Viewing Issue Advanced Details

ID: 07543
Category: Misc.
Severity: Critical (emulator)
Reproducibility: Always
Date Submitted: Jan 8, 2020, 10:10
Last Update: Nov 2, 2022, 00:04
Tester: Firewave
View Status: Public
Platform: MAME (Self-compiled)
Assigned To:
Resolution: Open
OS: Windows 10 (64-bit)
Status: Acknowledged
Driver:
Version: 0.217
Fixed in Version:
Build: 32-bit
Fixed in Git Commit:
Github Pull Request #:

Summary: 07543: rungund, rungunad, rungunbd, rungunuad, rungunud, slmdunkjd: AddressSanitizer: heap-buffer-overflow with -aviwrite
Description
=================================================================
==15124==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x212ea520 at pc 0x06834ad1 bp 0x004fad0c sp 0x004fad0c
READ of size 4 at 0x212ea520 thread T0
    #0 0x6834ad0 in software_renderer<unsigned int,0,0,0,16,8,0,0,0>::draw_quad_palette16_none+0x200 (s:\dev\mame0217\mame.exe+0x6164ad0)
    #1 0x68421b3 in software_renderer<unsigned int,0,0,0,16,8,0,0,0>::setup_and_draw_textured_quad+0x6f3 (s:\dev\mame0217\mame.exe+0x61721b3)
    #2 0x6830956 in software_renderer<unsigned int,0,0,0,16,8,0,0,0>::draw_primitives+0x136 (s:\dev\mame0217\mame.exe+0x6160956)
    #3 0x682f69a in video_manager::create_snapshot_bitmap+0x4ea (s:\dev\mame0217\mame.exe+0x615f69a)
    #4 0x683f7d1 in video_manager::record_frame+0x201 (s:\dev\mame0217\mame.exe+0x616f7d1)
    #5 0x683c754 in video_manager::finish_screen_updates+0x514 (s:\dev\mame0217\mame.exe+0x616c754)
    #6 0x683cb10 in video_manager::frame_update+0x50 (s:\dev\mame0217\mame.exe+0x616cb10)
    #7 0x63a9878 in screen_device::vblank_begin+0x88 (s:\dev\mame0217\mame.exe+0x5cd9878)
    #8 0x63a1ef4 in screen_device::device_timer+0x24 (s:\dev\mame0217\mame.exe+0x5cd1ef4)
    #9 0x669a1aa in emu_timer::device_timer_expired+0x7a (s:\dev\mame0217\mame.exe+0x5fca1aa)
    #10 0x669a894 in device_scheduler::execute_timers+0x1a4 (s:\dev\mame0217\mame.exe+0x5fca894)
    #11 0x669d9d1 in device_scheduler::timeslice+0xb01 (s:\dev\mame0217\mame.exe+0x5fcd9d1)
    #12 0x66abc95 in running_machine::run+0x305 (s:\dev\mame0217\mame.exe+0x5fdbc95)
    #13 0x75392fc in mame_machine_manager::execute+0x52c (s:\dev\mame0217\mame.exe+0x6e692fc)
    #14 0x755b36a in cli_frontend::start_execution+0x56a (s:\dev\mame0217\mame.exe+0x6e8b36a)
    #15 0x7553104 in cli_frontend::execute+0x174 (s:\dev\mame0217\mame.exe+0x6e83104)
    #16 0x753a259 in emulator_info::start_frontend+0x59 (s:\dev\mame0217\mame.exe+0x6e6a259)
    #17 0xa7f25be in main+0x43e (s:\dev\mame0217\mame.exe+0xa1225be)
    #18 0xa598c9a in __scrt_common_main_seh d:\agent\_work\s\src\vctools\crt\vcstartup\src\startup\exe_common.inl:288
    #19 0x75d36358 in BaseThreadInitThunk+0x18 (C:\WINDOWS\System32\KERNEL32.DLL+0x6b816358)
    #20 0x779f7b73 in RtlGetAppContainerNamedObjectPath+0xe3 (C:\WINDOWS\SYSTEM32\ntdll.dll+0x4b2e7b73)
    #21 0x779f7b43 in RtlGetAppContainerNamedObjectPath+0xb3 (C:\WINDOWS\SYSTEM32\ntdll.dll+0x4b2e7b43)

Address 0x212ea520 is a wild pointer.
SUMMARY: AddressSanitizer: heap-buffer-overflow (s:\dev\mame0217\mame.exe+0x6164ad0) in software_renderer<unsigned int,0,0,0,16,8,0,0,0>::draw_quad_palette16_none+0x200
Shadow bytes around the buggy address:
  0x3425d450: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x3425d460: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x3425d470: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x3425d480: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x3425d490: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x3425d4a0: 00 00 00 00[00]00 00 00 00 00 00 00 00 00 00 00
  0x3425d4b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x3425d4c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x3425d4d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x3425d4e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x3425d4f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==15124==ABORTING
Affected Sets / Systems rungund, rungunad, rungunbd, rungunuad, rungunud, slmdunkjd
Relationships
There are no relationships linked to this issue.
Notes (3)

No.17358
Firewave
Senior Tester
Jan 12, 2020, 12:42
Using -video d3d it errors out much earlier

=================================================================
==18168==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x41517120 at pc 0x09de9af9 bp 0x161bacdc sp 0x161bacd0
READ of size 4 at 0x41517120 thread T0
==18168==WARNING: Failed to use and restart external symbolizer!
    #0 0x9de9af8 in texture_info::copyline_palette16 s:\dev\mame0217\src\osd\modules\render\drawd3d.cpp:2224
    #1 0x9df34d0 in texture_info::set_data s:\dev\mame0217\src\osd\modules\render\drawd3d.cpp:2442
    #2 0x9de5e6c in texture_info::texture_info s:\dev\mame0217\src\osd\modules\render\drawd3d.cpp:2111
    #3 0x9df5683 in d3d_texture_manager::update_textures s:\dev\mame0217\src\osd\modules\render\drawd3d.cpp:605
    #4 0x9de8366 in renderer_d3d9::begin_frame s:\dev\mame0217\src\osd\modules\render\drawd3d.cpp:667
    #5 0x9ded34b in renderer_d3d9::draw s:\dev\mame0217\src\osd\modules\render\drawd3d.cpp:239
    #6 0x9dcdd4a in win_window_info::draw_video_contents s:\dev\mame0217\src\osd\windows\window.cpp:1437
    #7 0x9dd0e3b in win_window_info::video_window_proc s:\dev\mame0217\src\osd\windows\window.cpp:1360
    #8 0x9dd7216 in winwindow_video_window_proc_ui s:\dev\mame0217\src\osd\windows\winmenu.cpp:23
    #9 0x767846ca in AddClipboardFormatListener+0x4a (C:\WINDOWS\System32\USER32.dll+0x69e446ca)
    #10 0x767660bb in CallWindowProcW+0xb2b (C:\WINDOWS\System32\USER32.dll+0x69e260bb)
    #11 0x7676586c in CallWindowProcW+0x2dc (C:\WINDOWS\System32\USER32.dll+0x69e2586c)
    #12 0x76765532 in SendMessageW+0x122 (C:\WINDOWS\System32\USER32.dll+0x69e25532)
    #13 0x9dcfe05 in win_window_info::update s:\dev\mame0217\src\osd\windows\window.cpp:922
    #14 0x9e0717a in windows_osd_interface::update s:\dev\mame0217\src\osd\windows\video.cpp:94
    #15 0x5df7e1c in video_manager::frame_update s:\dev\mame0217\src\emu\video.cpp:238
    #16 0x596a652 in screen_device::vblank_begin s:\dev\mame0217\src\emu\screen.cpp:1660
    #17 0x5962975 in screen_device::device_timer s:\dev\mame0217\src\emu\screen.cpp:959
    #18 0x5c586dd in emu_timer::device_timer_expired s:\dev\mame0217\src\emu\schedule.cpp:317
    #19 0x5c58d7c in device_scheduler::execute_timers s:\dev\mame0217\src\emu\schedule.cpp:907
    #20 0x5c5bdfe in device_scheduler::timeslice s:\dev\mame0217\src\emu\schedule.cpp:544
    #21 0x5c6a220 in running_machine::run s:\dev\mame0217\src\emu\machine.cpp:372
    #22 0x6b0b15c in mame_machine_manager::execute+0x52c (s:\dev\mame0217\build\projects\windows\mame\vs2019\..\..\..\..\..\mame.exe+0x6e9b15c)
    #23 0x6b2d54a in cli_frontend::start_execution+0x56a (s:\dev\mame0217\build\projects\windows\mame\vs2019\..\..\..\..\..\mame.exe+0x6ebd54a)
    #24 0x6b252d4 in cli_frontend::execute+0x174 (s:\dev\mame0217\build\projects\windows\mame\vs2019\..\..\..\..\..\mame.exe+0x6eb52d4)
    #25 0x6b0c0b9 in emulator_info::start_frontend+0x59 (s:\dev\mame0217\build\projects\windows\mame\vs2019\..\..\..\..\..\mame.exe+0x6e9c0b9)
    #26 0x9dd57fe in main s:\dev\mame0217\src\osd\windows\winmain.cpp:323
    #27 0x9b78e39 in __scrt_common_main_seh d:\agent\_work\s\src\vctools\crt\vcstartup\src\startup\exe_common.inl:288
    #28 0x75d36358 in BaseThreadInitThunk+0x18 (C:\WINDOWS\System32\KERNEL32.DLL+0x6b816358)
    #29 0x779f7b73 in RtlGetAppContainerNamedObjectPath+0xe3 (C:\WINDOWS\SYSTEM32\ntdll.dll+0x4b2e7b73)
    #30 0x779f7b43 in RtlGetAppContainerNamedObjectPath+0xb3 (C:\WINDOWS\SYSTEM32\ntdll.dll+0x4b2e7b43)

Address 0x41517120 is a wild pointer.
SUMMARY: AddressSanitizer: heap-buffer-overflow s:\dev\mame0217\src\osd\modules\render\drawd3d.cpp:2224 in texture_info::copyline_palette16
Shadow bytes around the buggy address:
  0x382a2dd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x382a2de0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x382a2df0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x382a2e00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x382a2e10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x382a2e20: 00 00 00 00[00]00 00 00 00 00 00 00 00 00 00 00
  0x382a2e30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x382a2e40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x382a2e50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x382a2e60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x382a2e70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
No.17359
Firewave
Senior Tester
Jan 13, 2020, 17:44
Looks like the palette is accessed out of bounds in texture_info::copyline_palette16():
Address 0x41517120 is a wild pointer.
+		palette	0x41514120 {m_data=4278190080 }	const rgb_t *
+		src	0x2be678b0 {3072}	const unsigned short *
No.20683
Firewave
Senior Tester
Nov 2, 2022, 00:04
Also happens when taking a snapshot on Linux with 0.249:

=================================================================
==30538==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x621000157100 at pc 0x7f66e0e2cb48 bp 0x7ffff0082d20 sp 0x7ffff0082d18
READ of size 4 at 0x621000157100 thread T0
    #0 0x7f66e0e2cb47 in operator unsigned int /mnt/s/GitHub/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/lib/util/palette.h:61:47
    #1 0x7f66e0e2cb47 in software_renderer<unsigned int, 0, 0, 0, 16, 8, 0, false, true>::get_texel_palette16(render_texinfo const&, int, int) /mnt/s/GitHub/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/emu/rendersw.hxx:148:16
    #2 0x7f66e0e104e6 in software_renderer<unsigned int, 0, 0, 0, 16, 8, 0, false, true>::draw_quad_palette16_none(render_primitive const&, unsigned int*, unsigned int, software_renderer<unsigned int, 0, 0, 0, 16, 8, 0, false, true>::quad_setup_data const&) /mnt/s/GitHub/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/emu/rendersw.hxx:684:22
    #3 0x7f66e0e0df43 in software_renderer<unsigned int, 0, 0, 0, 16, 8, 0, false, true>::setup_and_draw_textured_quad(render_primitive const&, unsigned int*, int, int, unsigned int) /mnt/s/GitHub/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/emu/rendersw.hxx:1782:5
    #4 0x7f66e0e07802 in software_renderer<unsigned int, 0, 0, 0, 16, 8, 0, false, true>::draw_primitives(render_primitive_list const&, void*, unsigned int, unsigned int, unsigned int) /mnt/s/GitHub/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/emu/rendersw.hxx:1867:7
    #5 0x7f66e0e007c8 in video_manager::create_snapshot_bitmap(screen_device*) /mnt/s/GitHub/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/emu/video.cpp:1046:3
    #6 0x7f66e0dff568 in video_manager::save_snapshot(screen_device*, util::core_file&) /mnt/s/GitHub/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/emu/video.cpp:329:2
    #7 0x7f66e0dfde55 in video_manager::recompute_speed(attotime const&) /mnt/s/GitHub/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/emu/video.cpp:1005:5
    #8 0x7f66e0dfb0e8 in video_manager::frame_update(bool) /mnt/s/GitHub/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/emu/video.cpp:261:4
    #9 0x7f66e0cf47c8 in screen_device::vblank_begin(int) /mnt/s/GitHub/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/emu/screen.cpp:1646:21
    #10 0x7f66e0cdd304 in operator() /mnt/s/GitHub/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/lib/util/delegate.h:765:11
    #11 0x7f66e0cdd304 in device_scheduler::execute_timers() /mnt/s/GitHub/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/emu/schedule.cpp:951:5
    #12 0x7f66e0cd8858 in device_scheduler::timeslice() /mnt/s/GitHub/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/emu/schedule.cpp:505:2
    #13 0x7f66e0b704a7 in running_machine::run(bool) /mnt/s/GitHub/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/emu/machine.cpp:329:17
    #14 0x7f66e3cd6f7f in mame_machine_manager::execute() /mnt/s/GitHub/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/frontend/mame/mame.cpp:290:19
    #15 0x7f66e3ecb8d6 in cli_frontend::start_execution(mame_machine_manager*, std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > const&) /mnt/s/GitHub/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/frontend/mame/clifront.cpp:275:22
    #16 0x7f66e3ecf41f in cli_frontend::execute(std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > >&) /mnt/s/GitHub/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/frontend/mame/clifront.cpp:291:3
    #17 0x7f66e3cdbd5f in emulator_info::start_frontend(emu_options&, osd_interface&, std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > >&) /mnt/s/GitHub/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/frontend/mame/mame.cpp:454:18
    #18 0x7f66e0eb258b in main /mnt/s/GitHub/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/osd/sdl/sdlmain.cpp:191:9
    #19 0x7f669f3b9209 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #20 0x7f669f3b92bb in __libc_start_main csu/../csu/libc-start.c:389:3
    #21 0x7f66be63c260 in _start (/mnt/s/GitHub/mame/mame+0x1d397260) (BuildId: 603d3d1c300651feb2a8e3ac6e9cb58d3f85e77b)

Address 0x621000157100 is a wild pointer inside of access range of size 0x000000000004.
SUMMARY: AddressSanitizer: heap-buffer-overflow /mnt/s/GitHub/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/lib/util/palette.h:61:47 in operator unsigned int
Shadow bytes around the buggy address:
  0x0c4280022dd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4280022de0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4280022df0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4280022e00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4280022e10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c4280022e20:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4280022e30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4280022e40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4280022e50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4280022e60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4280022e70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==30538==ABORTING