
[COP] - random segfault while looting a corpse related to reading the UI XML scripts #989

Open
BielBdeLuna opened this issue Mar 29, 2022 · 5 comments
Labels
Bug The issue in the run-time. Call of Pripyat This can affect Call of Pripyat compatibility, or related to this game. Linux

Comments

@BielBdeLuna

Describe the bug
I got a random segfault while looting a corpse, though it has happened to me only once.

At first I thought it was caused by the pushing motion applied to the corpse when looting corpses (so an error related to ODE), but it seems to be an error reading the XML files of the UI.

The corpse had already been searched and emptied in the past.

To Reproduce
Can't reproduce. The corpse can be searched, and looting can be attempted, after restarting the engine and loading a savegame.

Screenshots
none

BugTrap error report

Thread 1 "Primary thread" received signal SIGSEGV, Segmentation fault.
0x00007ffff7cf0b8f in IReader::r_string(char*, unsigned long) () from /lib/x86_64-linux-gnu/xrCore.so
(gdb) bt
#0  0x00007ffff7cf0b8f in IReader::r_string(char*, unsigned long) () from /lib/x86_64-linux-gnu/xrCore.so
#1  0x00007ffff7d36384 in ParseFile(char const*, CMemoryWriter&, IReader*, XMLDocument*) () from /lib/x86_64-linux-gnu/xrCore.so
#2  0x00007ffff7d364af in ParseFile(char const*, CMemoryWriter&, IReader*, XMLDocument*) () from /lib/x86_64-linux-gnu/xrCore.so
#3  0x00007ffff7d36be4 in XMLDocument::Load(char const*, char const*, bool) () from /lib/x86_64-linux-gnu/xrCore.so
#4  0x00007ffff7d37802 in XMLDocument::Load(char const*, char const*, char const*, char const*, bool) () from /lib/x86_64-linux-gnu/xrCore.so
#5  0x00007fffe0c3dad4 in CUICellItem::init() () from /lib/x86_64-linux-gnu/xrGame.so
#6  0x00007fffe0c3ddd1 in CUICellItem::CUICellItem() () from /lib/x86_64-linux-gnu/xrGame.so
#7  0x00007fffe0c3ac16 in CUIAmmoCellItem::CUIAmmoCellItem(CWeaponAmmo*) () from /lib/x86_64-linux-gnu/xrGame.so
#8  0x00007fffe0c3f0d1 in create_cell_item(CInventoryItem*) () from /lib/x86_64-linux-gnu/xrGame.so
#9  0x00007fffe0c2d83c in CUIActorMenu::InitInventoryContents(CUIDragDropListEx*, bool) () from /lib/x86_64-linux-gnu/xrGame.so
#10 0x00007fffe0c25bc0 in CUIActorMenu::InitDeadBodySearchMode() () from /lib/x86_64-linux-gnu/xrGame.so
#11 0x00007fffe0c249ad in CUIActorMenu::SetMenuMode(EMenuMode) () from /lib/x86_64-linux-gnu/xrGame.so
#12 0x00007fffe0923427 in CUIGameSP::StartCarBody(CInventoryOwner*, CInventoryOwner*) () from /lib/x86_64-linux-gnu/xrGame.so
#13 0x00007fffe01f7718 in CActor::ActorUse() () from /lib/x86_64-linux-gnu/xrGame.so
#14 0x00007fffe056199a in CLevel::IR_OnKeyboardPress(int) () from /lib/x86_64-linux-gnu/xrGame.so
#15 0x00007ffff7f50ad6 in CInput::KeyUpdate() () from /lib/x86_64-linux-gnu/xrEngine.so
#16 0x00007ffff7f510e8 in CInput::OnFrame() () from /lib/x86_64-linux-gnu/xrEngine.so
#17 0x00007ffff7f029cb in CRenderDevice::FrameMove() () from /lib/x86_64-linux-gnu/xrEngine.so
#18 0x00007ffff7f031c7 in CRenderDevice::ProcessFrame() () from /lib/x86_64-linux-gnu/xrEngine.so
#19 0x00007ffff7f03c4b in CRenderDevice::message_loop() [clone .part.0] () from /lib/x86_64-linux-gnu/xrEngine.so
#20 0x00007ffff7f03f27 in CRenderDevice::Run() () from /lib/x86_64-linux-gnu/xrEngine.so
#21 0x00007ffff7f380b0 in Startup() () from /lib/x86_64-linux-gnu/xrEngine.so
#22 0x00007ffff7f38c2b in RunApplication() () from /lib/x86_64-linux-gnu/xrEngine.so
#23 0x0000555555555885 in entry_point(char const*) ()
#24 0x00005555555555bf in main ()
(gdb) quit

Desktop (please complete the following information):

  • OS: Ubuntu 21.10
  • OpenXRay build version: df92f23

Additional context
no mods used

@BielBdeLuna BielBdeLuna added the Bug The issue in the run-time. label Mar 29, 2022
@Xottab-DUTY Xottab-DUTY added the Clear Sky This can affect Clear Sky compatibility, or related to this game. label Mar 29, 2022
@BielBdeLuna
Author

Caution, this happened in Call of Pripyat, not in Clear Sky.

@BielBdeLuna
Author

The same error happened again while speaking to the trader in Zaton:


(...)

Thread 1 "Primary thread" received signal SIGSEGV, Segmentation fault.
0x00007ffff7cf0c6f in IReader::r_string(char*, unsigned long) () from /lib/x86_64-linux-gnu/xrCore.so
(gdb) bt
#0 0x00007ffff7cf0c6f in IReader::r_string(char*, unsigned long) () from /lib/x86_64-linux-gnu/xrCore.so
#1 0x00007ffff7d36684 in ParseFile(char const*, CMemoryWriter&, IReader*, XMLDocument*) () from /lib/x86_64-linux-gnu/xrCore.so
#2 0x00007ffff7d367af in ParseFile(char const*, CMemoryWriter&, IReader*, XMLDocument*) () from /lib/x86_64-linux-gnu/xrCore.so
#3 0x00007ffff7d36ee4 in XMLDocument::Load(char const*, char const*, bool) () from /lib/x86_64-linux-gnu/xrCore.so
#4 0x00007ffff7d37b02 in XMLDocument::Load(char const*, char const*, char const*, char const*, bool) () from /lib/x86_64-linux-gnu/xrCore.so
#5 0x00007fffe0c3cb54 in CUICellItem::init() () from /lib/x86_64-linux-gnu/xrGame.so
#6 0x00007fffe0c3ce51 in CUICellItem::CUICellItem() () from /lib/x86_64-linux-gnu/xrGame.so
#7 0x00007fffe0c39ad6 in CUIInventoryCellItem::CUIInventoryCellItem(CInventoryItem*) () from /lib/x86_64-linux-gnu/xrGame.so
#8 0x00007fffe0c3e1b7 in create_cell_item(CInventoryItem*) () from /lib/x86_64-linux-gnu/xrGame.so
#9 0x00007fffe0c30794 in CUIActorMenu::InitPartnerInventoryContents() () from /lib/x86_64-linux-gnu/xrGame.so
#10 0x00007fffe0c30b64 in CUIActorMenu::InitTradeMode() () from /lib/x86_64-linux-gnu/xrGame.so
#11 0x00007fffe0c23a7d in CUIActorMenu::SetMenuMode(EMenuMode) () from /lib/x86_64-linux-gnu/xrGame.so
#12 0x00007fffe09222ec in CUIGameSP::StartTrade(CInventoryOwner*, CInventoryOwner*) () from /lib/x86_64-linux-gnu/xrGame.so
#13 0x00007fffe0cd3791 in CUITalkWnd::SendMessage(CUIWindow*, short, void*) () from /lib/x86_64-linux-gnu/xrGame.so
#14 0x00007fffdf561e8d in CUI3tButton::OnClick() () from /lib/x86_64-linux-gnu/xrUICore.so
#15 0x00007fffdf56306f in CUIButton::OnMouseAction(float, float, EUIMessages) () from /lib/x86_64-linux-gnu/xrUICore.so
#16 0x00007fffdf5f02a3 in CUIWindow::OnMouseAction(float, float, EUIMessages) () from /lib/x86_64-linux-gnu/xrUICore.so
#17 0x00007fffdf5f02a3 in CUIWindow::OnMouseAction(float, float, EUIMessages) () from /lib/x86_64-linux-gnu/xrUICore.so
#18 0x00007fffe090331c in CDialogHolder::IR_UIOnKeyboardRelease(int) () from /lib/x86_64-linux-gnu/xrGame.so
#19 0x00007fffe056188e in CLevel::IR_OnKeyboardRelease(int) () from /lib/x86_64-linux-gnu/xrGame.so
#20 0x00007ffff7f4de66 in CInput::MouseUpdate() () from /lib/x86_64-linux-gnu/xrEngine.so
#21 0x00007ffff7f50fd0 in CInput::OnFrame() () from /lib/x86_64-linux-gnu/xrEngine.so
#22 0x00007ffff7f029cb in CRenderDevice::FrameMove() () from /lib/x86_64-linux-gnu/xrEngine.so
#23 0x00007ffff7f031c7 in CRenderDevice::ProcessFrame() () from /lib/x86_64-linux-gnu/xrEngine.so
#24 0x00007ffff7f03c4b in CRenderDevice::message_loop() [clone .part.0] () from /lib/x86_64-linux-gnu/xrEngine.so
#25 0x00007ffff7f03f27 in CRenderDevice::Run() () from /lib/x86_64-linux-gnu/xrEngine.so
#26 0x00007ffff7f37f90 in Startup() () from /lib/x86_64-linux-gnu/xrEngine.so
#27 0x00007ffff7f38b0b in RunApplication() () from /lib/x86_64-linux-gnu/xrEngine.so
#28 0x0000555555555885 in entry_point(char const*) ()
#29 0x00005555555555bf in main ()
(gdb) continue
Continuing.

FATAL ERROR

[error] Expression :
[error] Function : handler_base
[error] File : /home/biel/code/xray-16/src/xrCore/xrDebug.cpp
[error] Line : 853
[error] Description : segmentation fault

stack trace:

xrDebug::GatherInfo(char*, unsigned long, ErrorLocation const&, char const*, char const*, char const*, char const*)
xrDebug::Fail(bool&, ErrorLocation const&, char const*, char const*, char const*, char const*)
/lib/x86_64-linux-gnu/xrCore.so(+0x4271b) [0x7ffff7d0871b]
/lib/x86_64-linux-gnu/libc.so.6(+0x42520) [0x7ffff7718520]
IReader::r_string(char*, unsigned long)
/lib/x86_64-linux-gnu/xrCore.so(+0x70684) [0x7ffff7d36684]
/lib/x86_64-linux-gnu/xrCore.so(+0x707af) [0x7ffff7d367af]
XMLDocument::Load(char const*, char const*, bool)
XMLDocument::Load(char const*, char const*, char const*, char const*, bool)
/lib/x86_64-linux-gnu/xrGame.so(+0x1575b54) [0x7fffe0c3cb54]
/lib/x86_64-linux-gnu/xrGame.so(+0x1575e51) [0x7fffe0c3ce51]
/lib/x86_64-linux-gnu/xrGame.so(+0x1572ad6) [0x7fffe0c39ad6]
/lib/x86_64-linux-gnu/xrGame.so(+0x15771b7) [0x7fffe0c3e1b7]
/lib/x86_64-linux-gnu/xrGame.so(+0x1569794) [0x7fffe0c30794]
/lib/x86_64-linux-gnu/xrGame.so(+0x1569b64) [0x7fffe0c30b64]
/lib/x86_64-linux-gnu/xrGame.so(+0x155ca7d) [0x7fffe0c23a7d]
/lib/x86_64-linux-gnu/xrGame.so(+0x125b2ec) [0x7fffe09222ec]
/lib/x86_64-linux-gnu/xrGame.so(+0x160c791) [0x7fffe0cd3791]
CUI3tButton::OnClick()
CUIButton::OnMouseAction(float, float, EUIMessages)

Thread 1 "Primary thread" received signal SIGTRAP, Trace/breakpoint trap.
0x00007ffff7d0814d in xrDebug::Fail(bool&, ErrorLocation const&, char const*, char const*, char const*, char const*) () from /lib/x86_64-linux-gnu/xrCore.so
(gdb) quit
A debugging session is active.

Inferior 1 [process 28302] will be killed.

Quit anyway? (y or n) y

@jjdredd
Contributor

jjdredd commented May 10, 2022

Change the CS tag maybe?

@sobkas
Contributor

sobkas commented Aug 27, 2023

Even if it's hard to reproduce, could you provide a savefile?

@Xottab-DUTY Xottab-DUTY added Call of Pripyat This can affect Call of Pripyat compatibility, or related to this game. Linux and removed Clear Sky This can affect Clear Sky compatibility, or related to this game. labels Sep 7, 2023
@AMS21
Contributor

AMS21 commented Nov 12, 2023

So this issue inspired me to write a fuzzer for XMLDocument::Load; the results of this campaign were #1512 and #1515.
But I never found a segfault in IReader::r_string with the few billion inputs I tested.
So the issue might be a bit more complex than "just" parsing XML files.

Also, fuzzing can only ever show you that there are inputs that crash, never that it won't crash.
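As an added illustration of the two things discussed in this thread (a reader whose string read must never run past its buffer, and a fuzz harness wrapped around the loader that calls it), here is a small memory-backed reader with a bounds-checked line read and a libFuzzer-style entry point. This is not OpenXRay code and not a diagnosis of the crash above; MemReader, load_lines, lines_joined and the harness signature are assumptions for the example.

```cpp
// Added example, not engine code: bounded line reader + fuzz harness shape.
#include <cstddef>
#include <cstdint>
#include <string>
#include <vector>

struct MemReader {
    const char* data;
    size_t size;
    size_t pos = 0;
    bool eof() const { return pos >= size; }
    // Read one line (up to '\n' or end of data) into dst. Always NUL-terminates,
    // never reads past `size`, never writes past `dst_len` bytes. Returns false
    // when nothing is left to read, so a caller loop terminates cleanly.
    bool r_string(char* dst, size_t dst_len) {
        if (dst_len == 0 || eof()) return false;
        size_t n = 0;
        while (!eof() && n + 1 < dst_len && data[pos] != '\n')
            dst[n++] = data[pos++];
        while (!eof() && data[pos] != '\n') pos++;  // drop over-long remainder
        if (!eof()) pos++;                           // consume the newline
        dst[n] = '\0';
        return true;
    }
};

// Stand-in for a parse loop: pulls lines until the reader is exhausted.
// Returns the line count; optionally collects the lines.
size_t load_lines(const uint8_t* buf, size_t len, std::vector<std::string>* out = nullptr) {
    MemReader r{reinterpret_cast<const char*>(buf), len};
    char line[32];  // deliberately small so over-long lines are exercised
    size_t count = 0;
    while (r.r_string(line, sizeof line)) {
        if (out) out->push_back(line);
        ++count;
    }
    return count;
}

// Convenience for checks: the parsed lines joined with '|'.
std::string lines_joined(const std::string& input) {
    std::vector<std::string> v;
    load_lines(reinterpret_cast<const uint8_t*>(input.data()), input.size(), &v);
    std::string j;
    for (size_t i = 0; i < v.size(); ++i) j += (i ? "|" : "") + v[i];
    return j;
}

// libFuzzer entry point: build with clang++ -fsanitize=fuzzer,address.
extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
    load_lines(data, size);
    return 0;
}
```

Under ASan, any read past `size` or write past the 32-byte line buffer would be reported by the fuzzer, which is the property a reader feeding an XML parser needs to hold.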
