yakkety ioquake3 SEGV in variable handling code

Bug #1653007 reported by Chad Miller on 2016-12-28
Affects: ioquake3 (Ubuntu) | Importance: Undecided | Assigned to: Unassigned

Bug Description

Problem exists in 1.36+u20160616+dfsg1-1

It does not exist in 1.36+u20160122+dfsg1-1

It's not specific to the sv_fps variable. Others will cause it too. sv_fps is merely a very early one to cause a crash.

It's a pointer to a structure. It goes from

value NULL,
to 0x5555561a1518
to 0x555500000015
to 0xffffffff00000015
to 0x100000015
and then crashes on deref later.

(gdb) watch sv_fps

Hardware watchpoint 1: sv_fps

(gdb) r

Starting program: ioquake3-1.36+u20160616+dfsg1/debian/ioquake3/usr/lib/ioquake3/ioquake3 ioquake3 +set com_basegame baseoa +set fs_basepath /usr/lib/openarena +set com_homepath .openarena +set com_legacyprotocol 71 +set com_protocol 71 +set sv_master1 dpmaster.deathmask.net +set cl_motd 0

Hardware watchpoint 1: sv_fps

Old value = (cvar_t *) 0x0
New value = (cvar_t *) 0x5555561a1518 <cvar_indexes+2520>
SV_Init () at code/server/sv_init.c:673
673 sv_timeout = Cvar_Get ("sv_timeout", "200", CVAR_TEMP );

(gdb) disp sv_fps
1: sv_fps = (cvar_t *) 0x5555561a1518 <cvar_indexes+2520>

(gdb) c

Continuing.

Loading DLL file /usr/lib/openarena/baseoa/pak6-patch088/qagamex86_64.so instead.
Loading DLL file: /usr/lib/openarena/baseoa/pak6-patch088/qagamex86_64.so
Sys_LoadGameDll(/usr/lib/openarena/baseoa/pak6-patch088/qagamex86_64.so) found vmMain function at 0x7fffdce92314
------- Game Initialization -------
gamename: baseoa
gamedate: Jun 27 2016
tty]
Thread 1 "ioquake3" hit Hardware watchpoint 1: sv_fps

Old value = (cvar_t *) 0x5555561a1518 <cvar_indexes+2520>
New value = (cvar_t *) 0x555500000015
Cvar_Register (vmCvar=0x555555d34a68 <sv_fps>, varName=0x7fffdcf12242 "sv_fps", defaultValue=0x7fffdcf12303 "20", flags=9) at code/qcommon/cvar.c:1346
1346 vmCvar->modificationCount = -1;
1: sv_fps = (cvar_t *) 0x555500000015

(gdb) n

Thread 1 "ioquake3" hit Hardware watchpoint 1: sv_fps

Old value = (cvar_t *) 0x555500000015
New value = (cvar_t *) 0xffffffff00000015
Cvar_Register (vmCvar=0x555555d34a68 <sv_fps>, varName=0x7fffdcf12242 "sv_fps", defaultValue=0x7fffdcf12303 "20", flags=9) at code/qcommon/cvar.c:1347
1347 Cvar_Update( vmCvar );
1: sv_fps = (cvar_t *) 0xffffffff00000015

(gdb) n

Thread 1 "ioquake3" hit Hardware watchpoint 1: sv_fps

Old value = (cvar_t *) 0xffffffff00000015
New value = (cvar_t *) 0x100000015
Cvar_Update (vmCvar=0x555555d34a68 <sv_fps>) at code/qcommon/cvar.c:1375
1375 if ( strlen(cv->string)+1 > MAX_CVAR_VALUE_STRING )
1: sv_fps = (cvar_t *) 0x100000015

(gdb) c

Continuing.

Thread 1 "ioquake3" received signal SIGSEGV, Segmentation fault.
0x00005555555d23ce in SV_Frame (msec=11) at code/server/sv_main.c:1082
1082 if ( sv_fps->integer < 1 ) {
1: sv_fps = (cvar_t *) 0x100000015

Chad Miller (cmiller) on 2016-12-29
Changed in ioquake3 (Ubuntu):
status: New → Confirmed
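The watchpoint hits above show vmCvar_t-shaped writes landing on the engine's pointer-sized sv_fps slot (gdb resolves the game's vmCvar argument to the engine's own sv_fps symbol). The C program below is an added reconstruction, not code from the report or from ioquake3; it assumes ioquake3's vmCvar_t field order (handle, modificationCount, value, integer, string) and a little-endian 64-bit target, and replays the three writes to reproduce the pointer values seen in the transcript.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Field order of ioquake3's vmCvar_t (q_shared.h), the per-cvar mirror the
 * engine fills for a game module in Cvar_Register()/Cvar_Update(). */
typedef struct {
    int   handle;            /* cvar index: cv - cvar_indexes */
    int   modificationCount;
    float value;
    int   integer;
    char  string[256];       /* MAX_CVAR_VALUE_STRING */
} vmCvar_t;

/* In the transcript gdb resolves the game's vmCvar argument to the engine's
 * own `sv_fps` symbol, i.e. the mirror and the `cvar_t *` occupy the same
 * storage. This union models that overlap on a little-endian 64-bit target. */
typedef union {
    uint64_t sv_fps_ptr;     /* the pointer SV_Frame() later dereferences */
    vmCvar_t mirror;         /* the struct the cvar code writes */
} aliased_slot_t;

/* Replays the three writes that fired the watchpoint and records the value
 * of the pointer slot after each one in out[0..2]. */
void replay_sv_fps_clobber(uint64_t initial_ptr, int handle,
                           int engine_mod_count, uint64_t out[3])
{
    aliased_slot_t slot;
    memset(&slot, 0, sizeof slot);
    slot.sv_fps_ptr = initial_ptr;        /* SV_Init(): valid cvar_t * */

    slot.mirror.handle = handle;          /* Cvar_Register(): low 32 bits */
    out[0] = slot.sv_fps_ptr;

    slot.mirror.modificationCount = -1;   /* Cvar_Register(): high 32 bits */
    out[1] = slot.sv_fps_ptr;

    slot.mirror.modificationCount = engine_mod_count;  /* Cvar_Update() */
    out[2] = slot.sv_fps_ptr;
}

int main(void)
{
    uint64_t seq[3];
    /* inputs taken from the report: cvar_indexes+2520, handle 0x15, count 1 */
    replay_sv_fps_clobber(0x5555561a1518ULL, 0x15, 1, seq);
    for (int i = 0; i < 3; i++)
        printf("sv_fps = (cvar_t *) 0x%llx\n", (unsigned long long)seq[i]);
    return 0;
}
```

The final value 0x100000015 is not a mapped address, which is why the later `sv_fps->integer` read in SV_Frame() faults.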