Viewing Issue Advanced Details
ID: 07539
Category: Misc.
Severity: Critical (emulator)
Reproducibility: Always
Date Submitted: Jan 7, 2020, 17:51
Last Update: Nov 5, 2022, 08:58
Tester: Firewave
View Status: Public
Platform: MAME (Self-compiled)
Assigned To: (not set)
Resolution: Fixed
OS: Windows 10/11 (64-bit)
Status: Resolved
Driver: (not set)
Version: 0.217
Fixed in Version: (not set)
Build: 32-bit
Fixed in Git Commit: (not set)
Github Pull Request #: (not set)
Summary: MESS-specific 07539: ccmk5: AddressSanitizer: heap-buffer-overflow with -aviwrite
Description
=================================================================
==20452==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x24ac3040 at pc 0x0683ceb5 bp 0x16bbb2fc sp 0x16bbb2f0
READ of size 4 at 0x24ac3040 thread T0
    #0 0x683ceb4 in software_renderer<unsigned int,0,0,0,16,8,0,0,0>::get_texel_argb32+0xa4 (s:\dev\mame0217\mame.exe+0x616ceb4)
    #1 0x68360fd in software_renderer<unsigned int,0,0,0,16,8,0,0,0>::draw_quad_rgb32+0x1dd (s:\dev\mame0217\mame.exe+0x61660fd)
    #2 0x6842172 in software_renderer<unsigned int,0,0,0,16,8,0,0,0>::setup_and_draw_textured_quad+0x6b2 (s:\dev\mame0217\mame.exe+0x6172172)
    #3 0x6830956 in software_renderer<unsigned int,0,0,0,16,8,0,0,0>::draw_primitives+0x136 (s:\dev\mame0217\mame.exe+0x6160956)
    #4 0x682f69a in video_manager::create_snapshot_bitmap+0x4ea (s:\dev\mame0217\mame.exe+0x615f69a)
    #5 0x683f7d1 in video_manager::record_frame+0x201 (s:\dev\mame0217\mame.exe+0x616f7d1)
    #6 0x683c754 in video_manager::finish_screen_updates+0x514 (s:\dev\mame0217\mame.exe+0x616c754)
    #7 0x683cb10 in video_manager::frame_update+0x50 (s:\dev\mame0217\mame.exe+0x616cb10)
    #8 0x63a9878 in screen_device::vblank_begin+0x88 (s:\dev\mame0217\mame.exe+0x5cd9878)
    #9 0x63a1ef4 in screen_device::device_timer+0x24 (s:\dev\mame0217\mame.exe+0x5cd1ef4)
    #10 0x669a1aa in emu_timer::device_timer_expired+0x7a (s:\dev\mame0217\mame.exe+0x5fca1aa)
    #11 0x669a894 in device_scheduler::execute_timers+0x1a4 (s:\dev\mame0217\mame.exe+0x5fca894)
    #12 0x669d9d1 in device_scheduler::timeslice+0xb01 (s:\dev\mame0217\mame.exe+0x5fcd9d1)
    #13 0x66abc95 in running_machine::run+0x305 (s:\dev\mame0217\mame.exe+0x5fdbc95)
    #14 0x75392fc in mame_machine_manager::execute+0x52c (s:\dev\mame0217\mame.exe+0x6e692fc)
    #15 0x755b36a in cli_frontend::start_execution+0x56a (s:\dev\mame0217\mame.exe+0x6e8b36a)
    #16 0x7553104 in cli_frontend::execute+0x174 (s:\dev\mame0217\mame.exe+0x6e83104)
    #17 0x753a259 in emulator_info::start_frontend+0x59 (s:\dev\mame0217\mame.exe+0x6e6a259)
    #18 0xa7f25be in main+0x43e (s:\dev\mame0217\mame.exe+0xa1225be)
    #19 0xa598c9a in __scrt_common_main_seh d:\agent\_work\s\src\vctools\crt\vcstartup\src\startup\exe_common.inl:288
    #20 0x75d36358 in BaseThreadInitThunk+0x18 (C:\WINDOWS\System32\KERNEL32.DLL+0x6b816358)
    #21 0x779f7b73 in RtlGetAppContainerNamedObjectPath+0xe3 (C:\WINDOWS\SYSTEM32\ntdll.dll+0x4b2e7b73)
    #22 0x779f7b43 in RtlGetAppContainerNamedObjectPath+0xb3 (C:\WINDOWS\SYSTEM32\ntdll.dll+0x4b2e7b43)

0x24ac3040 is located 0 bytes to the right of 4069440-byte region [0x246e1800,0x24ac3040)
allocated by thread T0 here:
    #0 0x138326d in operator new[] D:\agent\_work\s\src\vctools\crt\asan\llvm\compiler-rt\lib\asan\asan_new_delete.cc:102
    #1 0x2385b7b in bitmap_t::allocate+0x19b (s:\dev\mame0217\mame.exe+0x1cb5b7b)
    #2 0x63a6237 in screen_device::register_screen_bitmap+0x187 (s:\dev\mame0217\mame.exe+0x5cd6237)
    #3 0x63a16e3 in screen_device::device_start+0x173 (s:\dev\mame0217\mame.exe+0x5cd16e3)
    #4 0x62ff127 in device_t::start+0x97 (s:\dev\mame0217\mame.exe+0x5c2f127)
    #5 0x66ad879 in running_machine::start_all_devices+0x489 (s:\dev\mame0217\mame.exe+0x5fdd879)
    #6 0x66ad287 in running_machine::start+0x807 (s:\dev\mame0217\mame.exe+0x5fdd287)
    #7 0x66abb05 in running_machine::run+0x175 (s:\dev\mame0217\mame.exe+0x5fdbb05)
    #8 0x75392fc in mame_machine_manager::execute+0x52c (s:\dev\mame0217\mame.exe+0x6e692fc)
    #9 0x755b36a in cli_frontend::start_execution+0x56a (s:\dev\mame0217\mame.exe+0x6e8b36a)
    #10 0x7553104 in cli_frontend::execute+0x174 (s:\dev\mame0217\mame.exe+0x6e83104)
    #11 0x753a259 in emulator_info::start_frontend+0x59 (s:\dev\mame0217\mame.exe+0x6e6a259)
    #12 0xa7f25be in main+0x43e (s:\dev\mame0217\mame.exe+0xa1225be)
    #13 0xa598c9a in __scrt_common_main_seh d:\agent\_work\s\src\vctools\crt\vcstartup\src\startup\exe_common.inl:288
    #14 0x75d36358 in BaseThreadInitThunk+0x18 (C:\WINDOWS\System32\KERNEL32.DLL+0x6b816358)
    #15 0x779f7b73 in RtlGetAppContainerNamedObjectPath+0xe3 (C:\WINDOWS\SYSTEM32\ntdll.dll+0x4b2e7b73)
    #16 0x779f7b43 in RtlGetAppContainerNamedObjectPath+0xb3 (C:\WINDOWS\SYSTEM32\ntdll.dll+0x4b2e7b43)

SUMMARY: AddressSanitizer: heap-buffer-overflow (s:\dev\mame0217\mame.exe+0x616ceb4) in software_renderer<unsigned int,0,0,0,16,8,0,0,0>::get_texel_argb32+0xa4
Shadow bytes around the buggy address:
  0x349585b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x349585c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x349585d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x349585e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x349585f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x34958600: 00 00 00 00 00 00 00 00[fa]fa fa fa fa fa fa fa
  0x34958610: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x34958620: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x34958630: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x34958640: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x34958650: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==20452==ABORTING
Steps To Reproduce: (not given)
Additional Information: (none)
Github Commit: (not set)
Flags: (none)
Regression Version: (not set)
Affected Sets / Systems: ccmk5
Attached Files: (none)
Relationships: There are no relationships linked to this issue.
Notes (4)

No.17343 | hap (Developer) | Jan 9, 2020, 15:38
Do you get the same thing with this?
mame pacman -snapsize 2178x2118 -aviwrite a.avi

No.17345 | Firewave (Senior Tester) | Jan 9, 2020, 21:35
No. That gives no errors but produces a massive AVI :D

No.17357 | Firewave (Senior Tester) | Jan 12, 2020, 00:51
In draw_quad_rgb32() the prim.texture it reads from is 942x1080, but it wants to read x from 1127 to 2070, which is 943, which is obviously too much. When the error occurs it is x = 2069. The bounds of the primitive are actually:
    x0 = 1127.49377 (float)
    y0 = 116.057442 (float)
    x1 = 2069.65186 (float)
    y1 = 1196.00000 (float)
so startx is rounded down and endx is rounded up.
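The arithmetic in note No.17357, modelled as an added example in C. This is not MAME's renderer and not code from the report; it only reproduces the numbers quoted there. A 942-wide texture is rasterised over a primitive whose x bounds (1127.49377 and 2069.65186) are rounded outward, which yields 943 columns. Under the assumption (not stated on the page) that the quad is sampled 1:1, screen column x maps to texel u = x - startx, so the note's failing x = 2069 asks for texel 942, one past the last valid index 941. Two things worth checking against the ASan output above: the region size it prints, 4069440 bytes, is exactly 942 * 1080 * 4, so the bitmap has no row padding; and a READ of size 4 located 0 bytes to the right of that region is precisely the u = 942 lookup on the final row. The clamped lookup below is an illustrative guard, not the fix MAME shipped (the page does not show it); the names texture_t, column_count, texel_u_for_column and probe_row_clamped are this example's own.

```c
/* Added example, not MAME code: models the arithmetic from note No.17357. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define TEX_W 942            /* prim.texture is 942x1080 in the note */
#define TEX_H 1080
#define PRIM_X0 1127.49377f  /* primitive x bounds quoted in the note */
#define PRIM_X1 2069.65186f

typedef struct {
    uint32_t *pixels;        /* TEX_W * TEX_H ARGB32 texels on the heap */
    int width, height;
} texture_t;

/* Integer floor/ceil for the positive coordinates used here; avoids libm. */
static int floor_int(float f) { int i = (int)f; return ((float)i > f) ? i - 1 : i; }
static int ceil_int(float f)  { int i = (int)f; return ((float)i < f) ? i + 1 : i; }

/* Size of the bitmap region: 942 * 1080 * 4 = 4069440, the byte count
 * ASan prints for the allocation the bad read lands just past. */
size_t texture_bytes(int w, int h) {
    return (size_t)w * (size_t)h * sizeof(uint32_t);
}

/* Columns covered when startx is rounded down and endx rounded up:
 * ceil(2069.65) - floor(1127.49) = 2070 - 1127 = 943, one more than TEX_W. */
int column_count(float x0, float x1) {
    return ceil_int(x1) - floor_int(x0);
}

/* Assumption (not on the page): the quad is sampled 1:1, so screen column
 * x maps to texel u = x - startx. The note's failing x = 2069 gives u = 942. */
int texel_u_for_column(int x, float x0) {
    return x - floor_int(x0);
}

/* Last texel the quad asks for, and whether it lies outside [0, width). */
int last_texel_u(float x0, float x1) { return column_count(x0, x1) - 1; }
int reads_past_texture(float x0, float x1, int width) {
    return last_texel_u(x0, x1) >= width;
}

/* Unchecked lookup. With u == width on the last row this reads four bytes
 * past the end of pixels (the READ of size 4 in the report); on any other
 * row it silently reads the first texel of the next row, which ASan cannot
 * flag. Only valid for 0 <= u < width and 0 <= v < height. */
uint32_t get_texel_unchecked(const texture_t *t, int u, int v) {
    return t->pixels[(size_t)v * (size_t)t->width + (size_t)u];
}

/* Guarded lookup (illustrative; the page does not show MAME's fix): clamp
 * to the last valid texel so an over-wide span repeats the edge texel. */
uint32_t get_texel_clamped(const texture_t *t, int u, int v) {
    if (u < 0) u = 0; else if (u >= t->width)  u = t->width - 1;
    if (v < 0) v = 0; else if (v >= t->height) v = t->height - 1;
    return get_texel_unchecked(t, u, v);
}

/* Constructed texture where each texel encodes its own (v << 16) | u. */
texture_t *make_texture(int w, int h) {
    texture_t *t = malloc(sizeof *t);
    if (!t) return NULL;
    t->pixels = malloc(texture_bytes(w, h));
    if (!t->pixels) { free(t); return NULL; }
    t->width = w; t->height = h;
    for (int v = 0; v < h; v++)
        for (int u = 0; u < w; u++)
            t->pixels[(size_t)v * (size_t)w + (size_t)u] = ((uint32_t)v << 16) | (uint32_t)u;
    return t;
}

void free_texture(texture_t *t) { if (t) { free(t->pixels); free(t); } }

/* Walk every column of the quad at row v with the guarded lookup and return
 * the texel the final column resolved to: u 942 clamps to 941 (0x3AD). */
uint32_t probe_row_clamped(float x0, float x1, int v) {
    texture_t *t = make_texture(TEX_W, TEX_H);
    if (!t) return 0xFFFFFFFFu;
    uint32_t last = 0;
    int cols = column_count(x0, x1);
    for (int i = 0; i < cols; i++)
        last = get_texel_clamped(t, i, v);
    free_texture(t);
    return last;
}

int main(void) {
    printf("region bytes: %zu\n", texture_bytes(TEX_W, TEX_H));
    printf("columns %d, last u %d, u at x=2069: %d, past end: %d\n",
           column_count(PRIM_X0, PRIM_X1), last_texel_u(PRIM_X0, PRIM_X1),
           texel_u_for_column(2069, PRIM_X0),
           reads_past_texture(PRIM_X0, PRIM_X1, TEX_W));
    printf("clamped last texel: 0x%08x\n", probe_row_clamped(PRIM_X0, PRIM_X1, 0));
    return 0;
}
```

Any C99 compiler builds this without extra libraries. If you compile it with -fsanitize=address and call get_texel_unchecked with u = 942 on row 1079, you get the same shape of report as the one in the description: a 4-byte READ 0 bytes to the right of a 4069440-byte region allocated by the texture constructor. Doing the same on row 0 produces no report at all, which is why a span that is one column too wide can go unnoticed until a primitive happens to cover the bottom row of the texture.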

No.20729 | Firewave (Senior Tester) | Nov 5, 2022, 08:58
No ASAN error with 0.249 on Linux.