05241: All moo.c sets: AddressSanitizer: heap-use-after-free

ID	Category [?]	Severity [?]	Reproducibility	Date Submitted	Last Update
05241	Misc.	Critical (emulator)	Always	Jul 29, 2013, 11:39	Sep 12, 2013, 15:22

Tester	Firewave	View Status	Public	Platform	MAME (Self-compiled)
Assigned To	Firewave	Resolution	Fixed	OS	Linux
Status [?]	Resolved			Driver	konami/moo.cpp
Version	0.149u1	Fixed in Version	0.150	Build	Debug
		Fixed in Git Commit		Github Pull Request #

Summary	05241: All moo.c sets: AddressSanitizer: heap-use-after-free
Description	================================================================= ==52557==ERROR: AddressSanitizer: heap-use-after-free on address 0x62900014f944 at pc 0x17ff88df bp 0x7fffb27da4d0 sp 0x7fffb27da4c8 READ of size 4 at 0x62900014f944 thread T0 #0 0x17ff88de in _ZN9tilemap_t26scanline_draw_masked_rgb32EPjPKtPKhiiiPKjPhj /home/notroot/trunk/src/emu/tilemap.c:283 #1 0x17feb4ac in _ZN9tilemap_t13draw_instanceI12bitmap_rgb32EEvRT_RKNS_15blit_parametersEii /home/notroot/trunk/src/emu/tilemap.c:1251 #2 0x17fdfec4 in _ZN9tilemap_t11draw_commonI12bitmap_rgb32EEvR13screen_deviceRT_RK9rectanglejhh /home/notroot/trunk/src/emu/tilemap.c:978 #3 0x17fc178d in _ZN9tilemap_t4drawER13screen_deviceR12bitmap_rgb32RK9rectanglejhh /home/notroot/trunk/src/emu/tilemap.c:1062 #4 0x7933362 in _ZN14k056832_device19tilemap_draw_commonI12bitmap_rgb32EEvR13screen_deviceRT_RK9rectangleijj /home/notroot/trunk/src/mame/video/k054156_k054157_k056832.c:1671 #5 0x79073c7 in _ZN14k056832_device12tilemap_drawER13screen_deviceR12bitmap_rgb32RK9rectangleijj /home/notroot/trunk/src/mame/video/k054156_k054157_k056832.c:1684 #6 0x70ce2f3 in _ZN9moo_state17screen_update_mooER13screen_deviceR12bitmap_rgb32RK9rectangle /home/notroot/trunk/src/mame/video/moo.c:129 #7 0x17f1c83a in _ZNK13delegate_baseIjR13screen_deviceR12bitmap_rgb32RK9rectangle8_noparamS7_EclES1_S3_S6_ /home/notroot/trunk/src/emu/delegate.h:542 #8 0x17f11525 in _ZN13screen_device14update_partialEi /home/notroot/trunk/src/emu/screen.c:603 #9 0x18173a3e in _ZN13video_manager21finish_screen_updatesEv /home/notroot/trunk/src/emu/video.c:658 #10 0x18172896 in _ZN13video_manager12frame_updateEb /home/notroot/trunk/src/emu/video.c:229 #11 0x17f0fe9a in _ZN13screen_device10vblank_endEv /home/notroot/trunk/src/emu/screen.c:835 #12 0x17f0dfa8 in _ZN13screen_device12device_timerER9emu_timerjiPv /home/notroot/trunk/src/emu/screen.c:403 #13 0x17efd58a in _ZN8device_t13timer_expiredER9emu_timerjiPv /home/notroot/trunk/src/emu/device.h:228 #14 0x17eee17b in _ZN16device_scheduler14execute_timersEv /home/notroot/trunk/src/emu/schedule.c:931 #15 0x17ee1769 in _ZN16device_scheduler9timesliceEv /home/notroot/trunk/src/emu/schedule.c:454 #16 0x17a8888b in _ZN15running_machine3runEb /home/notroot/trunk/src/emu/machine.c:412 #17 0x17a74411 in _Z12mame_executeR11emu_optionsR13osd_interface /home/notroot/trunk/src/emu/mame.c:190 #18 0x173eb8a6 in _ZN12cli_frontend7executeEiPPc /home/notroot/trunk/src/emu/clifront.c:255 #19 0x10708f01 in main /home/notroot/trunk/src/osd/sdl/sdlmain.c:378 #20 0x7ff617396ea4 in __libc_start_main /build/buildd/eglibc-2.17/csu/libc-start.c:260 #21 0x1e7a7bc in _start ??:? 0x62900014f944 is located 1860 bytes inside of 16704-byte region [0x62900014f200,0x629000153340) freed by thread T0 here: #0 0x1e6c644 in free ??:? #1 0x18df803c in _ZL13free__7z_fileP8_7z_file /home/notroot/trunk/src/lib/util/un7z.c:513 #2 0x18df79c6 in _Z13_7z_file_openPKcPP8_7z_file /home/notroot/trunk/src/lib/util/un7z.c:398 #3 0x177660a2 in _ZN8emu_file14attempt__7zpedEv /home/notroot/trunk/src/emu/fileio.c:854 #4 0x1776298b in _ZN8emu_file9open_nextEv /home/notroot/trunk/src/emu/fileio.c:393 #5 0x177624ac in _ZN8emu_file4openEPKc /home/notroot/trunk/src/emu/fileio.c:310 #6 0x17db3b65 in _ZN13render_target16load_layout_fileEPKcS1_ /home/notroot/trunk/src/emu/render.c:1645 #7 0x17d95c4b in _ZN13render_target17load_layout_filesEPKcb /home/notroot/trunk/src/emu/render.c:1564 #8 0x17d94ab0 in render_target /home/notroot/trunk/src/emu/render.c:1023 #9 0x17dc3f30 in _ZN14render_manager12target_allocEPKcj /home/notroot/trunk/src/emu/render.c:2518 #10 0x10907463 in _Z29sdlwindow_video_window_createR15running_machineiP16sdl_monitor_infoPK17sdl_window_config /home/notroot/trunk/src/osd/sdl/window.c:712 #11 0x1073f9b1 in _Z13sdlvideo_initR15running_machine /home/notroot/trunk/src/osd/sdl/video.c:131 #12 0x1070ae2b in _ZN17sdl_osd_interface4initER15running_machine /home/notroot/trunk/src/osd/sdl/sdlmain.c:681 #13 0x17a7eaad in _ZN15running_machine5startEv /home/notroot/trunk/src/emu/machine.c:267 #14 0x17a88439 in _ZN15running_machine3runEb /home/notroot/trunk/src/emu/machine.c:391 #15 0x17a74411 in _Z12mame_executeR11emu_optionsR13osd_interface /home/notroot/trunk/src/emu/mame.c:190 #16 0x173eb8a6 in _ZN12cli_frontend7executeEiPPc /home/notroot/trunk/src/emu/clifront.c:255 #17 0x10708f01 in main /home/notroot/trunk/src/osd/sdl/sdlmain.c:378 #18 0x7ff617396ea4 in __libc_start_main /build/buildd/eglibc-2.17/csu/libc-start.c:260 previously allocated by thread T0 here: #0 0x1e6c724 in __interceptor_malloc ??:? #1 0x18df6c48 in _Z13_7z_file_openPKcPP8_7z_file /home/notroot/trunk/src/lib/util/un7z.c:337 #2 0x177660a2 in _ZN8emu_file14attempt__7zpedEv /home/notroot/trunk/src/emu/fileio.c:854 #3 0x1776298b in _ZN8emu_file9open_nextEv /home/notroot/trunk/src/emu/fileio.c:393 #4 0x177624ac in _ZN8emu_file4openEPKc /home/notroot/trunk/src/emu/fileio.c:310 #5 0x17db3b65 in _ZN13render_target16load_layout_fileEPKcS1_ /home/notroot/trunk/src/emu/render.c:1645 #6 0x17d95c4b in _ZN13render_target17load_layout_filesEPKcb /home/notroot/trunk/src/emu/render.c:1564 #7 0x17d94ab0 in render_target /home/notroot/trunk/src/emu/render.c:1023 #8 0x17dc3f30 in _ZN14render_manager12target_allocEPKcj /home/notroot/trunk/src/emu/render.c:2518 #9 0x10907463 in _Z29sdlwindow_video_window_createR15running_machineiP16sdl_monitor_infoPK17sdl_window_config /home/notroot/trunk/src/osd/sdl/window.c:712 #10 0x1073f9b1 in _Z13sdlvideo_initR15running_machine /home/notroot/trunk/src/osd/sdl/video.c:131 #11 0x1070ae2b in _ZN17sdl_osd_interface4initER15running_machine /home/notroot/trunk/src/osd/sdl/sdlmain.c:681 #12 0x17a7eaad in _ZN15running_machine5startEv /home/notroot/trunk/src/emu/machine.c:267 #13 0x17a88439 in _ZN15running_machine3runEb /home/notroot/trunk/src/emu/machine.c:391 #14 0x17a74411 in _Z12mame_executeR11emu_optionsR13osd_interface /home/notroot/trunk/src/emu/mame.c:190 #15 0x173eb8a6 in _ZN12cli_frontend7executeEiPPc /home/notroot/trunk/src/emu/clifront.c:255 #16 0x10708f01 in main /home/notroot/trunk/src/osd/sdl/sdlmain.c:378 #17 0x7ff617396ea4 in __libc_start_main /build/buildd/eglibc-2.17/csu/libc-start.c:260 Shadow bytes around the buggy address: 0x0c5280021ed0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c5280021ee0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c5280021ef0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c5280021f00: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c5280021f10: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd =>0x0c5280021f20: fd fd fd fd fd fd fd fd[fd]fd fd fd fd fd fd fd 0x0c5280021f30: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c5280021f40: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c5280021f50: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c5280021f60: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c5280021f70: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Heap right redzone: fb Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack partial redzone: f4 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 ASan internal: fe ==52557==ABORTING
Steps To Reproduce
Additional Information
Github Commit

Flags
Regression Version
Affected Sets / Systems	All moo.c sets

Attached Files

No.09792 Firewave Senior Tester Sep 12, 2013, 15:22	Fixed in r25320.