Viewing Issue Advanced Details

| Field | Value |
|---|---|
| ID | 07542 |
| Category | Misc. |
| Severity | Critical (emulator) |
| Reproducibility | Always |
| Date Submitted | Jan 8, 2020, 10:08 |
| Last Update | Nov 5, 2022, 08:50 |
| Tester | Firewave |
| View Status | Public |
| Platform | MAME (Self-compiled) |
| Assigned To | |
| Resolution | Fixed |
| OS | Windows 10 (64-bit) |
| Status | Resolved |
| Driver | |
| Version | 0.217 |
| Fixed in Version | |
| Build | 32-bit |
| Fixed in Git Commit | |
| Github Pull Request # | |
| Summary | |

Description
```text
=================================================================
==9976==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x22823c00 at pc 0x079a329f bp 0x006fbb38 sp 0x006fbb38
READ of size 1 at 0x22823c00 thread T0
#0 0x79a329e in spectrum_state::spectrum_UpdateScreenBitmap+0x18e (s:\dev\mame0217\mame.exe+0x72d329e)
#1 0x796d738 in spectrum_state::device_timer+0x98 (s:\dev\mame0217\mame.exe+0x729d738)
#2 0x669a1aa in emu_timer::device_timer_expired+0x7a (s:\dev\mame0217\mame.exe+0x5fca1aa)
#3 0x669a894 in device_scheduler::execute_timers+0x1a4 (s:\dev\mame0217\mame.exe+0x5fca894)
#4 0x669d9d1 in device_scheduler::timeslice+0xb01 (s:\dev\mame0217\mame.exe+0x5fcd9d1)
#5 0x66abc95 in running_machine::run+0x305 (s:\dev\mame0217\mame.exe+0x5fdbc95)
#6 0x75392fc in mame_machine_manager::execute+0x52c (s:\dev\mame0217\mame.exe+0x6e692fc)
#7 0x755b36a in cli_frontend::start_execution+0x56a (s:\dev\mame0217\mame.exe+0x6e8b36a)
#8 0x7553104 in cli_frontend::execute+0x174 (s:\dev\mame0217\mame.exe+0x6e83104)
#9 0x753a259 in emulator_info::start_frontend+0x59 (s:\dev\mame0217\mame.exe+0x6e6a259)
#10 0xa7f25be in main+0x43e (s:\dev\mame0217\mame.exe+0xa1225be)
#11 0xa598c9a in __scrt_common_main_seh d:\agent\_work\s\src\vctools\crt\vcstartup\src\startup\exe_common.inl:288
#12 0x75d36358 in BaseThreadInitThunk+0x18 (C:\WINDOWS\System32\KERNEL32.DLL+0x6b816358)
#13 0x779f7b73 in RtlGetAppContainerNamedObjectPath+0xe3 (C:\WINDOWS\SYSTEM32\ntdll.dll+0x4b2e7b73)
#14 0x779f7b43 in RtlGetAppContainerNamedObjectPath+0xb3 (C:\WINDOWS\SYSTEM32\ntdll.dll+0x4b2e7b43)
Address 0x22823c00 is a wild pointer.
SUMMARY: AddressSanitizer: heap-buffer-overflow (s:\dev\mame0217\mame.exe+0x72d329e) in spectrum_state::spectrum_UpdateScreenBitmap+0x18e
Shadow bytes around the buggy address:
0x34504730: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x34504740: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x34504750: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x34504760: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x34504770: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x34504780:[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x34504790: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x345047a0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x345047b0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x345047c0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x345047d0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==9976==ABORTING
```

| Field | Value |
|---|---|
| Steps To Reproduce | |
| Additional Information | |
| Github Commit | |
| Flags | |
| Regression Version | |
| Affected Sets / Systems | tc2048 |

Attached Files

Relationships

There are no relationships linked to this issue.

Notes (2)

No.17360
Firewave (Senior Tester)
Jan 14, 2020, 07:24

It uses MCFG_VIDEO_START_OVERRIDE(timex_state, spectrum_128) which starts accessing m_ram->pointer() at 5 << 14, so m_screen_location is a wild pointer (so wild - in my case it even contains the src location string). It appears the RAM for tc2048 of 48K is too small. Other machines using spectrum_128 have 128K.

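The note above attributes the fault to a screen pointer computed as a fixed 16K-bank offset (5 << 14, i.e. 80K) into a RAM block that is only 48K on tc2048, which is exactly the "wild pointer" ASan reports. The following C program is an added illustration, not MAME code: a stand-in for the RAM block with a bounds-checked screen-location lookup that refuses the offset when the whole screen bank would not fit, instead of handing back a pointer past the allocation. The names (`ram_block`, `screen_location`, `screen_bank_fits`) are hypothetical, and the 6912-byte screen size is the standard Spectrum bitmap-plus-attribute area, assumed here rather than taken from the page.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed stand-in for an emulated machine's RAM block (not MAME's own type). */
struct ram_block {
    uint8_t *base;   /* start of the emulated RAM */
    size_t   size;   /* bytes actually allocated */
};

#define SPECTRUM_BANK_SHIFT   14     /* 16K banks, as in the note's 5 << 14 */
#define SPECTRUM_SCREEN_BYTES 6912   /* 6144 bitmap + 768 attribute bytes (assumed) */

/* Hypothetical hardened lookup: return a pointer to the screen bank only if the
 * entire screen area lies inside the RAM block; otherwise return NULL so the
 * caller fails loudly instead of reading through a wild pointer. */
const uint8_t *screen_location(const struct ram_block *ram, unsigned bank)
{
    size_t offset = (size_t)bank << SPECTRUM_BANK_SHIFT;

    if (ram->base == NULL)
        return NULL;
    /* Two-step check avoids overflow in offset + SPECTRUM_SCREEN_BYTES. */
    if (offset > ram->size || ram->size - offset < SPECTRUM_SCREEN_BYTES)
        return NULL;   /* 80K into a 48K block lands here */
    return ram->base + offset;
}

/* Allocate ram_kb kilobytes of RAM, try to locate the screen in the given bank,
 * and report 1 if it fits, 0 if the lookup was refused, -1 on allocation failure.
 * 48 models tc2048 from the note; 128 models the other spectrum_128 users. */
int screen_bank_fits(size_t ram_kb, unsigned bank)
{
    struct ram_block ram;
    const uint8_t *screen;
    int ok;

    ram.size = ram_kb * 1024;
    ram.base = calloc(ram.size, 1);
    if (ram.base == NULL)
        return -1;
    screen = screen_location(&ram, bank);
    ok = (screen != NULL);
    free(ram.base);
    return ok;
}

int main(void)
{
    printf("48K RAM, bank 5:  %s\n", screen_bank_fits(48, 5) ? "ok" : "rejected");
    printf("128K RAM, bank 5: %s\n", screen_bank_fits(128, 5) ? "ok" : "rejected");
    printf("48K RAM, bank 1:  %s\n", screen_bank_fits(48, 1) ? "ok" : "rejected");
    return 0;
}
```

The check is deliberately expressed as `ram->size - offset < SPECTRUM_SCREEN_BYTES` rather than `offset + SPECTRUM_SCREEN_BYTES > ram->size`, so a large bank index cannot wrap the sum around; a video-start routine shared between machines with different RAM sizes needs this kind of guard (or a per-machine RAM-size assertion) because the bank constant alone says nothing about how much memory was actually allocated.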
No.20726
Firewave (Senior Tester)
Nov 5, 2022, 08:50

No ASAN error reported with 0.249 on Linux.