05242: mystwarr, mtlchamp and clones: AddressSanitizer: heap-buffer-overflow

ID	Category [?]	Severity [?]	Reproducibility	Date Submitted	Last Update
05242	Misc.	Critical (emulator)	Always	Jul 29, 2013, 11:42	May 9, 2014, 21:04

Tester	Firewave	View Status	Public	Platform	MAME (Self-compiled)
Assigned To	AWJ	Resolution	Fixed	OS	Linux
Status [?]	Resolved			Driver	konami/mystwarr.cpp
Version	0.149u1	Fixed in Version	0.154	Build	Debug
		Fixed in Git Commit		Github Pull Request #

Summary	05242: mystwarr, mtlchamp and clones: AddressSanitizer: heap-buffer-overflow
Description	================================================================= ==52564==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6250000ca100 at pc 0x17ff5dcb bp 0x7fffba83ba70 sp 0x7fffba83ba68 READ of size 4 at 0x6250000ca100 thread T0 #0 0x17ff5dca in _ZN9tilemap_t26scanline_draw_opaque_rgb32EPjPKtiPKjPhj /home/notroot/trunk/src/emu/tilemap.c:263 #1 0x17fea512 in _ZN9tilemap_t13draw_instanceI12bitmap_rgb32EEvRT_RKNS_15blit_parametersEii /home/notroot/trunk/src/emu/tilemap.c:1230 #2 0x17fdfec4 in _ZN9tilemap_t11draw_commonI12bitmap_rgb32EEvR13screen_deviceRT_RK9rectanglejhh /home/notroot/trunk/src/emu/tilemap.c:978 #3 0x17fc178d in _ZN9tilemap_t4drawER13screen_deviceR12bitmap_rgb32RK9rectanglejhh /home/notroot/trunk/src/emu/tilemap.c:1062 #4 0x791d781 in _ZN14k056832_device14m_tilemap_drawER13screen_deviceR12bitmap_rgb32RK9rectangleijj /home/notroot/trunk/src/mame/video/k054156_k054157_k056832.c:2593 #5 0x6e7cc79 in _ZN14konamigx_state22gx_draw_basic_tilemapsER13screen_deviceR12bitmap_rgb32RK9rectangleii /home/notroot/trunk/src/mame/video/konamigx.c:761 #6 0x6e7b004 in _ZN14konamigx_state19konamigx_mixer_drawER13screen_deviceR12bitmap_rgb32RK9rectangleP9tilemap_tiS8_iiP12bitmap_ind16iP6GX_OBJPii /home/notroot/trunk/src/mame/video/konamigx.c:952 #7 0x6e78028 in _ZN14konamigx_state14konamigx_mixerER13screen_deviceR12bitmap_rgb32RK9rectangleP9tilemap_tiS8_iiP12bitmap_ind16i /home/notroot/trunk/src/mame/video/konamigx.c:719 #8 0x71288e7 in _ZN14mystwarr_state22screen_update_mystwarrER13screen_deviceR12bitmap_rgb32RK9rectangle /home/notroot/trunk/src/mame/video/mystwarr.c:337 #9 0x17f1c83a in _ZNK13delegate_baseIjR13screen_deviceR12bitmap_rgb32RK9rectangle8_noparamS7_EclES1_S3_S6_ /home/notroot/trunk/src/emu/delegate.h:542 #10 0x17f11525 in _ZN13screen_device14update_partialEi /home/notroot/trunk/src/emu/screen.c:603 #11 0x18173a3e in _ZN13video_manager21finish_screen_updatesEv /home/notroot/trunk/src/emu/video.c:658 #12 0x18172896 in _ZN13video_manager12frame_updateEb /home/notroot/trunk/src/emu/video.c:229 #13 0x17f0fe9a in _ZN13screen_device10vblank_endEv /home/notroot/trunk/src/emu/screen.c:835 #14 0x17f0dfa8 in _ZN13screen_device12device_timerER9emu_timerjiPv /home/notroot/trunk/src/emu/screen.c:403 #15 0x17efd58a in _ZN8device_t13timer_expiredER9emu_timerjiPv /home/notroot/trunk/src/emu/device.h:228 #16 0x17eee17b in _ZN16device_scheduler14execute_timersEv /home/notroot/trunk/src/emu/schedule.c:931 #17 0x17ee1769 in _ZN16device_scheduler9timesliceEv /home/notroot/trunk/src/emu/schedule.c:454 #18 0x17a8888b in _ZN15running_machine3runEb /home/notroot/trunk/src/emu/machine.c:412 #19 0x17a74411 in _Z12mame_executeR11emu_optionsR13osd_interface /home/notroot/trunk/src/emu/mame.c:190 #20 0x173eb8a6 in _ZN12cli_frontend7executeEiPPc /home/notroot/trunk/src/emu/clifront.c:255 #21 0x10708f01 in main /home/notroot/trunk/src/osd/sdl/sdlmain.c:378 #22 0x7f69794cbea4 in __libc_start_main /build/buildd/eglibc-2.17/csu/libc-start.c:260 #23 0x1e7a7bc in _start ??:? 0x6250000ca100 is located 0 bytes to the right of 8192-byte region [0x6250000c8100,0x6250000ca100) allocated by thread T0 here: #0 0x1e6c724 in __interceptor_malloc ??:? #1 0x18d943c9 in _Z13palette_allocjj /home/notroot/trunk/src/lib/util/palette.c:151 #2 0x17748d60 in _ZL16allocate_paletteR15running_machineP15palette_private /home/notroot/trunk/src/emu/emupal.c:596 #3 0x17747053 in _Z12palette_initR15running_machine /home/notroot/trunk/src/emu/emupal.c:142 #4 0x17a7e3b6 in _ZN15running_machine5startEv /home/notroot/trunk/src/emu/machine.c:259 #5 0x17a88439 in _ZN15running_machine3runEb /home/notroot/trunk/src/emu/machine.c:391 #6 0x17a74411 in _Z12mame_executeR11emu_optionsR13osd_interface /home/notroot/trunk/src/emu/mame.c:190 #7 0x173eb8a6 in _ZN12cli_frontend7executeEiPPc /home/notroot/trunk/src/emu/clifront.c:255 #8 0x10708f01 in main /home/notroot/trunk/src/osd/sdl/sdlmain.c:378 #9 0x7f69794cbea4 in __libc_start_main /build/buildd/eglibc-2.17/csu/libc-start.c:260 Shadow bytes around the buggy address: 0x0c4a800113d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c4a800113e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c4a800113f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c4a80011400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c4a80011410: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 =>0x0c4a80011420:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c4a80011430: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c4a80011440: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c4a80011450: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c4a80011460: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c4a80011470: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Heap right redzone: fb Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack partial redzone: f4 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 ASan internal: fe ==52564==ABORTING
Steps To Reproduce
Additional Information
Github Commit

Flags
Regression Version
Affected Sets / Systems	mystwarr, mtlchamp and clones

Attached Files

No.09793 Firewave Senior Tester Sep 12, 2013, 15:57	The out-of-bounds access happens in tilemap_t::scanline_draw_opaque_rgb32() as seen above. The line in question is: dest[i] = clut[source[i]]; ASAN bails out when source[i] is 0x800.
No.09794 Firewave Senior Tester Sep 13, 2013, 16:16	It only overflows up to 0x080f, so it seems, that maybe somewhere in the chip implementation it draws too much.
No.09795 Firewave Senior Tester Sep 13, 2013, 16:29	Also happens with mtlchamp with a higher -str value.
No.10355 Firewave Senior Tester Mar 13, 2014, 02:45	Newer backtrace: mystwarr.c: mystwarru, mystwarrj, mystwarr, mystwarra ==2918==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62500006d900 at pc 0x7f6abce bp 0x7fff1e5dfa50 sp 0x7fff1e5dfa48 READ of size 4 at 0x62500006d900 thread T0 #0 0x7f6abcd in rgb_t::operator unsigned int() const /home/notroot/trunk/src/lib/util/palette.h:58 #1 0x7f6abcd in tilemap_t::scanline_draw_opaque_rgb32(unsigned int, unsigned short const, int, rgb_t const, unsigned char, unsigned int) /home/notroot/trunk/src/emu/tilemap.c:234 #2 0x7f6abcd in void tilemap_t::draw_instance<bitmap_rgb32>(screen_device&, bitmap_rgb32&, tilemap_t::blit_parameters const&, int, int) /home/notroot/trunk/src/emu/tilemap.c:1202 #3 0x7f67f7a in void tilemap_t::draw_common<bitmap_rgb32>(screen_device&, bitmap_rgb32&, rectangle const&, unsigned int, unsigned char, unsigned char) /home/notroot/trunk/src/emu/tilemap.c:950 #4 0x2bc8009 in k056832_device::m_tilemap_draw(screen_device&, bitmap_rgb32&, rectangle const&, int, unsigned int, unsigned int) /home/notroot/trunk/src/mame/video/k054156_k054157_k056832.c:2602 #5 0x2876ec8 in konamigx_state::gx_draw_basic_tilemaps(screen_device&, bitmap_rgb32&, rectangle const&, int, int) /home/notroot/trunk/src/mame/video/konamigx.c:761 #6 0x2876c24 in konamigx_state::konamigx_mixer_draw(screen_device&, bitmap_rgb32&, rectangle const&, tilemap_t, int, tilemap_t, int, int, bitmap_ind16, int, GX_OBJ, int, int) /home/notroot/trunk/src/mame/video/konamigx.c:952 #7 0x2875ef3 in konamigx_state::konamigx_mixer(screen_device&, bitmap_rgb32&, rectangle const&, tilemap_t, int, tilemap_t, int, int, bitmap_ind16, int) /home/notroot/trunk/src/mame/video/konamigx.c:719 #8 0x29429df in mystwarr_state::screen_update_mystwarr(screen_device&, bitmap_rgb32&, rectangle const&) /home/notroot/trunk/src/mame/video/mystwarr.c:334 #9 0x7f30c39 in delegate_base<unsigned int, screen_device&, bitmap_rgb32&, rectangle const&, _noparam, _noparam>::operator()(screen_device&, bitmap_rgb32&, rectangle const&) const /home/notroot/trunk/src/emu/delegate.h:513 #10 0x7f30c39 in screen_device::update_partial(int) /home/notroot/trunk/src/emu/screen.c:629 #11 0x7fd47e0 in video_manager::finish_screen_updates() /home/notroot/trunk/src/emu/video.c:627 #12 0x7fd3e84 in video_manager::frame_update(bool) /home/notroot/trunk/src/emu/video.c:201 #13 0x7f305fa in screen_device::vblank_end() /home/notroot/trunk/src/emu/screen.c:862 #14 0x7f25f53 in device_t::timer_expired(emu_timer&, unsigned int, int, void) /home/notroot/trunk/src/emu/device.h:199 #15 0x7f25f53 in device_scheduler::execute_timers() /home/notroot/trunk/src/emu/schedule.c:903 #16 0x7e2c4b0 in running_machine::run(bool) /home/notroot/trunk/src/emu/machine.c:387 #17 0x7e23a27 in mame_execute(emu_options&, osd_interface&) /home/notroot/trunk/src/emu/mame.c:192 #18 0x7bda0e9 in cli_frontend::execute(int, char) /home/notroot/trunk/src/emu/clifront.c:233 #19 0x56dad59 in main /home/notroot/trunk/src/osd/sdl/sdlmain.c:380 #20 0x7f06f09a4de4 in __libc_start_main /build/buildd/eglibc-2.17/csu/libc-start.c:260 #21 0x10b1e5c in _start (/home/notroot/trunk/mame64d+0x10b1e5c) 0x62500006d900 is located 0 bytes to the right of 8192-byte region [0x62500006b900,0x62500006d900) allocated by thread T0 here: #0 0x109c4b9 in operator new[](unsigned long) /home/ben/development/llvm/3.4/final/llvm.src/projects/compiler-rt/lib/asan/asan_new_delete.cc:54 #1 0x82c5af0 in dynamic_array<rgb_t>::expand_internal(int) /home/notroot/trunk/src/lib/util/coretmpl.h:69 #2 0x82c5af0 in dynamic_array /home/notroot/trunk/src/lib/util/coretmpl.h:41 #3 0x82c5af0 in palette_t::palette_t(unsigned int, unsigned int) /home/notroot/trunk/src/lib/util/palette.c:222 #4 0x82c58ea in palette_t::alloc(unsigned int, unsigned int) /home/notroot/trunk/src/lib/util/palette.c:200 #5 0x7ca5f91 in palette_device::allocate_palette() /home/notroot/trunk/src/emu/emupal.c:537 #6 0x7ca524d in palette_device::device_start() /home/notroot/trunk/src/emu/emupal.c:421 #7 0x7c14553 in device_t::start() /home/notroot/trunk/src/emu/device.c:393 #8 0x7e2b98b in running_machine::start_all_devices() /home/notroot/trunk/src/emu/machine.c:1104 #9 0x7e287ef in running_machine::start() /home/notroot/trunk/src/emu/machine.c:290 #10 0x7e2c34e in running_machine::run(bool) /home/notroot/trunk/src/emu/machine.c:358 #11 0x7e23a27 in mame_execute(emu_options&, osd_interface&) /home/notroot/trunk/src/emu/mame.c:192 #12 0x7bda0e9 in cli_frontend::execute(int, char*) /home/notroot/trunk/src/emu/clifront.c:233 #13 0x56dad59 in main /home/notroot/trunk/src/osd/sdl/sdlmain.c:380 #14 0x7f06f09a4de4 in __libc_start_main /build/buildd/eglibc-2.17/csu/libc-start.c:260
No.10357 AWJ Developer Mar 13, 2014, 05:30	It's reading off the end of the palette. Unlike drawgfx, the tilemap system doesn't enforce color wraparound, and making it do so will probably break a ton of drivers that don't set up their gfx elements properly.
No.10684 M.A.S.H. Senior Tester May 9, 2014, 16:30	Fixed by AWJ (r30336)
No.10686 Firewave Senior Tester May 9, 2014, 21:04	Confirmed that the ASAN error is gone.