-
Notifications
You must be signed in to change notification settings - Fork 0
Memory clobbering (dereferenced pointers) in event.c #2300
Comments
buginator <buginator@...> commented (In Warzone2100/warzone2100@1a6fb8a) Fix another memory clobbering issue. (dereferenced pointer) Patch Author: Safety0ff Original detective work done by Ai_Tak (#1656) Signed-off-by: buginator <buginator@> |
Buginator changed _comment0 which not transferred by tractive |
buginator <buginator@...> changed status from |
buginator <buginator@...> changed resolution from `` to |
Buginator uploaded file |
Buginator uploaded file |
Buginator uploaded file |
Buginator uploaded file |
Buginator uploaded file |
Buginator changed _comment0 which not transferred by tractive |
buginator <buginator@...> commented In Warzone2100/warzone2100@1a6fb8a:
|
Buginator commented The deal is, when you run normal valgrind, then you get val_no_fe.txt. When you set valgrind to fill the free()ed memory with 0xfe, (--fill-free=0xfe then you get val_with_fe.txt, and also the crash dump. The final results are in val_wPatch_sa_fe.txt, and we don't have invalid reads anymore. |
cybersphinx <chr.ohm@...> commented (In Warzone2100/warzone2100@34112c9) Fix another memory clobbering issue. (dereferenced pointer) Patch Author: Safety0ff Original detective work done by Ai_Tak (#1656) Signed-off-by: buginator buginator@gna.org |
cybersphinx <chr.ohm@...> commented In Warzone2100/warzone2100@34112c9:
|
Safety0ff commented I don't really consider this "fixed", I've been looking at that part of the code lately and understanding it more and more. This type of error likely only occurs when a Callback event uses the setTrigger function, but there could potentialy be other ways for setTrigger calls to mess things up. Anyways, I'm sure that deferred deletion would solve this and it will also handle the case where multiple events are triggered and one calls setTrigger for one of those other events. I'd rather this not be "swept under the rug". |
buginator <buginator@...> commented (In Warzone2100/warzone2100@f8517a7) Fix another memory clobbering issue. (dereferenced pointer) Patch Author: Safety0ff Original detective work done by Ai_Tak (#1656) Signed-off-by: buginator buginator@gna.org |
buginator <buginator@...> commented In Warzone2100/warzone2100@f8517a7:
|
Safety0ff uploaded file |
Safety0ff changed status from |
Safety0ff changed _comment0 which not transferred by tractive |
Safety0ff changed _comment1 which not transferred by tractive |
Safety0ff commented In the new patch, I have reverted 1a6fb8a7547f23ce2bd7af153ac839cba999e2b0 by hand and added a field to mark trigger deletion, this is a much more robust solution imho. I also changed a function to use pointers to pointers to remove code duplication. This patch will likely apply to the other branches as well. I ran it with valgrind and there were no warnings. I believe it should be possible to construct a script that causes invalid pointer dereferences under the old patch (hence the re-open). |
Safety0ff changed resolution from |
cybersphinx uploaded file Rebased on a tree with 1a6fb8a7547f23ce2bd7af153ac839cba999e2b0 already reverted. |
Safety0ff uploaded file |
cybersphinx uploaded file Patch without the revert. |
Safety0ff uploaded file Fixed a bug (notice the lack of fixme) |
Safety0ff uploaded file Same as above without revert |
safety0ff changed status from |
safety0ff changed resolution from `` to |
safety0ff commented Fix an invalid pointer dereferencing issue in the script events system. Closes #2300. |
safety0ff commented 2.3: Fix an invalid pointer dereferencing issue in the script events system. Closes #2300. |
safety0ff commented 3.0: Fix an invalid pointer dereferencing issue in the script events system. Closes #2300. |
buginator commented Fix another memory clobbering issue. (dereferenced pointer) Patch Author: Safety0ff Original detective work done by Ai_Tak (#1656) Signed-off-by: buginator buginator@gna.org |
safety0ff commented Fix an invalid pointer dereferencing issue in the script events system. Closes #2300. |
cybersphinx changed milestone from |
cybersphinx commented Milestone 3.0 deleted |
resolution_fixed
type_bug
| by Buginatordereferenced pointers in event.c.
More to follow in a bit.
Issue migrated from trac:2300 at 2022-04-16 06:45:49 -0700
The text was updated successfully, but these errors were encountered: