
Conversation

@xezon xezon commented Oct 21, 2025

This change fixes global-buffer-overflows in WorldBuilder, particularly in the MapObjectProps class.

  static char buff[12]; // <--- This buffer is too small for the sprintf below
  sprintf(buff, "%0.2f, %0.2f", m_position.x, m_position.y);

To mitigate, select buffer sizes were increased (sometimes decreased where that was OK). Additionally, all sprintf calls in WorldBuilder have been changed to snprintf for additional robustness.

=================================================================
==18428==ERROR: AddressSanitizer: global-buffer-overflow on address 0x02ad376c at pc 0x53b88f20 bp 0x00ace694 sp 0x00ace274
WRITE of size 7 at 0x02ad376c thread T0
==18428==WARNING: Failed to use and restart external symbolizer!
    #0 0x53b88f1f in memcpy D:\a\_work\1\s\src\vctools\asan\llvm\compiler-rt\lib\sanitizer_common\sanitizer_common_interceptors_memintrinsics.inc:121
    #1 0x539c0305 in _p__commode+0x20d95 (C:\WINDOWS\SYSTEM32\ucrtbased.dll+0x10100305)
    #2 0x539bfb8f in _p__commode+0x2061f (C:\WINDOWS\SYSTEM32\ucrtbased.dll+0x100ffb8f)
    #3 0x539b7264 in _p__commode+0x17cf4 (C:\WINDOWS\SYSTEM32\ucrtbased.dll+0x100f7264)
    #4 0x539b055d in _p__commode+0x10fed (C:\WINDOWS\SYSTEM32\ucrtbased.dll+0x100f055d)
    #5 0x539a2695 in _p__commode+0x3125 (C:\WINDOWS\SYSTEM32\ucrtbased.dll+0x100e2695)
    #6 0x539c08e4 in _stdio_common_vsprintf+0x34 (C:\WINDOWS\SYSTEM32\ucrtbased.dll+0x101008e4)
    #7 0x00b74f37 in _vsnprintf_l C:\Program Files (x86)\Windows Kits\10\Include\10.0.26100.0\ucrt\stdio.h:1392
    #8 0x00b74f79 in _vsprintf_l C:\Program Files (x86)\Windows Kits\10\Include\10.0.26100.0\ucrt\stdio.h:1459
    #9 0x00b74f9e in sprintf C:\Program Files (x86)\Windows Kits\10\Include\10.0.26100.0\ucrt\stdio.h:1776
    #10 0x00c20700 in MapObjectProps::ShowPosition D:\Projects\TheSuperHackers\GeneralsGameCode\GeneralsMD\Code\Tools\WorldBuilder\src\mapobjectprops.cpp:519
    #11 0x00c25f22 in MapObjectProps::updateTheUI D:\Projects\TheSuperHackers\GeneralsGameCode\GeneralsMD\Code\Tools\WorldBuilder\src\mapobjectprops.cpp:1671
    #12 0x00c16a94 in MapObjectProps::updateTheUI D:\Projects\TheSuperHackers\GeneralsGameCode\GeneralsMD\Code\Tools\WorldBuilder\src\mapobjectprops.cpp:1638
    #13 0x00c25e46 in MapObjectProps::update D:\Projects\TheSuperHackers\GeneralsGameCode\GeneralsMD\Code\Tools\WorldBuilder\src\mapobjectprops.cpp:1620
    #14 0x00b8db11 in SidesListUndoable::Do D:\Projects\TheSuperHackers\GeneralsGameCode\GeneralsMD\Code\Tools\WorldBuilder\src\CUndoable.cpp:736
    #15 0x00cfcfc8 in CWorldBuilderDoc::AddAndDoUndoable D:\Projects\TheSuperHackers\GeneralsGameCode\GeneralsMD\Code\Tools\WorldBuilder\src\WorldBuilderDoc.cpp:953
    #16 0x00c74a2d in ScriptDialog::OnOK D:\Projects\TheSuperHackers\GeneralsGameCode\GeneralsMD\Code\Tools\WorldBuilder\src\ScriptDialog.cpp:1946
    #17 0x549c2262  (C:\WINDOWS\SYSTEM32\mfc140d.dll+0x10452262)
    #18 0x549c1b81  (C:\WINDOWS\SYSTEM32\mfc140d.dll+0x10451b81)
    #19 0x54a45813  (C:\WINDOWS\SYSTEM32\mfc140d.dll+0x104d5813)
    #20 0x54b807c6  (C:\WINDOWS\SYSTEM32\mfc140d.dll+0x106107c6)
    #21 0x54b828d8  (C:\WINDOWS\SYSTEM32\mfc140d.dll+0x106128d8)
    #22 0x54b87e1c  (C:\WINDOWS\SYSTEM32\mfc140d.dll+0x10617e1c)
    #23 0x54b784f9  (C:\WINDOWS\SYSTEM32\mfc140d.dll+0x106084f9)
    #24 0x54b79544  (C:\WINDOWS\SYSTEM32\mfc140d.dll+0x10609544)
    #25 0x5489213c  (C:\WINDOWS\SYSTEM32\mfc140d.dll+0x1032213c)
    #26 0x76bd9b22 in Ordinal2713+0x822 (C:\WINDOWS\System32\USER32.dll+0x10039b22)
    #27 0x76bc7c9c in MsgWaitForMultipleObjectsEx+0x7cc (C:\WINDOWS\System32\USER32.dll+0x10027c9c)
    #28 0x76bc8dfb in GetWindowLongW+0x104b (C:\WINDOWS\System32\USER32.dll+0x10028dfb)
    #29 0x76be04f7 in SetWindowsHookExAW+0x2f7 (C:\WINDOWS\System32\USER32.dll+0x100404f7)
    #30 0x76bc7465 in SendMessageW+0x45 (C:\WINDOWS\System32\USER32.dll+0x10027465)
    #31 0x76c00d59 in LoadCursorFromFileW+0x1f29 (C:\WINDOWS\System32\USER32.dll+0x10060d59)
    #32 0x76c00a1a in LoadCursorFromFileW+0x1bea (C:\WINDOWS\System32\USER32.dll+0x10060a1a)
    #33 0x76bffe80 in LoadCursorFromFileW+0x1050 (C:\WINDOWS\System32\USER32.dll+0x1005fe80)
    #34 0x76bff311 in LoadCursorFromFileW+0x4e1 (C:\WINDOWS\System32\USER32.dll+0x1005f311)
    #35 0x76bd9b22 in Ordinal2713+0x822 (C:\WINDOWS\System32\USER32.dll+0x10039b22)
    #36 0x76bc7c9c in MsgWaitForMultipleObjectsEx+0x7cc (C:\WINDOWS\System32\USER32.dll+0x10027c9c)
    #37 0x76bc7129 in DispatchMessageW+0x4a9 (C:\WINDOWS\System32\USER32.dll+0x10027129)
    #38 0x76bcb8f0 in IsDialogMessageW+0x8a0 (C:\WINDOWS\System32\USER32.dll+0x1002b8f0)
    #39 0x76c10c1b in IsDialogMessage+0x13b (C:\WINDOWS\System32\USER32.dll+0x10070c1b)
    #40 0x54bca6c3  (C:\WINDOWS\SYSTEM32\mfc140d.dll+0x1065a6c3)
    #41 0x54b8518c  (C:\WINDOWS\SYSTEM32\mfc140d.dll+0x1061518c)
    #42 0x54a46228  (C:\WINDOWS\SYSTEM32\mfc140d.dll+0x104d6228)
    #43 0x54b87aad  (C:\WINDOWS\SYSTEM32\mfc140d.dll+0x10617aad)
    #44 0x54b463a5  (C:\WINDOWS\SYSTEM32\mfc140d.dll+0x105d63a5)
    #45 0x54b47999  (C:\WINDOWS\SYSTEM32\mfc140d.dll+0x105d7999)
    #46 0x54b466c9  (C:\WINDOWS\SYSTEM32\mfc140d.dll+0x105d66c9)
    #47 0x54b46591  (C:\WINDOWS\SYSTEM32\mfc140d.dll+0x105d6591)
    #48 0x54b47c42  (C:\WINDOWS\SYSTEM32\mfc140d.dll+0x105d7c42)
    #49 0x54b47d43  (C:\WINDOWS\SYSTEM32\mfc140d.dll+0x105d7d43)
    #50 0x5499c627  (C:\WINDOWS\SYSTEM32\mfc140d.dll+0x1042c627)
    #51 0x54bc2aeb  (C:\WINDOWS\SYSTEM32\mfc140d.dll+0x10652aeb)
    #52 0x02047167 in WinMain D:\a\_work\1\s\src\vctools\VC7Libs\Ship\ATLMFC\Src\MFC\appmodul.cpp:25
    #53 0x020494cc in invoke_main D:\a\_work\1\s\src\vctools\crt\vcstartup\src\startup\exe_common.inl:102
    #54 0x020493d9 in __scrt_common_main_seh D:\a\_work\1\s\src\vctools\crt\vcstartup\src\startup\exe_common.inl:288
    #55 0x0204927c in __scrt_common_main D:\a\_work\1\s\src\vctools\crt\vcstartup\src\startup\exe_common.inl:330
    #56 0x02049537 in WinMainCRTStartup D:\a\_work\1\s\src\vctools\crt\vcstartup\src\startup\exe_winmain.cpp:16
    #57 0x767c5d48 in BaseThreadInitThunk+0x18 (C:\WINDOWS\System32\KERNEL32.DLL+0x10015d48)
    #58 0x776dd6da in RtlInitializeExceptionChain+0x6a (C:\WINDOWS\SYSTEM32\ntdll.dll+0x4b2ed6da)
    #59 0x776dd660 in RtlGetAppContainerNamedObjectPath+0x230 (C:\WINDOWS\SYSTEM32\ntdll.dll+0x4b2ed660)

0x02ad376c is located 20 bytes before global variable '`MapObjectProps::PopSliderChanged'::`2'::buff' defined in 'mapobjectprops.cpp:620:13' (0x02ad3780) of size 36
0x02ad376c is located 0 bytes after global variable '`MapObjectProps::ShowPosition'::`2'::buff' defined in 'mapobjectprops.cpp:518:14' (0x02ad3760) of size 12
SUMMARY: AddressSanitizer: global-buffer-overflow (C:\WINDOWS\SYSTEM32\ucrtbased.dll+0x10100305) in _p__commode+0x20d95
Shadow bytes around the buggy address:
  0x02ad3480: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x02ad3500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x02ad3580: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x02ad3600: 00 00 00 00 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
  0x02ad3680: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
=>0x02ad3700: f9 f9 f9 f9 00 04 f9 f9 00 04 f9 f9 00[04]f9 f9
  0x02ad3780: 00 00 00 00 04 f9 f9 f9 f9 f9 f9 f9 00 04 f9 f9
  0x02ad3800: 00 04 f9 f9 00 04 f9 f9 00 04 f9 f9 00 00 00 00
  0x02ad3880: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x02ad3900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x02ad3980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
Address Sanitizer Error: Global buffer overflow

TODO

  • Replicate in Generals

@xezon xezon added the labels Major (Severity: Minor < Major < Critical < Blocker), WorldBuilder (Relates to World Builder), Memory (Is memory related) and Stability (Concerns stability of the runtime) on Oct 21, 2025
@xezon xezon force-pushed the xezon/fix-worldbuilder-mapobjects-crash branch from 15d476a to 0455798 on October 21, 2025 17:18

@Skyaero42 Skyaero42 left a comment


I'm not convinced all size changes are necessary.

// CWorldBuilderDoc* pDoc = CWorldBuilderDoc::GetActiveDoc();
CWnd* edit;
static char buff[12];
static char buff[64];


12 enough?

Author


I asked Chat and it recommended 44. So I picked 64 for floats.

Chat

Good — this one’s much simpler and we can calculate it exactly.

You said you’re using sprintf with a format of "%.2f", and printing a float value (e.g. 0.2f).

Let’s break it down precisely 👇


🧮 Format "%.2f"

  • %.2f means:

    • Always print 2 digits after the decimal point

    • No exponential notation — just fixed‐point

    • A leading digit before the decimal (even if the number is < 1)

    • A sign (-) if the value is negative


📏 Maximum Possible String Length

For a float, the largest finite value is about 3.4028235e+38.
When formatted with "%.2f", this becomes an enormous number of digits — because %f prints the full decimal expansion, not scientific notation.

That means:

3.4028235e+38 ≈ 340282350000000000000000000000000000000.00

That’s 39 digits before the decimal point, plus:

  • 1 for the decimal point

  • 2 for the fractional digits

  • 1 for possible negative sign

  • 1 for the null terminator

So total = 39 + 1 + 2 + 1 + 1 = 44 bytes


✅ Safe Buffer Size

If you plan to sprintf(buf, "%.2f", someFloat);
you should allocate at least 44 bytes to safely hold any float value.

To be nice and round, use char buf[48]; or char buf[64]; — it costs nothing extra and covers all cases cleanly.


🧠 Example

char buf[48];
float x = 0.2f;
sprintf(buf, "%.2f", x);  // produces "0.20"

In this specific example, "0.20" takes 4 characters, so even char buf[8]; would work —
but to be safe for all float values, you want ~44 bytes minimum.


TL;DR

| Case | Example Output | Needed Size |
| --- | --- | --- |
| Typical value (e.g. 0.2f) | "0.20" | 5 bytes |
| Maximum float value | "340282346638528859811704183484516925440.00" | 44 bytes |
| ✅ Safe general size | | 48 bytes |

Would you like me to show a small C snippet that actually computes the worst-case string length automatically (so you can test it on your compiler)?
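The overflow from the PR description (a 12-byte `static char buff` fed by `sprintf(buff, "%0.2f, %0.2f", ...)`) and the 44-byte worst case derived above, worked through in code. This is an added example, not code from the PR or from WorldBuilder: `Coord2`, `bytes_needed`, `format_position` and `position_round_trips` are hypothetical stand-ins for the MFC code in mapobjectprops.cpp, and the measurement relies on C99 `snprintf(NULL, 0, ...)` semantics.

```c
#include <float.h>
#include <stdarg.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not WorldBuilder code. Coord2 and the functions below are
 * hypothetical stand-ins for the MFC code in mapobjectprops.cpp. */
typedef struct { float x, y; } Coord2;

/* Bytes a printf-style call needs, including the terminating NUL.
 * snprintf(NULL, 0, ...) measures the output without writing anything (C99). */
static size_t bytes_needed(const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(NULL, 0, fmt, ap);
    va_end(ap);
    return n < 0 ? 0 : (size_t)n + 1;
}

/* Worst case for "%0.2f" over the float range: sign, the 39 digits of
 * FLT_MAX, the point, two decimals and the NUL. */
size_t worst_case_fixed2(void)
{
    size_t neg = bytes_needed("%0.2f", (double)-FLT_MAX);
    size_t pos = bytes_needed("%0.2f", (double)FLT_MAX);
    return neg > pos ? neg : pos;
}

/* Worst case for "%g" (default precision 6) over the float range: sign,
 * six significant digits, point, 'e', exponent sign, two exponent digits
 * and the NUL. Only the extremes matter, so a few probes are enough. */
size_t worst_case_g(void)
{
    const float probes[] = { -FLT_MAX, FLT_MAX, -FLT_MIN, FLT_MIN, -123456.0f };
    size_t worst = 0;
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        size_t n = bytes_needed("%g", (double)probes[i]);
        if (n > worst)
            worst = n;
    }
    return worst;
}

/* The ShowPosition pattern with the buffer size passed in. snprintf always
 * NUL-terminates when cap > 0 and reports the length it wanted, so an
 * oversized result becomes a detectable truncation (-1) instead of a write
 * past the end of the array. */
int format_position(char *buf, size_t cap, Coord2 pos)
{
    int n = snprintf(buf, cap, "%0.2f, %0.2f", (double)pos.x, (double)pos.y);
    if (n < 0 || (size_t)n >= cap)
        return -1;
    return 0;
}

/* The original code reads the text back with sscanf(buff, "%f,%f", ...).
 * Returns 1 only when both coordinates survive the round trip, so a
 * truncated string is caught instead of quietly moving the object. */
int position_round_trips(const char *text, Coord2 *out)
{
    return sscanf(text, "%f,%f", &out->x, &out->y) == 2;
}

int main(void)
{
    char small[12];                    /* the size ShowPosition used before the PR */
    char big[32];                      /* the size the review settles on for two floats */
    Coord2 pos = { 123456.78f, 9.5f }; /* constructed sample coordinate */
    Coord2 back;

    printf("\"%%0.2f\" needs up to %zu bytes, \"%%g\" up to %zu bytes\n",
           worst_case_fixed2(), worst_case_g());

    if (format_position(small, sizeof small, pos) != 0)
        printf("12-byte buffer: truncated to \"%s\", round trip %s\n", small,
               position_round_trips(small, &back) ? "ok" : "fails");
    if (format_position(big, sizeof big, pos) == 0)
        printf("32-byte buffer: \"%s\", round trip %s\n", big,
               position_round_trips(big, &back) ? "ok" : "fails");
    return 0;
}
```

The 44 reported for `"%0.2f"` matches the derivation above (43 characters plus the terminator), and the 13 for `"%g"` is why a 12-byte buffer is too small for a negative value printed in scientific notation.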


how likely is it that m_angle or m_height has a value this size?

Author


Very unlikely. What size do you want for floats then?


@Skyaero42 Skyaero42 Oct 22, 2025


For height and angle, I think 12 is enough. 16 if you want multiples of 2

Author


How about we do 32 for floats, 12 for 4 byte decimals?

And in another change we change the static char to char. There is no need for these buffers to be in data segment.


Agreed

Author


Float string buffers decreased from 64 to 32.

if (pItem) {
static char buff[12];
sprintf(buff, "%g", stoppingDistance);
static char buff[64];
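Review bot: the size should follow from the format string rather than a round guess; at its default precision of 6, `"%g"` emits at most a sign, six significant digits, a decimal point, `e`, an exponent sign and two exponent digits for a float-range value (12 characters plus the terminator, 13 plus the terminator when a double-range exponent needs three digits), so the old `buff[12]` overflows on any negative value printed in scientific notation, and `buff[16]` is the smallest round size that covers both cases without the data-segment cost of `buff[64]`.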


this one is correct. scientific notation needs at least 14 characters, so 12 is not enough. 64 may be overkill.


16 should be enough

{
char buffer[50];
sprintf(buffer, "%.2f", height);
char buffer[64];


why not 12?

if (m_lightFeedbackMesh[lIndex] == NULL)
{ char nameBuf[64];
sprintf(nameBuf,"WB_LIGHT%d",lIndex+1);
snprintf(nameBuf,ARRAY_SIZE(nameBuf),"WB_LIGHT%d",lIndex+1);
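Review bot: the `snprintf` return value is discarded, so an output longer than `ARRAY_SIZE(nameBuf)` would be used silently as a truncated name. For `"WB_LIGHT%d"` with an `int` the longest possible output is 8 + 11 + 1 = 20 bytes, well within `nameBuf[64]`, so no check is needed here; the same pattern applied to the tightly sized buffers (12 or 16 bytes) elsewhere in this change turns an overflow into a silent truncation, which is safer but still worth checking with `if (n < 0 || n >= ARRAY_SIZE(buf))` where the text is parsed back.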


space after commas

Author


I omitted space because it did not have space originally.


Maybe take this opportunity to adjust it? That's what I did with strlcpy.

Author


Fixed

m_position = *pMapObj->getLocation();
static char buff[12];
sprintf(buff, "%0.2f, %0.2f", m_position.x, m_position.y);
static char buff[128];
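Review bot: for two `"%0.2f"` conversions the true worst case is 43 characters each for a float of magnitude FLT_MAX, plus the `", "` separator and the terminator, 89 bytes in total, so `buff[128]` is safe for any finite input but larger than needed. If the size is later reduced to a practical one, the `snprintf` result should be checked, because the `sscanf(buff, "%f,%f", ...)` that follows in ShowPosition (quoted later in this thread) would read a truncated string back as a partial coordinate instead of reporting an error.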


26 should do it


32 if you want a multiple of 2


CWnd* edit;
static char buff[36];
static char buff[64];


12 should be enough?


@Skyaero42 Skyaero42 left a comment


Looks good

@xezon xezon force-pushed the xezon/fix-worldbuilder-mapobjects-crash branch from 33b600e to 284142e on October 22, 2025 17:44

xezon commented Oct 22, 2025

Replicated in Generals with conflicts

D:\Projects\TheSuperHackers\GeneralsGameCode>FOR /F "delims=" %b IN ('git merge-base --fork-point main') DO git diff %b  1>changes.patch

D:\Projects\TheSuperHackers\GeneralsGameCode>git diff 8db49bf7d436c2c767e7b53cc5b536ad9c3e0154  1>changes.patch

D:\Projects\TheSuperHackers\GeneralsGameCode>git apply -p2 --directory=Generals --reject --whitespace=fix changes.patch
Checking patch Generals/Code/Tools/WorldBuilder/include/StdAfx.h...
Checking patch Generals/Code/Tools/WorldBuilder/src/BaseBuildProps.cpp...
Checking patch Generals/Code/Tools/WorldBuilder/src/BlendMaterial.cpp...
Checking patch Generals/Code/Tools/WorldBuilder/src/BuildList.cpp...
Checking patch Generals/Code/Tools/WorldBuilder/src/EditParameter.cpp...
Hunk #1 succeeded at 1332 (offset -36 lines).
Checking patch Generals/Code/Tools/WorldBuilder/src/FeatherOptions.cpp...
Checking patch Generals/Code/Tools/WorldBuilder/src/GroveOptions.cpp...
Checking patch Generals/Code/Tools/WorldBuilder/src/LayersList.cpp...
Hunk #1 succeeded at 588 (offset -240 lines).
Checking patch Generals/Code/Tools/WorldBuilder/src/MeshMoldOptions.cpp...
Hunk #1 succeeded at 142 (offset -6 lines).
Hunk #2 succeeded at 154 (offset -6 lines).
Hunk #3 succeeded at 166 (offset -6 lines).
Checking patch Generals/Code/Tools/WorldBuilder/src/MoundOptions.cpp...
Checking patch Generals/Code/Tools/WorldBuilder/src/SaveMap.cpp...
Checking patch Generals/Code/Tools/WorldBuilder/src/TeamObjectProperties.cpp...
error: Generals/Code/Tools/WorldBuilder/src/TeamObjectProperties.cpp: No such file or directory
Checking patch Generals/Code/Tools/WorldBuilder/src/TerrainMaterial.cpp...
Checking patch Generals/Code/Tools/WorldBuilder/src/WHeightMapEdit.cpp...
Checking patch Generals/Code/Tools/WorldBuilder/src/WaterOptions.cpp...
Checking patch Generals/Code/Tools/WorldBuilder/src/WorldBuilder.cpp...
Hunk #1 succeeded at 363 (offset -13 lines).
Checking patch Generals/Code/Tools/WorldBuilder/src/brushoptions.cpp...
Checking patch Generals/Code/Tools/WorldBuilder/src/mapobjectprops.cpp...
error: while searching for:
void MapObjectProps::ShowZOffset(MapObject *pMapObj)
{
  const Coord3D *loc = pMapObj->getLocation();
  static char buff[12];
  m_height = loc->z;
  sprintf(buff, "%0.2f", loc->z);
  CWnd* edit = GetDlgItem(IDC_MAPOBJECT_ZOffset);
  edit->SetWindowText(buff);
}

error: patch failed: Generals/Code/Tools/WorldBuilder/src/mapobjectprops.cpp:472
error: while searching for:
void MapObjectProps::ShowAngle(MapObject *pMapObj)
{
  m_angle = pMapObj->getAngle() * 180 / PI;
  static char buff[12];
  sprintf(buff, "%0.2f", m_angle);
  CWnd* edit = GetDlgItem(IDC_MAPOBJECT_Angle);
  edit->SetWindowText(buff);
  m_angle = atof(buff);

error: patch failed: Generals/Code/Tools/WorldBuilder/src/mapobjectprops.cpp:504
error: while searching for:
void MapObjectProps::ShowPosition(MapObject *pMapObj)
{
  m_position = *pMapObj->getLocation();
  static char buff[12];
  sprintf(buff, "%0.2f, %0.2f", m_position.x, m_position.y);
  CWnd* edit = GetDlgItem(IDC_MAPOBJECT_XYPosition);
  edit->SetWindowText(buff);
  sscanf(buff, "%f,%f", &m_position.x, &m_position.y);

error: patch failed: Generals/Code/Tools/WorldBuilder/src/mapobjectprops.cpp:515
error: while searching for:
    return;

        CWnd* edit;
        static char buff[36];
        switch (sliderID) {
                case IDC_HEIGHT_POPUP:
                        if (!m_posUndoable) {

error: patch failed: Generals/Code/Tools/WorldBuilder/src/mapobjectprops.cpp:617
Hunk #5 succeeded at 1389 (offset 763 lines).
error: while searching for:
                        }
                        m_posUndoable->RotateTo(theVal * PI/180);
                        m_angle = theVal;
                        sprintf(buff, "%0.2f", m_angle);
                        edit = GetDlgItem(IDC_MAPOBJECT_Angle);
                        edit->SetWindowText(buff);
                        break;

                case IDC_SCALE_POPUP:
                        m_scale = theVal/100.0f;
                        sprintf(buff, "%0.2f", m_scale);
                        edit = GetDlgItem(IDC_MAPOBJECT_Scale);
                        edit->SetWindowText(buff);
                        break;

error: patch failed: Generals/Code/Tools/WorldBuilder/src/mapobjectprops.cpp:638
Hunk #7 succeeded at 422 (offset -463 lines).
Hunk #8 succeeded at 582 (offset -453 lines).
Hunk #9 succeeded at 644 (offset -427 lines).
Hunk #10 succeeded at 691 (offset -433 lines).
Checking patch Generals/Code/Tools/WorldBuilder/src/playerlistdlg.cpp...
Hunk #1 succeeded at 567 (offset -1 lines).
Checking patch Generals/Code/Tools/WorldBuilder/src/wbview3d.cpp...
Hunk #1 succeeded at 2433 (offset -146 lines).
Applied patch Generals/Code/Tools/WorldBuilder/include/StdAfx.h cleanly.
Applied patch Generals/Code/Tools/WorldBuilder/src/BaseBuildProps.cpp cleanly.
Applied patch Generals/Code/Tools/WorldBuilder/src/BlendMaterial.cpp cleanly.
Applied patch Generals/Code/Tools/WorldBuilder/src/BuildList.cpp cleanly.
Applied patch Generals/Code/Tools/WorldBuilder/src/EditParameter.cpp cleanly.
Applied patch Generals/Code/Tools/WorldBuilder/src/FeatherOptions.cpp cleanly.
Applied patch Generals/Code/Tools/WorldBuilder/src/GroveOptions.cpp cleanly.
Applied patch Generals/Code/Tools/WorldBuilder/src/LayersList.cpp cleanly.
Applied patch Generals/Code/Tools/WorldBuilder/src/MeshMoldOptions.cpp cleanly.
Applied patch Generals/Code/Tools/WorldBuilder/src/MoundOptions.cpp cleanly.
Applied patch Generals/Code/Tools/WorldBuilder/src/SaveMap.cpp cleanly.
Applied patch Generals/Code/Tools/WorldBuilder/src/TerrainMaterial.cpp cleanly.
Applied patch Generals/Code/Tools/WorldBuilder/src/WHeightMapEdit.cpp cleanly.
Applied patch Generals/Code/Tools/WorldBuilder/src/WaterOptions.cpp cleanly.
Applied patch Generals/Code/Tools/WorldBuilder/src/WorldBuilder.cpp cleanly.
Applied patch Generals/Code/Tools/WorldBuilder/src/brushoptions.cpp cleanly.
Applying patch Generals/Code/Tools/WorldBuilder/src/mapobjectprops.cpp with 5 rejects...
Rejected hunk #1.
Rejected hunk #2.
Rejected hunk #3.
Rejected hunk #4.
Hunk #5 applied cleanly.
Rejected hunk #6.
Hunk #7 applied cleanly.
Hunk #8 applied cleanly.
Hunk #9 applied cleanly.
Hunk #10 applied cleanly.
Applied patch Generals/Code/Tools/WorldBuilder/src/playerlistdlg.cpp cleanly.
Applied patch Generals/Code/Tools/WorldBuilder/src/wbview3d.cpp cleanly.

@xezon xezon added the Approved Pull Request was approved label Oct 22, 2025
@xezon xezon merged commit 228ebdd into TheSuperHackers:main Oct 22, 2025
18 checks passed
@xezon xezon deleted the xezon/fix-worldbuilder-mapobjects-crash branch October 22, 2025 18:38
fbraz3 pushed a commit to fbraz3/GeneralsX that referenced this pull request Nov 10, 2025