corona_events [..]/libvisual-plugins/plugins/actor/corona/actor_corona.cpp:210
>     #4 0x7fe662875b94 in visual_plugin_events_pump [..]/libvisual/libvisual/lv_plugin.c:241
>     #5 0x7fe66286e6d2 in negotiate_video [..]/libvisual/libvisual/lv_actor.c:613
>     #6 0x7fe66286e6d2 in visual_actor_video_negotiate [..]/libvisual/libvisual/lv_actor.c:538
>     #7 0x7fe6628718c4 in visual_bin_sync [..]/libvisual/libvisual/lv_bin.c:346
>     #8 0x55a1ec4d640f in LV::Bin::sync(bool) [..]/libvisual/tools/lv-tool/lv-tool.cpp:103
>     #9 0x55a1ec4d640f in main [..]/libvisual/tools/lv-tool/lv-tool.cpp:926
>     #10 0x7fe6624a8d09 in __libc_start_main ../csu/libc-start.c:308
>
> SUMMARY: AddressSanitizer: heap-buffer-overflow [..]/libvisual-plugins/plugins/actor/corona/corona.cpp:311 in Corona::genReflectedWaves(double)
> Shadow bytes around the buggy address:
>   0x0c287fff9920: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>   0x0c287fff9930: 00 00 00 00 00 00 00 00 00 00 00 00 06 fa fa fa
>   0x0c287fff9940: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
>   0x0c287fff9950: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>   0x0c287fff9960: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> =>0x0c287fff9970: 00 00 00 00 00 00 00 00 00 00 00 00 00[04]fa fa
>   0x0c287fff9980: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>   0x0c287fff9990: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>   0x0c287fff99a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>   0x0c287fff99b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>   0x0c287fff99c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> Shadow byte legend (one shadow byte represents 8 application bytes):
>   Addressable:           00
>   Partially addressable: 01 02 03 04 05 06 07
>   Heap left redzone:       fa
>   Freed heap region:       fd
>   Stack left redzone:      f1
>   Stack mid redzone:       f2
>   Stack right redzone:     f3
>   Stack after return:      f5
>   Stack use after scope:   f8
>   Global redzone:          f9
>   Global init order:       f6
>   Poisoned by user:        f7
>   Container overflow:      fc
>   Array cookie:            ac
>   Intra object redzone:    bb
>   ASan internal:           fe
>   Left alloca redzone:     ca
>   Right alloca redzone:    cb
>   Shadow gap:              cc
> ==20990==ABORTING

(cherry picked from commit 04ab908)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

No branches or pull requests

3 participants