07544: to9: AddressSanitizer: heap-buffer-overflow

ID	Category [?]	Severity [?]	Reproducibility	Date Submitted	Last Update
07544	Misc.	Critical (emulator)	Always	Jan 8, 2020, 10:11	Jul 2, 2022, 17:51

Tester	Firewave	View Status	Public	Platform	MAME (Self-compiled)
Assigned To	galibert	Resolution	Open	OS	Windows 10 (64-bit)
Status [?]	Assigned			Driver	thomson/thomson.cpp
Version	0.217	Fixed in Version		Build	32-bit
		Fixed in Git Commit		Github Pull Request #

Summary	07544: to9: AddressSanitizer: heap-buffer-overflow
Description	================================================================= ==23816==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x22bb083e at pc 0x0684b096 bp 0x006fb99c sp 0x006fb990 READ of size 1 at 0x22bb083e thread T0 #0 0x684b095 in handler_entry_read_memory_bank<0,0,1>::read+0xd5 (s:\dev\mame0217\mame.exe+0x617b095) #1 0x6bdec8a in handler_entry_read_dispatch<16,0,1,1>::read+0x7a (s:\dev\mame0217\mame.exe+0x650ec8a) #2 0x66560f0 in address_space_specific<0,1,1>::read_native+0x70 (s:\dev\mame0217\mame.exe+0x5f860f0) #3 0x664fe85 in address_space_specific<0,0,1>::read_byte+0x45 (s:\dev\mame0217\mame.exe+0x5f7fe85) #4 0x7cefe4d in c39_device::mi_banked::read+0x6d (s:\dev\mame0217\mame.exe+0x761fe4d) #5 0x7e0c82d in m6809_base_device::read_memory+0x7d (s:\dev\mame0217\mame.exe+0x773c82d) #6 0x7e0a6a9 in m6809_base_device::execute_one+0x3ab9 (s:\dev\mame0217\mame.exe+0x773a6a9) #7 0x7e0bcd6 in m6809_base_device::execute_run+0x26 (s:\dev\mame0217\mame.exe+0x773bcd6) #8 0x669d553 in device_scheduler::timeslice+0x683 (s:\dev\mame0217\mame.exe+0x5fcd553) #9 0x66abc95 in running_machine::run+0x305 (s:\dev\mame0217\mame.exe+0x5fdbc95) #10 0x75392fc in mame_machine_manager::execute+0x52c (s:\dev\mame0217\mame.exe+0x6e692fc) #11 0x755b36a in cli_frontend::start_execution+0x56a (s:\dev\mame0217\mame.exe+0x6e8b36a) #12 0x7553104 in cli_frontend::execute+0x174 (s:\dev\mame0217\mame.exe+0x6e83104) #13 0x753a259 in emulator_info::start_frontend+0x59 (s:\dev\mame0217\mame.exe+0x6e6a259) #14 0xa7f25be in main+0x43e (s:\dev\mame0217\mame.exe+0xa1225be) #15 0xa598c9a in __scrt_common_main_seh d:\agent\_work\6\s\src\vctools\crt\vcstartup\src\startup\exe_common.inl:288 #16 0x75d36358 in BaseThreadInitThunk+0x18 (C:\WINDOWS\System32\KERNEL32.DLL+0x6b816358) #17 0x779f7b73 in RtlGetAppContainerNamedObjectPath+0xe3 (C:\WINDOWS\SYSTEM32\ntdll.dll+0x4b2e7b73) #18 0x779f7b43 in RtlGetAppContainerNamedObjectPath+0xb3 (C:\WINDOWS\SYSTEM32\ntdll.dll+0x4b2e7b43) 0x22bb083e is located 27 bytes to the right of 65571-byte region [0x22ba0800,0x22bb0823) allocated by thread T0 here: #0 0x1382e7d in operator new D:\agent\_work\6\s\src\vctools\crt\asan\llvm\compiler-rt\lib\asan\asan_new_delete.cc:99 #1 0x1388b51 in std::_Allocate<8,std::_Default_allocate_traits,0>+0x21 (s:\dev\mame0217\mame.exe+0xcb8b51) #2 0x65c19c4 in memory_region::memory_region+0xc4 (s:\dev\mame0217\mame.exe+0x5ef19c4) #3 0x666194b in memory_manager::region_alloc+0x25b (s:\dev\mame0217\mame.exe+0x5f9194b) #4 0x6747d03 in rom_load_manager::process_region_list+0x173 (s:\dev\mame0217\mame.exe+0x6077d03) #5 0x6741169 in rom_load_manager::rom_load_manager+0x819 (s:\dev\mame0217\mame.exe+0x6071169) #6 0x66acec7 in running_machine::start+0x447 (s:\dev\mame0217\mame.exe+0x5fdcec7) #7 0x66abb05 in running_machine::run+0x175 (s:\dev\mame0217\mame.exe+0x5fdbb05) #8 0x75392fc in mame_machine_manager::execute+0x52c (s:\dev\mame0217\mame.exe+0x6e692fc) #9 0x755b36a in cli_frontend::start_execution+0x56a (s:\dev\mame0217\mame.exe+0x6e8b36a) #10 0x7553104 in cli_frontend::execute+0x174 (s:\dev\mame0217\mame.exe+0x6e83104) #11 0x753a259 in emulator_info::start_frontend+0x59 (s:\dev\mame0217\mame.exe+0x6e6a259) #12 0xa7f25be in main+0x43e (s:\dev\mame0217\mame.exe+0xa1225be) #13 0xa598c9a in __scrt_common_main_seh d:\agent\_work\6\s\src\vctools\crt\vcstartup\src\startup\exe_common.inl:288 #14 0x75d36358 in BaseThreadInitThunk+0x18 (C:\WINDOWS\System32\KERNEL32.DLL+0x6b816358) #15 0x779f7b73 in RtlGetAppContainerNamedObjectPath+0xe3 (C:\WINDOWS\SYSTEM32\ntdll.dll+0x4b2e7b73) #16 0x779f7b43 in RtlGetAppContainerNamedObjectPath+0xb3 (C:\WINDOWS\SYSTEM32\ntdll.dll+0x4b2e7b43) SUMMARY: AddressSanitizer: heap-buffer-overflow (s:\dev\mame0217\mame.exe+0x617b095) in handler_entry_read_memory_bank<0,0,1>::read+0xd5 Shadow bytes around the buggy address: 0x345760b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x345760c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x345760d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x345760e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x345760f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 =>0x34576100: 00 00 00 00 03 fa fa[fa]fa fa fa fa fa fa fa fa 0x34576110: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x34576120: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x34576130: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x34576140: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x34576150: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb Shadow gap: cc ==23816==ABORTING
Steps To Reproduce
Additional Information
Github Commit

Flags
Regression Version
Affected Sets / Systems	to9

Attached Files