
4° fix compatibility for GCC8+
White Dragon committed Jun 3, 2018
1 parent dd3ee83 commit 47f1e96
Showing 7 changed files with 64 additions and 168 deletions.
62 changes: 31 additions & 31 deletions engine/openbor.c
Expand Up @@ -3250,7 +3250,7 @@ void saveasdefault()
FILE *handle = NULL;
char path[128] = {""};
getBasePath(path, "Saves", 0);
strncat(path, "default.cfg", 128);
strcat(path, "default.cfg");
handle = fopen(path, "wb");
if(handle == NULL)
{
Expand Down Expand Up @@ -3299,7 +3299,7 @@ void loadfromdefault()
FILE *handle = NULL;
char path[128] = {""};
getBasePath(path, "Saves", 0);
strncat(path, "default.cfg", 128);
strcat(path, "default.cfg");
clearsettings();
handle = fopen(path, "rb");
if(handle == NULL)
Expand Down Expand Up @@ -8648,7 +8648,7 @@ size_t lcmScriptAddMain(char **buf)
len2 = strlen(mtxt);
newbuf = malloc(sizeof(**buf)*len + sizeof(mtxt)*len2 + 1 );
strncpy(newbuf, *buf, pos);
strncpy(newbuf+pos, mtxt, len2);
memcpy(newbuf+pos, mtxt, len2);
newbuf[len+len2] = '\0';

free( (*buf) );
Expand All @@ -8666,7 +8666,7 @@ size_t lcmScriptAddMain(char **buf)

newbuf = malloc(sizeof(**buf)*pos + sizeof(mtxt)*len2 + sizeof(**buf)*(len-pos2) + 1 );
strncpy(newbuf, *buf, pos);
strncpy(newbuf+pos, mtxt, len2);
memcpy(newbuf+pos, mtxt, len2);
strncpy(newbuf+pos+len2, *buf+pos2, len-pos2);
newbuf[pos+len2+len-pos2] = '\0';

Expand Down Expand Up @@ -8709,7 +8709,7 @@ size_t lcmScriptJoinMain(char **buf, char *first_buf)

newbuf = malloc(sizeof(**buf)*len + sizeof(*first_buf)*len2 + 1 );
strncpy(newbuf, *buf, pos);
strncpy(newbuf+pos, first_buf, len2);
memcpy(newbuf+pos, first_buf, len2);
strncpy(newbuf+pos+len2, *buf+pos, len-pos);
newbuf[len+len2] = '\0';

Expand Down Expand Up @@ -12591,7 +12591,7 @@ int load_models()
if(custBkgrds != NULL)
{
strcpy(tmpBuff, custBkgrds);
strncat(tmpBuff, "loading", 7);
strcat(tmpBuff, "loading");
load_background(tmpBuff, 0);
}
else
Expand Down Expand Up @@ -13959,7 +13959,7 @@ void load_levelorder()
strncpy(rush_names[0], GET_ARG(3), MAX_NAME_LEN);
rush[2] = GET_INT_ARG(4);
rush[3] = GET_INT_ARG(5);
strncpy(rush_names[1], GET_ARG(6), MAX_NAME_LEN);
memcpy(rush_names[1], GET_ARG(6), MAX_NAME_LEN);
rush[4] = GET_INT_ARG(7);
rush[5] = GET_INT_ARG(8);
break;
Expand Down Expand Up @@ -14753,7 +14753,7 @@ void load_level(char *filename)
break;
case CMD_LEVEL_MUSIC:
value = GET_ARG(1);
strncpy(string, value, 128);
memcpy(string, value, 128);
musicOffset = atol(GET_ARG(2));
if(loadingmusic)
{
Expand Down Expand Up @@ -14812,7 +14812,7 @@ void load_level(char *filename)
}
break;
case CMD_LEVEL_ALPHAMASK:
strncpy(maskPath, GET_ARG(1), 128);
memcpy(maskPath, GET_ARG(1), 128);
break;
case CMD_LEVEL_BACKGROUND:
case CMD_LEVEL_BGLAYER:
Expand Down Expand Up @@ -31794,7 +31794,7 @@ void initialize_item_carry(entity *ent, s_spawn_entry *spawn_entry)

if(spawn_entry->item_properties.alias[0])
{
strncpy(ent->item_properties->alias, spawn_entry->item_properties.alias, MAX_NAME_LEN);
memcpy(ent->item_properties->alias, spawn_entry->item_properties.alias, MAX_NAME_LEN);
}

if(spawn_entry->item_properties.colorset)
Expand Down Expand Up @@ -31855,7 +31855,7 @@ entity *smartspawn(s_spawn_entry *props) // 7-1-2005 Entire section replace
// Alias?
if(props->alias[0])
{
strncpy(e->name, props->alias, MAX_NAME_LEN);
memcpy(e->name, props->alias, MAX_NAME_LEN);
}

// If we have item properties in spawn entry, then prepare a set of
Expand Down Expand Up @@ -34647,7 +34647,7 @@ void gameover()
if(custScenes != NULL)
{
strcpy(tmpBuff, custScenes);
strncat(tmpBuff, "gameover.txt", 12);
strcat(tmpBuff, "gameover.txt");
if(testpackfile(tmpBuff, packfile) >= 0)
{
playscene(tmpBuff);
Expand Down Expand Up @@ -34696,7 +34696,7 @@ void hallfame(int addtoscore)
if(custBkgrds != NULL)
{
strcpy(tmpBuff, custBkgrds);
strncat(tmpBuff, "hiscore", 7);
strcat(tmpBuff, "hiscore");
load_background(tmpBuff, 0);
}
else
Expand Down Expand Up @@ -34780,7 +34780,7 @@ void showcomplete(int num)
if(custBkgrds != NULL)
{
strcpy(tmpBuff, custBkgrds);
strncat(tmpBuff, "complete", 8);
strcat(tmpBuff, "complete");
load_background(tmpBuff, 0);
}
else
Expand Down Expand Up @@ -35321,7 +35321,7 @@ int selectplayer(int *players, char *filename, int useSavedGame)
if(custBkgrds != NULL)
{
strcpy(string, custBkgrds);
strncat(string, "unlockbg", 8);
strcat(string, "unlockbg");
load_background(string, 1);
}
else
Expand All @@ -35334,8 +35334,8 @@ int selectplayer(int *players, char *filename, int useSavedGame)
// New alternative background path for PSP
if(custBkgrds != NULL)
{
strncpy(string, custBkgrds, 128);
strncat(string, "select", 6);
strcpy(string, custBkgrds);
strcat(string, "select");
load_background(string, 1);
}
else
Expand Down Expand Up @@ -35799,7 +35799,7 @@ int menu_difficulty()
else if(bonus >= levelsets[selector].ifcomplete)
{
saveslot = selector;
strncpy(savelevel[saveslot].dName, levelsets[saveslot].name, MAX_NAME_LEN + 1);
memcpy(savelevel[saveslot].dName, levelsets[saveslot].name, MAX_NAME_LEN + 1);
newgameMenu = 0;
return saveslot;
}
Expand Down Expand Up @@ -35850,7 +35850,7 @@ int menu_difficulty()
else if(bonus >= levelsets[selector].ifcomplete)
{
saveslot = selector;
strncpy(savelevel[saveslot].dName, levelsets[saveslot].name, MAX_NAME_LEN + 1);
memcpy(savelevel[saveslot].dName, levelsets[saveslot].name, MAX_NAME_LEN + 1);
newgameMenu = 0;
return saveslot;
}
Expand Down Expand Up @@ -38118,7 +38118,7 @@ void openborMain(int argc, char **argv)
if(custBkgrds != NULL)
{
strcpy(tmpBuff, custBkgrds);
strncat(tmpBuff, "logo", 4);
strcat(tmpBuff, "logo");
load_background(tmpBuff, 0);
}
else
Expand All @@ -38136,8 +38136,8 @@ void openborMain(int argc, char **argv)
// New alternative scene path for PSP
if(custScenes != NULL)
{
strncpy(tmpBuff, custScenes, 128);
strncat(tmpBuff, "logo.txt", 8);
strcpy(tmpBuff, custScenes);
strcat(tmpBuff, "logo.txt");
playscene(tmpBuff);
}
else
Expand All @@ -38156,8 +38156,8 @@ void openborMain(int argc, char **argv)
// New alternative scene path for PSP
if(custScenes != NULL)
{
strncpy(tmpBuff, custScenes, 128);
strncat(tmpBuff, "intro.txt", 9);
strcpy(tmpBuff, custScenes);
strcat(tmpBuff, "intro.txt");
playscene(tmpBuff);
}
else
Expand Down Expand Up @@ -38262,12 +38262,12 @@ void openborMain(int argc, char **argv)
{
int previousLoop = musicloop;
char previousMusic[sizeof(currentmusic)];
strncpy(previousMusic, currentmusic, sizeof(previousMusic) - 1);
memcpy(previousMusic, currentmusic, sizeof(previousMusic) - 1);

if(custScenes != NULL)
{
strncpy(tmpBuff, custScenes, 128);
strncat(tmpBuff, "howto.txt", 9);
strcpy(tmpBuff, custScenes);
strcat(tmpBuff, "howto.txt");
playscene(tmpBuff);
}
else
Expand Down Expand Up @@ -38300,8 +38300,8 @@ void openborMain(int argc, char **argv)
titleScreen = 0;
if(custBkgrds != NULL)
{
strncpy(tmpBuff, custBkgrds, 128);
strncat(tmpBuff, "titleb", 6);
strcpy(tmpBuff, custBkgrds);
strcat(tmpBuff, "titleb");
load_background(tmpBuff, 0);
}
else
Expand All @@ -38315,8 +38315,8 @@ void openborMain(int argc, char **argv)
titleScreen = 1;
if(custBkgrds != NULL)
{
strncpy(tmpBuff, custBkgrds, 128);
strncat(tmpBuff, "title", 5);
strcpy(tmpBuff, custBkgrds);
strcat(tmpBuff, "title");
load_background(tmpBuff, 0);
}
else
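Review bot: `memcpy(rush_names[1], GET_ARG(6), MAX_NAME_LEN)` in load_levelorder reads MAX_NAME_LEN bytes from whatever GET_ARG returns regardless of its length, so an argument shorter than that reads past the end of its buffer and an argument at least that long leaves rush_names[1] without a terminator; the same applies to the memcpy hunks in load_level, initialize_item_carry, smartspawn and menu_difficulty. These sites need a copy that both stops at the source terminator and terminates the destination, e.g. `snprintf(rush_names[1], MAX_NAME_LEN, "%s", GET_ARG(6));` (assuming rush_names[1] holds MAX_NAME_LEN bytes, as the previous strncpy bound implies). Line 71 of the same hunk still copies rush_names[0] with strncpy, so the two adjacent copies now behave differently. The strncat→strcat hunks (saveasdefault, loadfromdefault, load_models, gameover, hallfame, showcomplete, selectplayer, openborMain) trade a wrong bound for no bound at all on 128-byte path buffers; `snprintf(path + strlen(path), sizeof path - strlen(path), "%s", "default.cfg")` or a length check before the append keeps those writes inside the array. All of these functions start and end outside the hunks.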
2 changes: 1 addition & 1 deletion engine/openborscript.c
Expand Up @@ -10126,7 +10126,7 @@ HRESULT openbor_fademusic(ScriptVariant **varlist , ScriptVariant **pretvar, int

if(paramCount == 4)
{
strncpy(musicname, StrCache_Get(varlist[1]->strVal), 128);
memcpy(musicname, StrCache_Get(varlist[1]->strVal), 128);
if(FAILED(ScriptVariant_IntegerValue(varlist[2], &values[0])))
{
goto fademusic_error;
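Review bot: `memcpy(musicname, StrCache_Get(varlist[1]->strVal), 128)` in openbor_fademusic reads 128 bytes from a script-supplied string of arbitrary length, so a shorter name reads past the end of the cached string and a longer one leaves musicname unterminated. Because the value comes from script data rather than an engine constant, the copy should be bounded by the destination and terminated, e.g. `snprintf(musicname, 128, "%s", StrCache_Get(varlist[1]->strVal));` (128 being the bound the previous strncpy used; prefer `sizeof musicname` if it is a local array). openbor_fademusic starts and ends outside the hunk.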
16 changes: 8 additions & 8 deletions engine/sdl/menu.c
Expand Up @@ -193,7 +193,7 @@ static int findPaks(void)
free(copy); copy = NULL;
}
memset(&filelist[i], 0, sizeof(fileliststruct));
strncpy(filelist[i].filename, ds->d_name, strlen(ds->d_name));
memcpy(filelist[i].filename, ds->d_name, strlen(ds->d_name));
i++;
}
}
Expand Down Expand Up @@ -511,7 +511,7 @@ static void drawMenu()
if(len < (isWide ? 44 : 28))
strncpy(listing, filelist[list+dListScrollPosition].filename, len);
else
strncpy(listing, filelist[list+dListScrollPosition].filename, (isWide ? 44 : 28));
memcpy(listing, filelist[list+dListScrollPosition].filename, (isWide ? 44 : 28));
if(list == dListCurrentPosition)
{
shift = 2;
Expand Down Expand Up @@ -577,9 +577,9 @@ static void drawBGMPlayer()
colors = GRAY;
strncpy(listing, "", (isWide ? 44 : 28));
if(len < (isWide ? 44 : 28))
strncpy(listing, filelist[list+dListScrollPosition].filename, len);
memcpy(listing, filelist[list+dListScrollPosition].filename, len);
else
strncpy(listing, filelist[list+dListScrollPosition].filename, (isWide ? 44 : 28));
memcpy(listing, filelist[list+dListScrollPosition].filename, (isWide ? 44 : 28));
if(list==dListCurrentPosition) { shift = 2; colors = RED; }
printText((isWide ? 30 : 7) + shift, (isWide ? 33 : 22)+(11*list) , colors, 0, 0, "%s", listing);
}
Expand Down Expand Up @@ -609,17 +609,17 @@ static void drawBGMPlayer()

if(!bgmPlay) bgmCurrent = dListCurrentPosition+dListScrollPosition;
if(filename_len < 24)
strncpy(bgmListing, filelist[bgmCurrent].filename, strlen(filelist[bgmCurrent].filename)-4);
memcpy(bgmListing, filelist[bgmCurrent].filename, strlen(filelist[bgmCurrent].filename)-4);
else
strncpy(bgmListing, filelist[bgmCurrent].filename, 24);
memcpy(bgmListing, filelist[bgmCurrent].filename, 24);
if(!sound_query_music(a1, t1))
{
PlayBGM();
sound_query_music(a1, t1);
StopBGM();
}
if(t1[0]) strncpy(t2, t1, 25);
if(a1[0]) strncpy(a2, a1, 25);
if(t1[0]) memcpy(t2, t1, 25);
if(a1[0]) memcpy(a2, a1, 25);
printText((isWide ? 288 : 157),(isWide ? 35 : 23) + (11 * 0), DARK_RED, 0, 0, "Game: %s", bgmListing);
printText((isWide ? 288 : 157),(isWide ? 35 : 23) + (11 * 1), bgmPlay ? DARK_GREEN : DARK_BLUE, 0, 0, "Total Tracks: %d", filelist[bgmCurrent].nTracks-1);
printText((isWide ? 288 : 157),(isWide ? 35 : 23) + (11 * 2), bgmPlay ? DARK_GREEN : DARK_BLUE, 0, 0, "Current Track: %d", filelist[bgmCurrent].bgmTrack);
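Review bot: `memcpy(filelist[i].filename, ds->d_name, strlen(ds->d_name))` in findPaks has no bound against the destination: a directory entry name longer than filelist[i].filename overruns the struct, and only the preceding memset supplies the terminator. `snprintf(filelist[i].filename, sizeof filelist[i].filename, "%s", ds->d_name);` bounds the copy and terminates it without relying on the memset. In drawMenu, line 275 keeps strncpy while its else branch on line 278 became memcpy, whereas drawBGMPlayer changed both branches; the two functions should be treated the same way. In drawBGMPlayer, `strlen(filelist[bgmCurrent].filename)-4` as a copy length inherits the pre-existing risk of underflow for a name shorter than four characters, so a `>= 4` check ahead of it is cheap insurance (assuming filename_len is that strlen, which the hunk does not show). findPaks, drawMenu and drawBGMPlayer all start and end outside the hunks.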
2 changes: 1 addition & 1 deletion engine/source/gamelib/models.c
Expand Up @@ -20,7 +20,7 @@ void makelowercp(char *name)
assert(name);
size_t len = strlen(name);
assert(len < 1024);
strncpy(convertbuf, name, 1024);
memcpy(convertbuf, name, 1024);


jbeich Jun 3, 2018

Contributor

Another game launch crash due to length of the target buffer being larger than source buffer.

$ engine/OpenBOR.elf
libpng warning: iCCP: known incorrect sRGB profile
libpng warning: iCCP: known incorrect sRGB profile
=================================================================
==47248==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200008ac97 at pc 0x000000431d59 bp 0x7ffffffed200 sp 0x7ffffffec9b0
READ of size 1024 at 0x60200008ac97 thread T0
    #0 0x431d58 in __asan_memcpy (openbor-46be35bf/engine/OpenBOR.elf+0x431d58)
    #1 0x9e6aa5 in makelowercp openbor-46be35bf/engine/source/gamelib/models.c:23:5
    #2 0x9e6e5f in findmodel openbor-46be35bf/engine/source/gamelib/models.c:70:5
    #3 0x518066 in load_cached_model openbor-46be35bf/engine/openbor.c:9097:21
    #4 0x5a54ee in load_models openbor-46be35bf/engine/openbor.c:12781:13
    #5 0x78766a in startup openbor-46be35bf/engine/openbor.c:34338:5
    #6 0x7bdbfa in openborMain openbor-46be35bf/engine/openbor.c:38112:5
    #7 0x865ac7 in main openbor-46be35bf/engine/sdl/sdlport.c:126:2
    #8 0x42b4f4 in _start /usr/src/lib/csu/amd64/crt1.c:74:7

0x60200008ac97 is located 0 bytes to the right of 7-byte region [0x60200008ac90,0x60200008ac97)
allocated by thread T0 here:
    #0 0x49f6c3 in malloc (openbor-46be35bf/engine/OpenBOR.elf+0x49f6c3)
    #1 0x4b6f8f in safeMalloc openbor-46be35bf/engine/source/safealloc.h:31:23
    #2 0x504053 in _peek_model_name openbor-46be35bf/engine/openbor.c:6612:43
    #3 0x504fc8 in cache_model openbor-46be35bf/engine/openbor.c:6668:5
    #4 0x5a0d6a in load_models openbor-46be35bf/engine/openbor.c:12642:17
    #5 0x78766a in startup openbor-46be35bf/engine/openbor.c:34338:5
    #6 0x7bdbfa in openborMain openbor-46be35bf/engine/openbor.c:38112:5
    #7 0x865ac7 in main openbor-46be35bf/engine/sdl/sdlport.c:126:2
    #8 0x42b4f4 in _start /usr/src/lib/csu/amd64/crt1.c:74:7
    #9 0x800e58fff  (<unknown module>)

SUMMARY: AddressSanitizer: heap-buffer-overflow (openbor-46be35bf/engine/OpenBOR.elf+0x431d58) in __asan_memcpy
Shadow bytes around the buggy address:
  0x4c0400011540: fa fa 00 04 fa fa 00 04 fa fa 00 04 fa fa 00 04
  0x4c0400011550: fa fa 00 04 fa fa 00 fa fa fa 00 04 fa fa 00 04
  0x4c0400011560: fa fa 00 04 fa fa fd fd fa fa fd fd fa fa fd fd
  0x4c0400011570: fa fa fd fa fa fa 00 00 fa fa 00 00 fa fa fd fa
  0x4c0400011580: fa fa 05 fa fa fa fd fa fa fa 00 fa fa fa fd fa
=>0x4c0400011590: fa fa[07]fa fa fa fd fd fa fa 00 01 fa fa fd fd
  0x4c04000115a0: fa fa 00 01 fa fa fd fa fa fa 07 fa fa fa fd fa
  0x4c04000115b0: fa fa 05 fa fa fa fd fa fa fa 06 fa fa fa fd fa
  0x4c04000115c0: fa fa 06 fa fa fa fd fa fa fa 05 fa fa fa fd fa
  0x4c04000115d0: fa fa 04 fa fa fa fd fa fa fa 06 fa fa fa fd fa
  0x4c04000115e0: fa fa 07 fa fa fa fd fa fa fa 06 fa fa fa fd fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==47248==ABORTING


whitedragon0000 Jun 3, 2018

Author Contributor

ok, fixed all overflow issues here:
commit 6197


jbeich Jun 4, 2018

Contributor

Doesn't help.

$ engine/OpenBOR.elf
=================================================================
==43939==ERROR: AddressSanitizer: dynamic-stack-buffer-overflow on address 0x7fffffffdbfd at pc 0x000000492d04 bp 0x7fffffffdbb0 sp 0x7fffffffd350
WRITE of size 44 at 0x7fffffffdbfd thread T0
    #0 0x492d03 in __interceptor_strcpy (openbor-01fdfac8/engine/OpenBOR.elf+0x492d03)
    #1 0xa0f38c in safe_strncpy openbor-01fdfac8/engine/source/utils.c:543:5
    #2 0x86d0bc in drawMenu openbor-01fdfac8/engine/sdl/menu.c:514:5
    #3 0x86a93c in Menu openbor-01fdfac8/engine/sdl/menu.c:708:3
    #4 0x865a04 in main openbor-01fdfac8/engine/sdl/sdlport.c:121:2
    #5 0x42b5f4 in _start /usr/src/lib/csu/amd64/crt1.c:74:7

Address 0x7fffffffdbfd is located in stack of thread T0
SUMMARY: AddressSanitizer: dynamic-stack-buffer-overflow (openbor-01fdfac8/engine/OpenBOR.elf+0x492d03) in __interceptor_strcpy
Shadow bytes around the buggy address:
  0x4ffffffffb20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x4ffffffffb30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x4ffffffffb40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x4ffffffffb50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x4ffffffffb60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x4ffffffffb70: 00 00 00 00 00 00 00 00 ca ca ca ca 00 00 00[05]
  0x4ffffffffb80: cb cb cb cb 00 00 00 00 00 00 00 00 00 00 00 00
  0x4ffffffffb90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x4ffffffffba0: f1 f1 f1 f1 00 00 00 00 00 05 f2 f2 f2 f2 00 f3
  0x4ffffffffbb0: f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
  0x4ffffffffbc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==43939==ABORTING


whitedragon0000 Jun 4, 2018

Author Contributor

Try with new update...
However in this line we truncate filename length.
I can't test on linux and on windows is all ok.
Please, you are a contributor, so help us to fix this line.
Thanks

lc(convertbuf, len);
}

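Review bot: `memcpy(convertbuf, name, 1024)` in makelowercp copies a fixed 1024 bytes although the function has already computed the string length and asserted `len < 1024`; the copy should be sized by that length, `memcpy(convertbuf, name, len + 1);`, which keeps the read inside whatever allocation `name` points to and carries the terminator over. With the size tied to `len`, the assert on the line above is what guarantees the write fits convertbuf (assuming convertbuf is the 1024-byte buffer the assert implies). That assert is compiled out under NDEBUG, so a release build still needs an explicit `if (len >= 1024) return;` or error path ahead of the copy.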
4 changes: 2 additions & 2 deletions engine/source/gamelib/packfile.c
Expand Up @@ -622,7 +622,7 @@ void makefilenamecache(void)
{
return;
}
strncpy(target, (char *)pak_header + hpos + 12, PACKFILE_PATH_MAX);
memcpy(target, (char *)pak_header + hpos + 12, PACKFILE_PATH_MAX);
fnlc(target);
List_InsertAfter(filenamelist, (void *) hpos, target);
hpos += readlsb32(pak_header + hpos);
Expand Down Expand Up @@ -695,7 +695,7 @@ int openreadaheadpackfile(const char *filename, const char *packfilename, int re
makefilenamecache();
}

strncpy(target, filename, PACKFILE_PATH_MAX);
memcpy(target, filename, PACKFILE_PATH_MAX);


jbeich Jun 3, 2018

Contributor

Appears to trigger ASan (from Clang 6.0 on FreeBSD 12) on every game I've tried (Simpsons, Thundercats 1.1, Rocket Viper 2.41, etc).

$ engine/OpenBOR.elf
libpng warning: iCCP: known incorrect sRGB profile
=================================================================
==30639==ERROR: AddressSanitizer: global-buffer-overflow on address 0x000000bd7df5 at pc 0x000000431de9 bp 0x7fffffffd250 sp 0x7fffffffca00
READ of size 512 at 0x000000bd7df5 thread T0
    #0 0x431de8 in __asan_memcpy (openbor-46be35bf/engine/OpenBOR.elf+0x431de8)
    #1 0x9b9547 in openreadaheadpackfile openbor-46be35bf/engine/source/gamelib/packfile.c:698:5
    #2 0x9b7e62 in openPackfileCached openbor-46be35bf/engine/source/gamelib/packfile.c:740:12
    #3 0x9b857c in openpackfile openbor-46be35bf/engine/source/gamelib/packfile.c:413:12
    #4 0x4b6528 in buffer_pakfile openbor-46be35bf/engine/openbor.c:856:18
    #5 0x992d5f in ob_loadtrans openbor-46be35bf/engine/source/gamelib/translation.c:90:8
    #6 0x9928d2 in ob_inittrans openbor-46be35bf/engine/source/gamelib/translation.c:159:9
    #7 0x7870ee in startup openbor-46be35bf/engine/openbor.c:34264:5
    #8 0x7bdc8a in openborMain openbor-46be35bf/engine/openbor.c:38112:5
    #9 0x865c78 in main openbor-46be35bf/engine/sdl/sdlport.c:126:2
    #10 0x42b584 in _start /usr/src/lib/csu/amd64/crt1.c:74:7

0x000000bd7df5 is located 43 bytes to the left of global variable '<string literal>' defined in 'source/gamelib/translation.c:100:31' (0xbd7e20) of size 6
  '<string literal>' is ascii string 'msgid'
0x000000bd7df5 is located 0 bytes to the right of global variable '<string literal>' defined in 'source/gamelib/translation.c:90:23' (0xbd7de0) of size 21
  '<string literal>' is ascii string 'data/translation.txt'
SUMMARY: AddressSanitizer: global-buffer-overflow (openbor-46be35bf/engine/OpenBOR.elf+0x431de8) in __asan_memcpy
Shadow bytes around the buggy address:
  0x40000017af60: f9 f9 f9 f9 00 07 f9 f9 f9 f9 f9 f9 00 02 f9 f9
  0x40000017af70: f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9 00 00 00 00
  0x40000017af80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x40000017af90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x40000017afa0: 00 00 00 00 00 05 f9 f9 f9 f9 f9 f9 00 00 00 05
=>0x40000017afb0: f9 f9 f9 f9 00 04 f9 f9 f9 f9 f9 f9 00 00[05]f9
  0x40000017afc0: f9 f9 f9 f9 06 f9 f9 f9 f9 f9 f9 f9 07 f9 f9 f9
  0x40000017afd0: f9 f9 f9 f9 00 06 f9 f9 f9 f9 f9 f9 00 00 00 00
  0x40000017afe0: 00 f9 f9 f9 f9 f9 f9 f9 00 00 00 00 00 00 00 00
  0x40000017aff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x40000017b000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==30639==ABORTING


whitedragon0000 Jun 3, 2018

Author Contributor

I can't support the Linux ELF build because I don't have Linux.
Please try incrementing the size of the target variable.


whitedragon0000 Jun 3, 2018

Author Contributor

Try to:
memset target var to 0x00 byte
Memcpy with size PACKFILE_PATH_MAX-1
Increment PACKFILE_PATH_MAX


jbeich Jun 3, 2018

Contributor

memcpy() reads out of bounds when iterating over characters in filename. A fix would be to replace PACKFILE_PATH_MAX with strlen(filename) but then why not use strncpy()?


whitedragon0000 Jun 3, 2018

Author Contributor

There is an incorrect use of these strncpy calls that the gcc8 compiler shows with a warning.
Maybe I need to write a wrapper for now..


jbeich Jun 3, 2018

Contributor

Maybe restore strncpy() while incrementing char target[] size by 1. -Wstringop-truncation wants an explicit room for terminating \0.


whitedragon0000 Jun 3, 2018

Author Contributor

I will just write a wrapper for these badly used strncpy() calls; that way, in future we only need to change the wrapper and not all the wrong lines.
Just a wrapper with memcpy and a null at the end of the destination buffer.

fnlc(target);

n = List_GetNodeByName(filenamelist, target);
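Review bot: `memcpy(target, (char *)pak_header + hpos + 12, PACKFILE_PATH_MAX)` in makefilenamecache reads PACKFILE_PATH_MAX bytes from the pak header for every entry regardless of the name's actual length, so for any shorter name the read runs into the following entries or past the end of the header, and for a longer name target is left unterminated; pak contents are external data, so neither the length nor the terminator can be assumed. The copy should stop at the name's terminator and be bounded by the destination, e.g. `strncpy(target, (char *)pak_header + hpos + 12, PACKFILE_PATH_MAX - 1); target[PACKFILE_PATH_MAX - 1] = '\0';` (assuming target is PACKFILE_PATH_MAX bytes, as the previous bound implies), which should also satisfy the explicit-terminator expectation behind the GCC 8 truncation warning. The same shape applies to the openreadaheadpackfile hunk below. Both functions start and end outside the hunks.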
2 changes: 1 addition & 1 deletion engine/source/scriptlib/Lexer.c
Expand Up @@ -25,7 +25,7 @@ HRESULT Token_InitFromPreprocessor(Token *ptoken, pp_token *ppToken)
{
ptoken->theTextPosition = ppToken->theTextPosition;
ptoken->charOffset = ppToken->charOffset;
strncpy(ptoken->theSource, ppToken->theSource, MAX_TOKEN_LENGTH);
memcpy(ptoken->theSource, ppToken->theSource, MAX_TOKEN_LENGTH);

switch (ppToken->theType)
{
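Review bot: `memcpy(ptoken->theSource, ppToken->theSource, MAX_TOKEN_LENGTH)` in Token_InitFromPreprocessor is only safe if both theSource members are arrays of at least MAX_TOKEN_LENGTH bytes and the source one is already terminated within that length; the hunk shows neither declaration. If that holds, the line deserves a comment recording it, e.g. `/* both theSource fields are char[MAX_TOKEN_LENGTH]; a whole-array copy carries the terminator over */`, and `sizeof ptoken->theSource` as the length would tie the copy to the declaration rather than the macro. If ppToken->theSource can instead point to a shorter string, this reads past its end and the previous strncpy form with explicit termination should be restored. Token_InitFromPreprocessor continues outside the hunk.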