Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Heap buffer overflow (read) while loading map in CMapImages::LoadMapImages, mapimages.cpp:51 #2976

Open
mmmds opened this issue Oct 23, 2021 · 0 comments · May be fixed by #2931
Open

Heap buffer overflow (read) while loading map in CMapImages::LoadMapImages, mapimages.cpp:51 #2976

mmmds opened this issue Oct 23, 2021 · 0 comments · May be fixed by #2931

Comments

@mmmds
Copy link

mmmds commented Oct 23, 2021

The client crashes (only with ASAN) when an invalid map (9.map.zip) is loaded. Such a map can be delivered to the client by a malicious server.

Tested on Ubuntu 20.04 x86_64, Teeworlds version: f35da54b6f2c5f9fd4bbd4559f887ccf8f8cc526

Compilation with ASAN:

export CXXFLAGS="-ggdb -O0 -fsanitize=address -fno-omit-frame-pointer"
export CFLAGS="-ggdb -O0 -fsanitize=address -fno-omit-frame-pointer"
cmake ..
make

Run and connect to a server that delivers an invalid map:

./teeworlds "connect 127.0.0.1" "gfx_fullscreen 0" "gfx_screen_height 240" "gfx_screen_width 360"
[...]
=================================================================
==33582==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61f0000dc28c at pc 0x5555556f4f08 bp 0x7ffffffd8cc0 sp 0x7ffffffd8cb0
READ of size 4 at 0x61f0000dc28c thread T0
    #0 0x5555556f4f07 in CMapImages::LoadMapImages(IMap*, CLayers*, int) /home/osboxes/teeworlds/teeworlds-asan/src/game/client/components/mapimages.cpp:51
    #1 0x555555839981 in CGameClient::OnConnected() /home/osboxes/teeworlds/teeworlds-asan/src/game/client/gameclient.cpp:459
    #2 0x5555555f6755 in CClient::ProcessServerPacket(CNetChunk*) /home/osboxes/teeworlds/teeworlds-asan/src/engine/client/client.cpp:1283
    #3 0x5555555f91ce in CClient::PumpNetwork() /home/osboxes/teeworlds/teeworlds-asan/src/engine/client/client.cpp:1596
    #4 0x5555555f9596 in CClient::Update() /home/osboxes/teeworlds/teeworlds-asan/src/engine/client/client.cpp:1766
    #5 0x5555555fc1f0 in CClient::Run() /home/osboxes/teeworlds/teeworlds-asan/src/engine/client/client.cpp:2108
    #6 0x5555555d24e5 in main /home/osboxes/teeworlds/teeworlds-asan/src/engine/client/client.cpp:2704
    #7 0x7ffff68e10b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
    #8 0x5555555dc48d in _start (/home/osboxes/teeworlds/teeworlds-asan/build/teeworlds+0x8848d)

Address 0x61f0000dc28c is a wild pointer.
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/osboxes/teeworlds/teeworlds-asan/src/game/client/components/mapimages.cpp:51 in CMapImages::LoadMapImages(IMap*, CLayers*, int)
Shadow bytes around the buggy address:
  0x0c3e80013800: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3e80013810: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3e80013820: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3e80013830: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3e80013840: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c3e80013850: fa[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3e80013860: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3e80013870: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3e80013880: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3e80013890: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3e800138a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==33582==ABORTING

Doesn't crash without ASAN.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
2 participants