(Happened during Retribution level 8 in the ship hangar with the docking clamps.)
Descent3/AIGoal.cpp:938:28: runtime error: index -1 out of bounds for type 'goal [10]'
Occurs in Retribution level 7 whenever an FS440 "Six Gun" robot
is destroyed.
smfaces[facenum=0].texnum=-1
Descent3/splinter.cpp:73:74: runtime error: index -1 out of bounds for type "short int [35]"
Adding to ``total`` can cause signed integer overflow, which is
undefined, and ASAN warns:
Descent3/terrain.cpp:300:11: runtime error: signed integer overflow:
2147421608 + 65586 cannot be represented in type 'int'
Switch the variable to unsigned; the bit patterns in practice will be
the same, but unsigned wraparound is well-defined. Finally, convert
the result back to signed, which should be allowed, cf.
http://eel.is/c++draft/conv.integral#3 .
Descent3/WeaponFire.cpp:2130:7: runtime error: signed integer overflow:
520857 * 5000 cannot be represented in type "int"
This is about how the Omega's gun ray is animated, and given there is
some sine wave stuff going on, it is fair to say that the intent was
for the value to wrap around. However, wraparound in C++ is only
well-defined for unsigned types, so switch it.
ASAN says:
linux/lnxcontroller.cpp:484:12: runtime error: left shift of negative value -1
(in other words, "-1 << x", not "x << (-1)")
Bitwise AND/OR often only make sense for unsigned quantities, so
enforce exactly that kind of treatment.
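The three fixes above (the terrain.cpp total, the Omega phase in WeaponFire.cpp, and the shift in lnxcontroller.cpp) follow one pattern. This added example is not Descent3 code; it shows the pattern with the values from the sanitizer reports, and the helper names are my own:

```cpp
#include <cstdint>
#include <cstdio>

// Wrapping addition/multiplication: do the arithmetic in uint32_t, where
// wraparound is modular by definition, then convert back.  The unsigned->
// signed conversion is modular as of C++20 ([conv.integral]/3 in the draft
// cited above) and was implementation-defined, but modular in practice on
// GCC, Clang and MSVC, before that.
static int32_t add_wrap(int32_t a, int32_t b) {
    return static_cast<int32_t>(static_cast<uint32_t>(a) + static_cast<uint32_t>(b));
}

static int32_t mul_wrap(int32_t a, int32_t b) {
    return static_cast<int32_t>(static_cast<uint32_t>(a) * static_cast<uint32_t>(b));
}

// Left-shifting a negative value is undefined; shifting the unsigned
// representation is an ordinary bit operation.  "-1 << n" therefore becomes
// mask_shl(-1, n), which yields all-ones with the low n bits cleared.
static uint32_t mask_shl(int32_t value, unsigned shift) {
    return static_cast<uint32_t>(value) << shift;
}

int main() {
    // The two overflows from the reports now wrap instead of being undefined.
    std::printf("%d\n", add_wrap(2147421608, 65586));  // terrain.cpp case
    std::printf("%d\n", mul_wrap(520857, 5000));       // WeaponFire.cpp case
    std::printf("%#x\n", mask_shl(-1, 4));             // lnxcontroller.cpp case
    return 0;
}
```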
Gazing at my own code/modification, I find it is embarrassingly wrong.
Since ``sp`` is re-initialized at every loop iteration, setting it to
(the locally-constant) ``Scorch_start`` is incorrect. Make ``sp``
really mirror ``i`` at all times; this way, it also will not be
necessary anymore to update ``sp`` within the loop.
Fixes: 20ed30eef8
It is possible to cause the death of the CollectorNomad2 object (rush
to it before it possibly leaves again into the sidepackets the ship
won't fit through). The transition happens here:
```
f0 KillObject (objp=0x3d4d3e0 <Objects+384000>, killer=0x3cef7e0 <Objects>, damage=3) at /home/jengelh/D3/Descent3/damage.cpp:1036
f1 ApplyDamageToGeneric (hit_obj=0x3d4d3e0 <Objects+384000>, killer=0x3cef7e0 <Objects>, damage_type=6, damage=3, server_says=0, weapon_id=255) at /home/jengelh/D3/Descent3/damage.cpp:1401
f2 collide_generic_and_player (robotobj=0x3d4d3e0 <Objects+384000>, playerobj=0x3cef7e0 <Objects>, collision_point=0x7f877f40a830, collision_normal=0x7f877f40a858, f_reverse_normal=true, hit_info=0x7f877f40a810) at /home/jengelh/D3/physics/collide.cpp:2127
f3 collide_two_objects (A=0x3cef7e0 <Objects>, B=0x3d4d3e0 <Objects+384000>, collision_point=0x7f877f40a830, collision_normal=0x7f877f40a858, hit_info=0x7f877f40a810) at /home/jengelh/D3/physics/collide.cpp:2505
f4 do_physics_sim (obj=0x3cef7e0 <Objects>) at /home/jengelh/D3/physics/physics.cpp:1515
f5 ObjDoFrame (obj=0x3cef7e0 <Objects>) at /home/jengelh/D3/Descent3/object.cpp:2824
f6 ObjDoFrameAll () at /home/jengelh/D3/Descent3/object.cpp:2988
f7 GameFrame () at /home/jengelh/D3/Descent3/GameLoop.cpp:2980
f8 GameSequencer () at /home/jengelh/D3/Descent3/gamesequence.cpp:1221
f9 PlayGame () at /home/jengelh/D3/Descent3/game.cpp:834
f10 MainLoop () at /home/jengelh/D3/Descent3/descent.cpp:550
f11 Descent3 () at /home/jengelh/D3/Descent3/descent.cpp:508
f12 oeD3LnxApp::run (this=0x7f877f00db50) at /home/jengelh/D3/Descent3/sdlmain.cpp:151
<frame 2> (gdb) p robotobj
$1 = {
type = 2 '\002' (OBJ_ROBOT), dummy_type = 255 '\377', id = 276,
flags = 2135072, name = 0x5020000aff30 "CollectorNomad2",
handle = 2432, next = 178, prev = -1,
control_type = 1 '\001' (CT_AI), movement_type = 2 '\002' (MC_ROLLING),
render_type = 1 '\001' (LRT_GOURAUD), lighting_render_type = 1 '\001', roomnum = 58,
pos = {x = 2350.21484, y = -263.523956, z = 1868.59888},
orient = {
rvec = {x = 0.882905424, y = 1.63964216e-14, z = -0.469550878},
uvec = {x = -1.25793295e-14, y = 1, z = 1.12662192e-14},
fvec = {x = 0.469550878, y = -4.04037088e-15, z = 0.882905424}
},...}
```
Thus, KillObject sets obj->control_type=CT_DYING. In the same game
tick, Level6.cpp then calls aAIGoalFollowPathSimple which triggers
the assertion.
```
Int3 in $GIT/Descent3/osiris_predefs.cpp at line 571.(Descent 3 Debug Break)
f0 osipf_AIGoalFollowPathSimple (objhandle=2432, path_id=21, guid=7, flags=1052928, slot=3) at $GIT/Descent3/osiris_predefs.cpp:571
f1 AI_GoalFollowPathSimple (objhandle=2432, path_id=21, guid=7, flags=1052928, slot=3) at $GIT/scripts/osiris_import.h:170
f2 aAIGoalFollowPathSimple (objhandle=2432, pathid=21, flags=1052928, goalid=7, priority=3) at $GIT/scripts/DallasFuncs.cpp:3649
f3 LevelScript_0000::CallEvent (this=0x5020000ba430, event=256, data=0x7f963e71d930) at $GIT/scripts/Level6.cpp:2465
f4 CallInstanceEvent (id=0, ptr=0x5020000ba430, event=256, data=0x7f963e71d930) at $GIT/scripts/Level6.cpp:2209
f5 Osiris_CallLevelEvent (event=256, data=0x7f963e71d930) at $GIT/Descent3/OsirisLoadandBind.cpp:2000
f6 GameFrame () at $GIT/Descent3/GameLoop.cpp:3020
f7 GameSequencer () at $GIT/Descent3/gamesequence.cpp:1221
f8 PlayGame () at $GIT/Descent3/game.cpp:834
f9 MainLoop () at $GIT/Descent3/descent.cpp:550
f10 Descent3 () at $GIT/Descent3/descent.cpp:508
f11 oeD3LnxApp::run (this=0x7f963e80db50) at $GIT/Descent3/sdlmain.cpp:151
```
For the lightning effect we use the ps_rand() function, which expects a number in the range [0, 0x7fff], but RAND_MAX is 0x7fffffff (INT_MAX on 64-bit systems). As a result, lightning strikes on every allowed frame and leads to epilepsy.
$GIT/Descent3/weapon.cpp:1327:47: runtime error: index 32784 out of bounds for type "otype_wb_info [21]"
Do not compute &static_wb[index] before index has been checked for
sentinel values.
When trying to use the Collector's Icon from level 6 anywhere where
it is not usable:
```
$GIT/Descent3/hudmessage.cpp:508:36: runtime error: index 18446744073709551615 out of bounds for type 'char [400]'
=================================================================
==59139==ERROR: AddressSanitizer: global-buffer-overflow on address 0x000003c2b4ff at pc 0x0000007786d6 bp 0x7fffbf4dde00 sp 0x7fffbf4dddf8
READ of size 1 at 0x000003c2b4ff thread T0
f0 in AddMultipleLinesToHUDMessages $GIT/Descent3/hudmessage.cpp:508
f1 in AddColoredHUDMessage(unsigned int, char const*, ...) $GIT/Descent3/hudmessage.cpp:536
f2 in msafe_CallFunction(unsigned char, msafe_struct*) $GIT/Descent3/multisafe.cpp:2034
f3 in aShowHUDMessageObj(char const*, int, ...) $GIT/scripts/DallasFuncs.cpp:1261
f4 in CustomObjectScript_206F::CallEvent(int, tOSIRISEventInfo*) $GIT/scripts/Level6.cpp:3052
f5 in CallInstanceEvent $GIT/scripts/Level6.cpp:2209
f6 in Osiris_CallEvent(object*, int, tOSIRISEventInfo*) $GIT/Descent3/OsirisLoadandBind.cpp:2203
f7 in Inventory::Use(int, int, object*) $GIT/Descent3/Inventory.cpp:822
f8 in Inventory::UsePos(object*) $GIT/Descent3/Inventory.cpp:875
f9 in UseInventoryItem() $GIT/Descent3/Inventory.cpp:1503
f10 DoKeyboardMisc $GIT/Descent3/Controls.cpp:1234
f11 DoMisc $GIT/Descent3/Controls.cpp:1114
f12 ReadPlayerControls(game_controls*) $GIT/Descent3/Controls.cpp:737
f13 DoFlyingControl(object*) $GIT/Descent3/object.cpp:2325
f14 ObjDoFrame(object*) $GIT/Descent3/object.cpp:2668
f15 ObjDoFrameAll() $GIT/Descent3/object.cpp:2988
f16 GameFrame() $GIT/Descent3/GameLoop.cpp:2980
f17 GameSequencer() $GIT/Descent3/gamesequence.cpp:1221
f18 PlayGame() $GIT/Descent3/game.cpp:834
f19 MainLoop() $GIT/Descent3/descent.cpp:550
f20 Descent3() $GIT/Descent3/descent.cpp:508
f21 oeD3LnxApp::run() $GIT/Descent3/sdlmain.cpp:151
0x000003c2b4ff is located 62 bytes after global variable 'Hud_messages_paused' defined in '$GIT/Descent3/hudmessage.cpp:400:13' (0x3c2b4c0) of size 1
'Hud_messages_paused' is ascii string ''
```
When '\n' is placed, the '\0' is overwritten but no new \0 is placed,
causing strlen() in the next loop iteration to go beyond the
boundaries of m_buffer.
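An added example, not the hudmessage.cpp code, of the line-splitting step done so that the buffer stays NUL-terminated and every later strlen() stays inside it. The 400-byte capacity matches the report; the function names and the sample message are my own:

```cpp
#include <cstddef>
#include <cstring>

static const size_t HUD_BUFFER_SIZE = 400;  // size of the char[400] in the report

// Copy `msg` into `buf` (capacity `cap`) and break it into lines of at most
// `max_cols` characters by turning the last space that fits into '\n'.
// Only spaces are overwritten, never the terminator, so the buffer always
// ends in '\0'.  Overwriting the '\0' with '\n' and not writing a new one is
// exactly what let strlen() run off the end in the report above.
// Returns the number of lines produced.
static size_t split_into_lines(char *buf, size_t cap, const char *msg, size_t max_cols) {
    size_t n = std::strlen(msg);
    if (n >= cap) n = cap - 1;          // truncate rather than overflow
    std::memcpy(buf, msg, n);
    buf[n] = '\0';                      // terminator placed once and kept

    size_t lines = 1, line_start = 0, last_space = 0;
    bool have_space = false;
    for (size_t i = 0; i < n; ++i) {
        if (buf[i] == ' ') { last_space = i; have_space = true; }
        if (i - line_start + 1 > max_cols && have_space) {
            buf[last_space] = '\n';     // same length, '\0' untouched
            line_start = last_space + 1;
            have_space = false;         // a word longer than max_cols is left whole
            ++lines;
        }
    }
    return lines;
}

// Consumer loop of the same shape as the report's: walk the buffer line by
// line with strlen()/strchr().  Safe only because the terminator is guaranteed.
static size_t count_lines(const char *buf) {
    size_t lines = 0;
    for (const char *p = buf; *p != '\0';) {
        ++lines;
        const char *nl = std::strchr(p, '\n');
        p = nl ? nl + 1 : p + std::strlen(p);
    }
    return lines;
}
```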
Happens at the start of level 5, or later in level 1, basically
whenever there are at least two lines in m_msg.
```
==74575==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x51d0003e8880 at pc 0x7f6a08c80c66 bp 0x7ffd4edb46e0 sp 0x7ffd4edb3ea0
READ of size 2353 at 0x51d0003e8880 thread T0
f0 __interceptor_strlen (/lib64/libasan.so.8+0x80c65) (BuildId: 5615a04b8d0a5a8eafa661f7235e2d98fa2b9137)
f1 MsgListConsole::Open(char const*, int, int, int, int) $GIT/Descent3/hudmessage.cpp:1644
f2 OpenGameMessageConsole() $GIT/Descent3/hudmessage.cpp:1532
f3 ToggleGameMessageConsole() $GIT/Descent3/hudmessage.cpp:1523
f4 ProcessNormalKey(int) $GIT/Descent3/GameLoop.cpp:1257
f5 ProcessKeys() $GIT/Descent3/GameLoop.cpp:2410
f6 GameFrame() $GIT/Descent3/GameLoop.cpp:2963
f7 GameSequencer() $GIT/Descent3/gamesequence.cpp:1221
f8 PlayGame() $GIT/Descent3/game.cpp:834
f9 MainLoop() $GIT/Descent3/descent.cpp:550
f10 Descent3() $GIT/Descent3/descent.cpp:508
f11 oeD3LnxApp::run() $GIT/Descent3/sdlmain.cpp:151
0x51d0003e8880 is located 0 bytes after 2048-byte region [0x51d0003e8080,0x51d0003e8880)
allocated by thread T0 here:
f0 malloc (/lib64/libasan.so.8+0xfc7d7) (BuildId: 5615a04b8d0a5a8eafa661f7235e2d98fa2b9137)
f1 MsgListConsole::Open(char const*, int, int, int, int) $GIT/Descent3/hudmessage.cpp:1629
```
Possibly fixes #530.
```
physics/findintersection.cpp:4711:64: runtime error: index -1 out of bounds for type 'fvi_face_room_list [200]'
=================================================================
SIGNAL 11 caught, aborting
```
```
$GIT/Descent3/multi_external.h:286:31: runtime error: store to misaligned address 0x7f3f760a3041 for type 'int16_t', which requires 2 byte alignment
$GIT/Descent3/multi_external.h:291:32: runtime error: store to misaligned address 0x7f3f760a3043 for type 'uint16_t', which requires 2 byte alignment
$GIT/Descent3/room.cpp:629:28: runtime error: member access within misaligned address 0x7fde8b011d6e for type 'struct roomUVL', which requires 4 byte alignment
$GIT/Descent3/LoadLevel.cpp:1978:24: runtime error: member access within misaligned address 0x7fde8b011d6e for type 'struct roomUVL', which requires 4 byte alignment
$GIT/Descent3/room.cpp:608:13: runtime error: member access within misaligned address 0x7fde8b0243d4 for type 'struct face', which requires 8 byte alignment
$GIT/vecmat/vector.cpp:180:18: runtime error: member access within misaligned address 0x7fde8b03dfda for type 'const struct vector', which requires 4 byte alignment
$GIT/Descent3/BOA.cpp:1213:27: runtime error: member access within misaligned address 0x7fde8b0243d4 for type 'struct face', which requires 8 byte alignment
```
RoomMemAlloc failed to align returned pointers to the type they are
being used for.
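An added example, my own code rather than the project's RoomMemAlloc, of a bump allocator that rounds every returned slice up to the alignment of the type it will hold. The RoomUVL and Face structs are constructed stand-ins; only their alignment requirements (4 and 8, as in the reports) matter:

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdlib>

// Constructed stand-ins for the level structures named in the reports.
struct RoomUVL { float u, v, l; };               // needs 4-byte alignment
struct Face    { double plane; int32_t nverts; }; // needs 8-byte alignment

static bool is_aligned(const void *p, size_t align) {
    return (reinterpret_cast<uintptr_t>(p) & (align - 1)) == 0;
}

// Bump allocator in the role of RoomMemAlloc: every slice starts at an
// address rounded up to `align`, so a one-byte allocation followed by a Face
// array no longer leaves the Face array on an odd address.
class RoomArena {
public:
    explicit RoomArena(size_t bytes)
        : base_(static_cast<unsigned char *>(std::malloc(bytes))), cap_(bytes), used_(0) {}
    ~RoomArena() { std::free(base_); }
    RoomArena(const RoomArena &) = delete;
    RoomArena &operator=(const RoomArena &) = delete;

    // `align` must be a power of two.  Returns nullptr when the arena is exhausted.
    void *alloc(size_t size, size_t align) {
        uintptr_t next = reinterpret_cast<uintptr_t>(base_ + used_);
        uintptr_t start = (next + align - 1) & ~static_cast<uintptr_t>(align - 1);
        size_t offset = start - reinterpret_cast<uintptr_t>(base_);
        if (offset > cap_ || cap_ - offset < size) return nullptr;
        used_ = offset + size;
        return base_ + offset;
    }
    template <typename T> T *alloc_array(size_t count) {
        return static_cast<T *>(alloc(sizeof(T) * count, alignof(T)));
    }
private:
    unsigned char *base_;
    size_t cap_, used_;
};

// Mirrors the report's mix: odd-sized allocations interleaved with typed ones.
static bool typed_allocations_are_aligned() {
    RoomArena arena(4096);
    arena.alloc(1, 1);                                // e.g. a one-byte string
    RoomUVL *uvl = arena.alloc_array<RoomUVL>(3);
    arena.alloc(3, 1);
    Face *faces = arena.alloc_array<Face>(2);
    int16_t *idx = arena.alloc_array<int16_t>(5);
    return uvl && faces && idx && is_aligned(uvl, alignof(RoomUVL)) &&
           is_aligned(faces, alignof(Face)) && is_aligned(idx, alignof(int16_t));
}
```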