For lightning effect we using ps_rand() function which expects number in range [0, 0x7fff], but RAND_MAX is 0x7fffffff (INT_MAX, for 64-bit systems). In result lightnings strikes on every allowed frame and leads to epilepsy.
Possibly fixes#530.
physics/findintersection.cpp:4711:64: runtime error: index -1 out of bounds for type 'fvi_face_room_list [200]'
=================================================================
SIGNAL 11 caught, aborting
$GIT/Descent3/multi_external.h:286:31: runtime error: store to misaligned address 0x7f3f760a3041 for type 'int16_t', which requires 2 byte alignment
$GIT/Descent3/multi_external.h:291:32: runtime error: store to misaligned address 0x7f3f760a3043 for type 'uint16_t', which requires 2 byte alignment
$GIT/Descent3/room.cpp:629:28: runtime error: member access within misaligned address 0x7fde8b011d6e for type 'struct roomUVL', which requires 4 byte alignment
$GIT/Descent3/LoadLevel.cpp:1978:24: runtime error: member access within misaligned address 0x7fde8b011d6e for type 'struct roomUVL', which requires 4 byte alignment
$GIT/Descent3/room.cpp:608:13: runtime error: member access within misaligned address 0x7fde8b0243d4 for type 'struct face', which requires 8 byte alignment
$GIT/vecmat/vector.cpp:180:18: runtime error: member access within misaligned address 0x7fde8b03dfda for type 'const struct vector', which requires 4 byte alignment
$GIT/Descent3/BOA.cpp:1213:27: runtime error: member access within misaligned address 0x7fde8b0243d4 for type 'struct face', which requires 8 byte alignment
RoomMemAlloc failed to aligned returned pointers to the type they are
being used for.
Things seem fine on level 1 and 2, but saving on level 4:
$GIT/Descent3/matcen.cpp:813:36: runtime error: index -1 out of bounds for type 'sound_info [1000]'
=================================================================
==38205==ERROR: AddressSanitizer: global-buffer-overflow on address 0x00000480e974 at pc 0x7f396b280c66 bp 0x7ffc328e1f90 sp 0x7ffc328e1750
READ of size 1 at 0x00000480e974 thread T0
f1 matcen::SaveData(CFILE*) $GIT/Descent3/matcen.cpp:813
f2 SGSMatcens(CFILE*) $GIT/Descent3/gamesave.cpp:1320
f3 SaveGameState(char const*, char const*) $GIT/Descent3/gamesave.cpp:803
f4 SaveGameDialog() $GIT/Descent3/gamesave.cpp:494
f5 RunGameMenu() $GIT/Descent3/gamesequence.cpp:2161
f6 GameSequencer() $GIT/Descent3/gamesequence.cpp:1218
f7 PlayGame() $GIT/Descent3/game.cpp:834
f8 MainLoop() $GIT/Descent3/descent.cpp:555
f9 Descent3() $GIT/Descent3/descent.cpp:508
f10 oeD3LnxApp::run() $GIT/Descent3/sdlmain.cpp:151
Giving off a shot in level 1 triggers an ASAN OOB notice without stacktrace/abort.
Descent3/scorch.cpp:200:53: runtime error: index -1 out of bounds for type 'scorch [500]'
for (i = Scorch_start, sp = &Scorches[Scorch_start];;) {
^
At the beginning of a level, Scorch_start is still -1. Computing
``&Scorches[Scorch_start]``, i.e. ``&Scorches[-1]``, is legal but
conceptually wrong. ``sp`` is then dereferenced inside the loop body
ahead of checking for the terminating condition.
Add a guarding termination condition in the loop head so that we
never even start the loop if Scorch_start<0. Never compute ``sp`` if
the loop is not entered.
Starting level 4 triggers an OOB access.
$GIT/Descent3/AIGoal.cpp:793:55: runtime error: index -1 out of bounds for type 'ai_dynamic_path [50]'
$GIT/Descent3/AIGoal.cpp:793:116: runtime error: index -1 out of bounds for type 'short unsigned int [5]'
=================================================================
==29374==ERROR: AddressSanitizer: global-buffer-overflow on address 0x000003b1f8f8 at pc 0x00000147b488 bp 0x7fff6cf12a60 sp 0x7fff6cf12a58
READ of size 4 at 0x000003b1f8f8 thread T0
f0 vm_SubVectors(vector*, vector const*, vector const*) $GIT/vecmat/vector.cpp:180
f1 vm_VectorDistance(vector const*, vector const*) $GIT/vecmat/vector.cpp:191
f2 GoalDoFrame(object*) $GIT/Descent3/AIGoal.cpp:792
f3 AIDoFrame(object*) $GIT/Descent3/AImain.cpp:6212
f4 ObjDoFrame(object*) $GIT/Descent3/object.cpp:2674
f5 ObjDoFrameAll() $GIT/Descent3/object.cpp:2988
f6 GameFrame() $GIT/Descent3/GameLoop.cpp:2980
f7 GameSequencer() $GIT/Descent3/gamesequence.cpp:1221
f8 PlayGame() $GIT/Descent3/game.cpp:834
f9 MainLoop() $GIT/Descent3/descent.cpp:555
f10 Descent3() $GIT/Descent3/descent.cpp:508
f11 oeD3LnxApp::run() $GIT/Descent3/sdlmain.cpp:151
0x000003b1f8f8 is located 8 bytes after global variable 'AI_RenderedList' defined in '$GIT/Descent3/AImain.cpp:1628:5' (0x3b1e180) of size 6000
0x000003b1f8f8 is located 40 bytes before global variable 'AI_NumHostileAlert' defined in '$GIT/Descent3/AImain.cpp:1630:5' (0x3b1f920) of size 4
Giving off a laser shot in level 1 causes a double OOB.
$GIT/Descent3/AIGoal.cpp:756:57: runtime error: index -1 out of bounds for type 'ai_dynamic_path [50]'
$GIT/Descent3/AIGoal.cpp:756:118: runtime error: index -1 out of bounds for type 'short unsigned int [5]'
=================================================================
==58320==ERROR: AddressSanitizer: global-buffer-overflow on address 0x000003b1f7f8 at pc 0x00000147b414 bp 0x7ffe6fdab4f0 sp 0x7ffe6fdab4e8
READ of size 4 at 0x000003b1f7f8 thread T0
f0 vm_SubVectors(vector*, vector const*, vector const*) $GIT/vecmat/vector.cpp:180
f1 vm_VectorDistance(vector const*, vector const*) $GIT/vecmat/vector.cpp:191
f2 GoalDoFrame(object*) $GIT/Descent3/AIGoal.cpp:755
float dist = vm_VectorDistance(
&AIDynamicPath[ai_info->path.num_paths - 1].pos[ai_info->path.path_end_node[ai_info->path.num_paths - 1]],
^ ^
posp);
f3 AIDoFrame(object*) $GIT/Descent3/AImain.cpp:6212
f4 ObjDoFrame(object*) $GIT/Descent3/object.cpp:2674
f5 ObjDoFrameAll() $GIT/Descent3/object.cpp:2988
f6 GameFrame() $GIT/Descent3/GameLoop.cpp:2980
f7 GameSequencer() $GIT/Descent3/gamesequence.cpp:1221
f8 PlayGame() $GIT/Descent3/game.cpp:834
f9 MainLoop() $GIT/Descent3/descent.cpp:555
f10 Descent3() $GIT/Descent3/descent.cpp:508
f11 oeD3LnxApp::run() $GIT/Descent3/sdlmain.cpp:151
f12 main $GIT/Descent3/sdlmain.cpp:334
0x000003b1f7f8 is located 8 bytes after global variable 'AI_RenderedList' defined in '$GIT/Descent3/AImain.cpp:1628:5' (0x3b1e080) of size 6000
0x000003b1f7f8 is located 40 bytes before global variable 'AI_NumHostileAlert' defined in '$GIT/Descent3/AImain.cpp:1630:5' (0x3b1f820) of size 4
Collecting the mine pickup, or just outright using the inventory
cheat code, triggers OOB:
id=92 Chaff
..icon_handle=493
....bm_handle=513
id=94 betty
..icon_handle=493
....bm_handle=513
id=95 SeekerMine
..icon_handle=-1
$GIT/Descent3/Inventory.cpp:585:17: runtime error: index -1 out of bounds for type 'texture [3100]'
==6498==ERROR: AddressSanitizer: global-buffer-overflow on address 0x000003bcf918 at pc 0x000000844eac bp 0x7ffc0823f310 sp 0x7ffc0823f308
READ of size 4 at 0x000003bcf918 thread T0
f0 Inventory::AddCounterMeasure(int, int, int, int, char const*) $GIT/Descent3/Inventory.cpp:585
(char *)mem_malloc(strlen(GameBitmaps[GameTextures[Weapons[id].icon_handle].bm_handle].name) + 1);
^
f1 Inventory::Add(int, int, object*, int, int, int, char const*) $GIT/Descent3/Inventory.cpp:521
f2 DemoCheats(int) $GIT/Descent3/GameCheat.cpp:608
f3 ProcessKeys() $GIT/Descent3/GameLoop.cpp:2418
f4 GameFrame() $GIT/Descent3/GameLoop.cpp:2963
f5 GameSequencer() $GIT/Descent3/gamesequence.cpp:1221
f6 PlayGame() $GIT/Descent3/game.cpp:834
f7 MainLoop() $GIT/Descent3/descent.cpp:555
f8 Descent3() $GIT/Descent3/descent.cpp:508
f9 oeD3LnxApp::run() $GIT/Descent3/sdlmain.cpp:151
0x000003bcf918 is located 48 bytes after global variable 'm_start_tstamp' defined in '$GIT/ddio/chrono_timer.h:25:59' (0x3bcf8e0) of size 8
0x000003bcf918 is located 8 bytes before global variable 'Num_textures' defined in '$GIT/Descent3/gametexture.cpp:286:5' (0x3bcf920) of size 4
Array index j underflows.
==50803==ERROR: AddressSanitizer: global-buffer-overflow on address 0x000003edbeb8 at pc 0x000000d02e13 bp 0x7ffdda72ec10 sp 0x7ffdda72ec08
READ of size 4 at 0x000003edbeb8 thread T0
f0 SortPostrenders() $GIT/Descent3/postrender.cpp:142
f1 PostRender(int) $GIT/Descent3/postrender.cpp:241
f2 GameRenderWorld(object*, vector*, int, matrix*, float, bool) $GIT/Descent3/GameLoop.cpp:2475
f3 GameDrawMainView() $GIT/Descent3/GameLoop.cpp:2503
f4 GameRenderFrame() $GIT/Descent3/GameLoop.cpp:2600
f5 GameFrame() $GIT/Descent3/GameLoop.cpp:3055
f6 GameSequencer() $GIT/Descent3/gamesequence.cpp:1221
f7 PlayGame() $GIT/Descent3/game.cpp:834
f8 MainLoop() $GIT/Descent3/descent.cpp:555
f9 Descent3() $GIT/Descent3/descent.cpp:508
f10 oeD3LnxApp::run() $GIT/Descent3/sdlmain.cpp:151
0x000003edbeb8 is located 40 bytes before global variable 'Postrender_list' defined in '$GIT/Descent3/postrender.cpp:90:19' (0x3edbee0) of size 36000
0x000003edbeb8 is located 52 bytes after global variable 'Num_waypoints' defined in '$GIT/Descent3/Player.cpp:3787:5' (0x3edbe80) of size 4
When ENTER is pressed too quickly in the menu system, an OOB happens.
(Press ENTER to activate "New Game". It looks like the mission list
is not populated (yet), therefore m_SelectedIndex is -1. If the
keypress event arrives before the list is filled, OOB occurs.)
==67061==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x50700003f40c at pc 0x000000b5a400 bp 0x7ffd2bd478c0 sp 0x7ffd2bd478b8
READ of size 4 at 0x50700003f40c thread T0
f0 newuiListBox::OnKeyDown(int) $GIT/Descent3/newui_core.cpp:3230
f1 UIGadget::Process(bool, bool, bool) $GIT/ui/UIGadget.cpp:236
f2 UIWindow::Process() $GIT/ui/UIWindow.cpp:409
f3 ui_ProcessFocusedWindow() $GIT/ui/UISystem.cpp:439
f4 ui_DoFrame(bool) $GIT/ui/UISystem.cpp:503
f5 DoUIFrame() $GIT/Descent3/newui_core.cpp:633
f6 newuiTiledWindow::DoUI() $GIT/Descent3/newui_core.cpp:4148
f7 MenuNewGame() $GIT/Descent3/menu.cpp:1232
f8 MainMenu() $GIT/Descent3/menu.cpp:830
f9 MainLoop() $GIT/Descent3/descent.cpp:546
f10 Descent3() $GIT/Descent3/descent.cpp:508
f11 oeD3LnxApp::run() $GIT/Descent3/sdlmain.cpp:151
0x50700003f40c is located 4 bytes before 80-byte region [0x50700003f410,0x50700003f460)
allocated by thread T0 here:
f0 malloc (/lib64/libasan.so.8)
f1 newuiListBox::AddItem(char const*) $GIT/Descent3/newui_core.cpp:2726
f2 operator() $GIT/Descent3/menu.cpp:1101
f3 __invoke_impl<void, generate_mission_listbox(newuiListBox*, int, char**, const std::filesystem::__cxx11::path&)::<lambda(const std::filesystem::__cxx11::path&)>&, std::filesystem::__cxx11::path> /usr/include/c++/14/bits/invoke.h:61
f4 __invoke_r<void, generate_mission_listbox(newuiListBox*, int, char**, const std::filesystem::__cxx11::path&)::<lambda(const std::filesystem::__cxx11::path&)>&, std::filesystem::__cxx11::path> /usr/include/c++/14/bits/invoke.h:111
f5 _M_invoke /usr/include/c++/14/bits/std_function.h:290
f6 std::function<void (std::filesystem::__cxx11::path)>::operator()(std::filesystem::__cxx11::path) const /usr/include/c++/14/bits/std_function.h:591
f7 ddio_DoForeachFile(std::filesystem::__cxx11::path const&, std::__cxx11::basic_regex<char, std::__cxx11::regex_traits<char> > const&, std::function<void (std::filesystem::__cxx11::path)> const&) $GIT/ddio/file.cpp:154
f8 generate_mission_listbox $GIT/Descent3/menu.cpp:1093
f9 MenuNewGame() $GIT/Descent3/menu.cpp:1198
f10 MainMenu() $GIT/Descent3/menu.cpp:830
f11 MainLoop() $GIT/Descent3/descent.cpp:546
f12 Descent3() $GIT/Descent3/descent.cpp:508
f13 oeD3LnxApp::run() $GIT/Descent3/sdlmain.cpp:151
As level 1's in-engine cutscene runs, an OOB happens after about 3s.
x=0 object[x].type=4
x=1 object[x].type=18
x=2 object[x].type=255
$GIT/physics/findintersection.cpp:2196:80: runtime error: index 255 out of bounds for type 'unsigned char [26]'
$GIT/physics/findintersection.cpp:2196:80: runtime error: load of address 0x00000475a97f with insufficient space for an object of type 'uint8_t'
==28871==ERROR: AddressSanitizer: global-buffer-overflow on address 0x00000475a97f at pc 0x000001242275 bp 0x7fffc1ced720 sp 0x7fffc1ced718
READ of size 1 at 0x00000475a97f thread T0
f0 fvi_QuickDistObjectList(vector*, int, float, short*, int, bool, bool, bool, bool) $GIT/physics/findintersection.cpp:2196
f1 AIDoMemFrame $GIT/Descent3/AImain.cpp:6066
f2 AIDoFrame(object*) $GIT/Descent3/AImain.cpp:6187
f3 ObjDoFrame(object*) $GIT/Descent3/object.cpp:2674
f4 ObjDoFrameAll() $GIT/Descent3/object.cpp:2988
f5 GameFrame() $GIT/Descent3/GameLoop.cpp:2980
f6 GameSequencer() $GIT/Descent3/gamesequence.cpp:1221
f7 PlayGame() $GIT/Descent3/game.cpp:834
f8 MainLoop() $GIT/Descent3/descent.cpp:555
f9 Descent3() $GIT/Descent3/descent.cpp:508
f10 oeD3LnxApp::run() $GIT/Descent3/sdlmain.cpp:151
0x00000475a97f is located 30 bytes after global variable 'FVI_always_check_ceiling' defined in '$GIT/physics/findintersection.cpp:888:6' (0x475a960) of size 1
'FVI_always_check_ceiling' is ascii string ''
0x00000475a97f is located 33 bytes before global variable 'fvi_visit_list' defined in '$GIT/physics/findintersection.cpp:895:5' (0x475a9a0) of size 51
$GIT/Descent3/render.cpp:249:30: runtime error: index -1 out of bounds for type 'bms_bitmap [5000]'
==1231==ERROR: AddressSanitizer: global-buffer-overflow on address 0x0000043aa93a at pc 0x000000d2b4ec bp 0x7ffd141b7590 sp 0x7ffd141b7588
READ of size 1 at 0x0000043aa93a thread T0
f0 GetFaceAlpha $GIT/Descent3/render.cpp:249
f1 RenderRoomUnsorted(room*) $GIT/Descent3/render.cpp:2311
f2 RenderRoom(room*) $GIT/Descent3/render.cpp:2963
f3 RenderMine(int, int, int) $GIT/Descent3/render.cpp:3472
f4 GameRenderWorld(object*, vector*, int, matrix*, float, bool) $GIT/Descent3/GameLoop.cpp:2465
f5 GameDrawMainView() $GIT/Descent3/GameLoop.cpp:2503
f6 GameRenderFrame() $GIT/Descent3/GameLoop.cpp:2600
f7 GameFrame() $GIT/Descent3/GameLoop.cpp:3055
f8 GameSequencer() $GIT/Descent3/gamesequence.cpp:1221
f9 PlayGame() $GIT/Descent3/game.cpp:834
f10 MainLoop() $GIT/Descent3/descent.cpp:555
f11 Descent3() $GIT/Descent3/descent.cpp:508
f12 oeD3LnxApp::run() $GIT/Descent3/sdlmain.cpp:151
0x0000043aa93a is located 22 bytes after global variable 'Num_of_bitmaps' defined in '$GIT/bitmap/bitmain.cpp:322:5' (0x43aa920) of size 4
0x0000043aa93a is located 38 bytes before global variable 'GameBitmaps' defined in '$GIT/bitmap/bitmain.cpp:323:12' (0x43aa960) of size 280000
GetFaceAlpha intentionally is called with -1.
(gdb) bt
f4 GetFaceAlpha (fp=0x7fffda30c862, bm_handle=-1) at $GIT/Descent3/render.cpp:244
f5 RenderRoomUnsorted (rp=0x4058330 <Rooms+25200>) at $GIT/Descent3/render.cpp:2313
2313 if (Render_mirror_for_room == false && (fogged_portal || (GetFaceAlpha(fp, -1) & (ATF_CONSTANT + ATF_VERTEX)))) {
f6 RenderRoom (rp=0x4058330 <Rooms+25200>) at $GIT/Descent3/render.cpp:2965
f7 RenderMine (viewer_roomnum=33, flag_automap=1, called_from_terrain=0) at $GIT/Descent3/render.cpp:3474
f8 GameRenderWorld (viewer=0x3d23750 <Objects+230000>, viewer_eye=0x3d23770 <Objects+230032>, viewer_roomnum=33, viewer_orient=0x3d2377c <Objects+230044>, zoom=0.726000011, rear_view=false) at $GIT/Descent3/GameLoop.cpp:2465
f9 GameDrawMainView () at $GIT/Descent3/GameLoop.cpp:2503
f10 GameRenderFrame () at $GIT/Descent3/GameLoop.cpp:2600
f11 GameFrame () at $GIT/Descent3/GameLoop.cpp:3055
f12 GameSequencer () at $GIT/Descent3/gamesequence.cpp:1221
f13 PlayGame () at $GIT/Descent3/game.cpp:834
f14 MainLoop () at $GIT/Descent3/descent.cpp:555
f15 Descent3 () at $GIT/Descent3/descent.cpp:508
f16 oeD3LnxApp::run (this=0x7ffff460db50) at $GIT/Descent3/sdlmain.cpp:151
y2=256 is a legitimate argument to the RecurseLODDeltas function, and
the array is too short to accomodate it.
$GIT/Descent3/terrain.cpp:166:57: runtime error: index 65540 out of bounds for type 'terrain_segment [65536]'
$GIT/Descent3/terrain.cpp:166:59: runtime error: load of address 0x00000424b9f0 with insufficient space for an object of type 'float'
y2=256 midx=4
==39949==ERROR: AddressSanitizer: global-buffer-overflow on address 0x00000424b8f4 at pc 0x000000e62047 bp 0x7ffcd5ea2390 sp 0x7ffcd5ea2388
READ of size 4 at 0x00000424b8f4 thread T0
f0 RecurseLODDeltas(int, int, int, int, int) $GIT/Descent3/terrain.cpp:165
f1 RecurseLODDeltas(int, int, int, int, int) $GIT/Descent3/terrain.cpp:176
f2 RecurseLODDeltas(int, int, int, int, int) $GIT/Descent3/terrain.cpp:176
f3 GenerateLODDeltas() $GIT/Descent3/terrain.cpp:288
f4 BuildMinMaxTerrain() $GIT/Descent3/terrain.cpp:336
f5 ReadTerrainChunks(CFILE*, int) $GIT/Descent3/LoadLevel.cpp:3468
f6 LoadLevel(char*, void (*)(char const*, int, int)) $GIT/Descent3/LoadLevel.cpp:3937
f7 LoadMissionLevel(int) $GIT/Descent3/Mission.cpp:1278
f8 LoadAndStartCurrentLevel() $GIT/Descent3/gamesequence.cpp:1669
f9 GameSequencer() $GIT/Descent3/gamesequence.cpp:1197
f10 PlayGame() $GIT/Descent3/game.cpp:834
f11 MainLoop() $GIT/Descent3/descent.cpp:555
f12 Descent3() $GIT/Descent3/descent.cpp:508
f13 oeD3LnxApp::run() $GIT/Descent3/sdlmain.cpp:151
0x00000424b8f4 is located 20 bytes after global variable 'Terrain_seg' defined in '$GIT/Descent3/terrain.cpp:51:17' (0x410b8e0) of size 1310720
0x00000424b8f4 is located 12 bytes before global variable 'Terrain_tex_seg' defined in '$GIT/Descent3/terrain.cpp:52:21' (0x424b900) of size 4096
