Viewing Issue Advanced Details
ID: 05866
Category: Misc.
Severity: Critical (emulator)
Reproducibility: Always
Date Submitted: Mar 5, 2015, 17:45
Last Update: Aug 29, 2016, 22:31
Tester: Firewave
View Status: Public
Platform: MAME (Self-compiled)
Assigned To:
Resolution: Fixed
OS:
Status: Resolved
Driver: taito_f3.cpp
Version: 0.159
Fixed in Version: 0.170
Build: Debug
Summary: 05866: pbobble3, pbobble3j, pbobble3u, pbobble4, pbobble4j, pbobble4u, rayforce, rayforcej: [debug] AddressSanitizer: heap-buffer-overflow
Description
==25732==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7fc576a8f87f at pc 0x00000470bda3 bp 0x7ffffdb78bc0 sp 0x7ffffdb78bb8
READ of size 1 at 0x7fc576a8f87f thread T0
    #0 0x470bda2 in taito_f3_state::draw_scanlines(bitmap_rgb32&, int, short*, f3_playfield_line_inf const**, int const*, unsigned int, int) /home/notroot/trunk/src/mame/video/taito_f3.c:1483:35
    #1 0x4705b62 in taito_f3_state::scanline_draw(bitmap_rgb32&, rectangle const&) /home/notroot/trunk/src/mame/video/taito_f3.c:2521:3
    #2 0x4706ca2 in taito_f3_state::screen_update_f3(screen_device&, bitmap_rgb32&, rectangle const&) /home/notroot/trunk/src/mame/video/taito_f3.c:3188:2
    #3 0x813ffb0 in delegate_base<unsigned int, screen_device&, bitmap_rgb32&, rectangle const&, _noparam, _noparam, _noparam, _noparam, _noparam, _noparam, _noparam, _noparam, _noparam>::operator()(screen_device&, bitmap_rgb32&, rectangle const&) const /home/notroot/trunk/src/lib/util/delegate.h:652:76
    #4 0x813ffb0 in screen_device::update_partial(int) /home/notroot/trunk/src/emu/screen.c:625
    #5 0x81d8f52 in video_manager::finish_screen_updates() /home/notroot/trunk/src/emu/video.c:649:3
    #6 0x81d853f in video_manager::frame_update(bool) /home/notroot/trunk/src/emu/video.c:202:27
    #7 0x813f362 in screen_device::vblank_begin() /home/notroot/trunk/src/emu/screen.c:822:3
    #8 0x813f029 in screen_device::device_timer(emu_timer&, unsigned int, int, void*) /home/notroot/trunk/src/emu/screen.c:404:4
    #9 0x8136b63 in device_t::timer_expired(emu_timer&, unsigned int, int, void*) /home/notroot/trunk/src/emu/device.h:191:83
    #10 0x8136b63 in device_scheduler::execute_timers() /home/notroot/trunk/src/emu/schedule.c:902
    #11 0x813263b in device_scheduler::timeslice() /home/notroot/trunk/src/emu/schedule.c:517:2
    #12 0x804fe48 in running_machine::run(bool) /home/notroot/trunk/src/emu/machine.c:397:5
    #13 0x8047ee6 in machine_manager::execute() /home/notroot/trunk/src/emu/mame.c:222:11
    #14 0x7e79dbc in cli_frontend::execute(int, char**) /home/notroot/trunk/src/emu/clifront.c:220:15
    #15 0x575d9bb in main /home/notroot/trunk/src/osd/sdl/sdlmain.c:322:9
    #16 0x7fc59b076ec4 in __libc_start_main /build/buildd/eglibc-2.19/csu/libc-start.c:287
    #17 0x116cdfc in _start (/home/notroot/trunk/mame64d+0x116cdfc)

0x7fc576a8f87f is located 0 bytes to the right of 262271-byte region [0x7fc576a4f800,0x7fc576a8f87f)
allocated by thread T0 here:
    #0 0x114f78b in __interceptor_malloc /home/ben/development/llvm/3.5/final/llvm.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:40:3
    #1 0x8b42538 in osd_malloc_array(unsigned long) /home/notroot/trunk/src/osd/modules/lib/osdlib_unix.c:89:9
    #2 0x8419fca in malloc_file_line(unsigned long, char const*, int, bool, bool, bool) /home/notroot/trunk/src/lib/util/corealloc.c:112:25
    #3 0x83e3242 in operator new[](unsigned long) /home/notroot/trunk/src/lib/util/corealloc.h:64:97
    #4 0x83e3242 in bitmap_t::allocate(int, int, int, int) /home/notroot/trunk/src/lib/util/bitmap.c:149
    #5 0x81603ae in tilemap_t::init(tilemap_manager&, device_gfx_interface&, device_delegate<void (tilemap_t&, tile_data&, unsigned int)>, device_delegate<unsigned int (unsigned int, unsigned int, unsigned int, unsigned int)>, int, int, int, int) /home/notroot/trunk/src/emu/tilemap.c:392:2
    #6 0x8165e98 in tilemap_manager::create(device_gfx_interface&, device_delegate<void (tilemap_t&, tile_data&, unsigned int)>, tilemap_standard_mapper, int, int, int, int, tilemap_t*) /home/notroot/trunk/src/emu/tilemap.c:1547:31
    #7 0x46f37a2 in taito_f3_state::video_start_f3() /home/notroot/trunk/src/mame/video/taito_f3.c:627:18
    #8 0x7f23cf5 in delegate_base<void, _noparam, _noparam, _noparam, _noparam, _noparam, _noparam, _noparam, _noparam, _noparam, _noparam, _noparam, _noparam>::operator()() const /home/notroot/trunk/src/lib/util/delegate.h:649:42
    #9 0x7f23cf5 in driver_device::device_start() /home/notroot/trunk/src/emu/driver.c:229
    #10 0x7e970fc in device_t::start() /home/notroot/trunk/src/emu/device.c:409:2
    #11 0x804f33a in running_machine::start_all_devices() /home/notroot/trunk/src/emu/machine.c:1105:6
    #12 0x804ca64 in running_machine::start() /home/notroot/trunk/src/emu/machine.c:287:2
    #13 0x804fb73 in running_machine::run(bool) /home/notroot/trunk/src/emu/machine.c:351:3
    #14 0x8047ee6 in machine_manager::execute() /home/notroot/trunk/src/emu/mame.c:222:11
    #15 0x7e79dbc in cli_frontend::execute(int, char**) /home/notroot/trunk/src/emu/clifront.c:220:15
    #16 0x575d9bb in main /home/notroot/trunk/src/osd/sdl/sdlmain.c:322:9
    #17 0x7fc59b076ec4 in __libc_start_main /build/buildd/eglibc-2.19/csu/libc-start.c:287

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/notroot/trunk/src/mame/video/taito_f3.c:1483 taito_f3_state::draw_scanlines(bitmap_rgb32&, int, short*, f3_playfield_line_inf const**, int const*, unsigned int, int)
Shadow bytes around the buggy address:
  0x0ff92ed49eb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff92ed49ec0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff92ed49ed0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff92ed49ee0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff92ed49ef0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0ff92ed49f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00[07]
  0x0ff92ed49f10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0ff92ed49f20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0ff92ed49f30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0ff92ed49f40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0ff92ed49f50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Steps To Reproduce:
Additional Information:
Flags: Debug build specific
Regression Version:
Affected Sets / Systems: pbobble3, pbobble3j, pbobble3u, pbobble4, pbobble4j, pbobble4u, rayforce, rayforcej
Attached Files:
Relationships
There are no relationships linked to this issue.
Notes
Note No.11506 by B2K24 (Moderator), Mar 11, 2015, 17:49
-----------------------------------------------------
Exception at EIP=000000000396F5E2 (taito_f3_state::draw_scanlines(bitmap_rgb32&, int, short*, f3_playfield_line_inf const**, int const*, unsigned int, int)+0x1d72): ACCESS VIOLATION
While attempting to read memory at 0000000057CE2000
-----------------------------------------------------
RAX=0000000057CE2000 RBX=0000000000000000 RCX=000000004495D528 RDX=0000000000000100
RSI=0000000000000001 RDI=0000000000325BF0 RBP=0000000000227D20 RSP=0000000000227C70
 R8=000000000000002E  R9=0000000000227EA0 R10=00000000000000FF R11=00000000000001F8
R12=0000000000000018 R13=0000000000000012 R14=0000000000000000 R15=0000000000000000
-----------------------------------------------------
Stack crawl:
  0000000000227C70: 000000000396F5E2 (taito_f3_state::draw_scanlines(bitmap_rgb32&, int, short*, f3_playfield_line_inf const**, int const*, unsigned int, int)+0x1d72)
  0000000000228200: 0000000001A06E32 (taito_f3_state::scanline_draw(bitmap_rgb32&, rectangle const&)+0x1a20)
  0000000000228290: 0000000001A08100 (taito_f3_state::screen_update_f3(screen_device&, bitmap_rgb32&, rectangle const&)+0x0450)
  00000000002282C0: 0000000003DC6615 (delegate_base<unsigned int, screen_device&, bitmap_rgb32&, rectangle const&, _noparam, _noparam, _noparam, _noparam, _noparam, _noparam, _noparam, _noparam, _noparam>::operator()(screen_device&, bitmap_rgb32&, rectangle const&) const+0x0035)
  0000000000228330: 0000000002D2C7F4 (screen_device::update_partial(int)+0x0206)
  00000000002283A0: 0000000002E5E445 (video_manager::finish_screen_updates()+0x005f)
  0000000000228410: 0000000002E5CFAD (video_manager::frame_update(bool)+0x008d)
  00000000002284A0: 0000000002D2D160 (screen_device::vblank_begin()+0x00fa)
  00000000002284F0: 0000000002D2BB57 (screen_device::device_timer(emu_timer&, unsigned int, int, void*)+0x003d)
  0000000000228530: 0000000003D770E1 (device_t::timer_expired(emu_timer&, unsigned int, int, void*)+0x0041)
  0000000000228580: 0000000003AFA8AC (device_scheduler::execute_timers()+0x00fc)
  0000000000228640: 0000000002D2971E (device_scheduler::timeslice()+0x05ac)
  0000000000228710: 0000000002D9A444 (running_machine::run(bool)+0x02b0)
  000000000022F4F0: 0000000002DA8E5A (machine_manager::execute()+0x01f8)
  000000000022F750: 0000000002E2CD7F (cli_frontend::execute(int, char**)+0x085f)
  000000000022FDF0: 000000000209B0D9 (utf8_main(int, char**)+0x020d)
  000000000022FE50: 0000000003131169 (wmain+0x00b9)
  000000000022FF20: 00000000004013CA (__tmainCRTStartup+0x024a)
  000000000022FF50: 00000000004014F8 (mainCRTStartup+0x0018)
  000000000022FF80: 0000000076A25A4D (BaseThreadInitThunk+0x000d)
  000000000022FFD0: 0000000076EBBA01 (RtlUserThreadStart+0x0021)