Viewing Issue Advanced Details
ID: 07544
Category: Misc.
Severity: Critical (emulator)
Reproducibility: Always
Date Submitted: Jan 8, 2020, 10:11
Last Update: Jul 2, 2022, 17:51
Tester: Firewave
View Status: Public
Platform: MAME (Self-compiled)
Assigned To: galibert
Resolution: Open
OS: Windows 10 (64-bit)
Status: Assigned
Driver:
Version: 0.217
Fixed in Version:
Build: 32-bit
Fixed in Git Commit:
Github Pull Request #:
Summary: MESS-specific 07544: to9: AddressSanitizer: heap-buffer-overflow
Description
=================================================================
==23816==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x22bb083e at pc 0x0684b096 bp 0x006fb99c sp 0x006fb990
READ of size 1 at 0x22bb083e thread T0
    #0 0x684b095 in handler_entry_read_memory_bank<0,0,1>::read+0xd5 (s:\dev\mame0217\mame.exe+0x617b095)
    #1 0x6bdec8a in handler_entry_read_dispatch<16,0,1,1>::read+0x7a (s:\dev\mame0217\mame.exe+0x650ec8a)
    #2 0x66560f0 in address_space_specific<0,1,1>::read_native+0x70 (s:\dev\mame0217\mame.exe+0x5f860f0)
    #3 0x664fe85 in address_space_specific<0,0,1>::read_byte+0x45 (s:\dev\mame0217\mame.exe+0x5f7fe85)
    #4 0x7cefe4d in c39_device::mi_banked::read+0x6d (s:\dev\mame0217\mame.exe+0x761fe4d)
    #5 0x7e0c82d in m6809_base_device::read_memory+0x7d (s:\dev\mame0217\mame.exe+0x773c82d)
    #6 0x7e0a6a9 in m6809_base_device::execute_one+0x3ab9 (s:\dev\mame0217\mame.exe+0x773a6a9)
    #7 0x7e0bcd6 in m6809_base_device::execute_run+0x26 (s:\dev\mame0217\mame.exe+0x773bcd6)
    #8 0x669d553 in device_scheduler::timeslice+0x683 (s:\dev\mame0217\mame.exe+0x5fcd553)
    #9 0x66abc95 in running_machine::run+0x305 (s:\dev\mame0217\mame.exe+0x5fdbc95)
    #10 0x75392fc in mame_machine_manager::execute+0x52c (s:\dev\mame0217\mame.exe+0x6e692fc)
    #11 0x755b36a in cli_frontend::start_execution+0x56a (s:\dev\mame0217\mame.exe+0x6e8b36a)
    #12 0x7553104 in cli_frontend::execute+0x174 (s:\dev\mame0217\mame.exe+0x6e83104)
    #13 0x753a259 in emulator_info::start_frontend+0x59 (s:\dev\mame0217\mame.exe+0x6e6a259)
    #14 0xa7f25be in main+0x43e (s:\dev\mame0217\mame.exe+0xa1225be)
    #15 0xa598c9a in __scrt_common_main_seh d:\agent\_work\6\s\src\vctools\crt\vcstartup\src\startup\exe_common.inl:288
    #16 0x75d36358 in BaseThreadInitThunk+0x18 (C:\WINDOWS\System32\KERNEL32.DLL+0x6b816358)
    #17 0x779f7b73 in RtlGetAppContainerNamedObjectPath+0xe3 (C:\WINDOWS\SYSTEM32\ntdll.dll+0x4b2e7b73)
    #18 0x779f7b43 in RtlGetAppContainerNamedObjectPath+0xb3 (C:\WINDOWS\SYSTEM32\ntdll.dll+0x4b2e7b43)

0x22bb083e is located 27 bytes to the right of 65571-byte region [0x22ba0800,0x22bb0823)
allocated by thread T0 here:
    #0 0x1382e7d in operator new D:\agent\_work\6\s\src\vctools\crt\asan\llvm\compiler-rt\lib\asan\asan_new_delete.cc:99
    #1 0x1388b51 in std::_Allocate<8,std::_Default_allocate_traits,0>+0x21 (s:\dev\mame0217\mame.exe+0xcb8b51)
    #2 0x65c19c4 in memory_region::memory_region+0xc4 (s:\dev\mame0217\mame.exe+0x5ef19c4)
    #3 0x666194b in memory_manager::region_alloc+0x25b (s:\dev\mame0217\mame.exe+0x5f9194b)
    #4 0x6747d03 in rom_load_manager::process_region_list+0x173 (s:\dev\mame0217\mame.exe+0x6077d03)
    #5 0x6741169 in rom_load_manager::rom_load_manager+0x819 (s:\dev\mame0217\mame.exe+0x6071169)
    #6 0x66acec7 in running_machine::start+0x447 (s:\dev\mame0217\mame.exe+0x5fdcec7)
    #7 0x66abb05 in running_machine::run+0x175 (s:\dev\mame0217\mame.exe+0x5fdbb05)
    #8 0x75392fc in mame_machine_manager::execute+0x52c (s:\dev\mame0217\mame.exe+0x6e692fc)
    #9 0x755b36a in cli_frontend::start_execution+0x56a (s:\dev\mame0217\mame.exe+0x6e8b36a)
    #10 0x7553104 in cli_frontend::execute+0x174 (s:\dev\mame0217\mame.exe+0x6e83104)
    #11 0x753a259 in emulator_info::start_frontend+0x59 (s:\dev\mame0217\mame.exe+0x6e6a259)
    #12 0xa7f25be in main+0x43e (s:\dev\mame0217\mame.exe+0xa1225be)
    #13 0xa598c9a in __scrt_common_main_seh d:\agent\_work\6\s\src\vctools\crt\vcstartup\src\startup\exe_common.inl:288
    #14 0x75d36358 in BaseThreadInitThunk+0x18 (C:\WINDOWS\System32\KERNEL32.DLL+0x6b816358)
    #15 0x779f7b73 in RtlGetAppContainerNamedObjectPath+0xe3 (C:\WINDOWS\SYSTEM32\ntdll.dll+0x4b2e7b73)
    #16 0x779f7b43 in RtlGetAppContainerNamedObjectPath+0xb3 (C:\WINDOWS\SYSTEM32\ntdll.dll+0x4b2e7b43)

SUMMARY: AddressSanitizer: heap-buffer-overflow (s:\dev\mame0217\mame.exe+0x617b095) in handler_entry_read_memory_bank<0,0,1>::read+0xd5
Shadow bytes around the buggy address:
  0x345760b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x345760c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x345760d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x345760e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x345760f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x34576100: 00 00 00 00 03 fa fa[fa]fa fa fa fa fa fa fa fa
  0x34576110: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x34576120: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x34576130: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x34576140: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x34576150: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable: 00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone: fa
  Freed heap region: fd
  Stack left redzone: f1
  Stack mid redzone: f2
  Stack right redzone: f3
  Stack after return: f5
  Stack use after scope: f8
  Global redzone: f9
  Global init order: f6
  Poisoned by user: f7
  Container overflow: fc
  Array cookie: ac
  Intra object redzone: bb
  ASan internal: fe
  Left alloca redzone: ca
  Right alloca redzone: cb
  Shadow gap: cc
==23816==ABORTING
Steps To Reproduce:
Additional Information:
Github Commit:
Flags:
Regression Version:
Affected Sets / Systems: to9
Attached Files:
Relationships: There are no relationships linked to this issue.
Notes (0): There are no notes attached to this issue.