widelands

heap-use-after-free in in Widelands::Ship::set_fleet while loading savegame

Bug #1798024 reported by GunChleoc on 2018-10-16

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	widelands	Fix Released	High	Unassigned	widelands build20-rc1

Bug Description

I am getting a heap-use-after-free while loading the savegame from

https://bugs.launchpad.net/widelands/+bug/1796364/comments/3

==10617==ERROR: AddressSanitizer: heap-use-after-free on address 0x6120005b6180 at pc 0x55d07a0e91bd bp 0x7ffc933e2e20 sp 0x7ffc933e2e10
WRITE of size 8 at 0x6120005b6180 thread T0
    #0 0x55d07a0e91bc in Widelands::Ship::set_fleet(Widelands::Fleet*) widelands/trunk/src/logic/map_objects/tribes/ship.cc:203
    #1 0x55d07a9b3a17 in Widelands::Fleet::cleanup(Widelands::EditorGameBase&) widelands/trunk/src/economy/fleet.cc:261
    #2 0x55d07a056365 in Widelands::MapObject::remove(Widelands::EditorGameBase&) widelands/trunk/src/logic/map_objects/map_object.cc:427
    #3 0x55d07a052ae4 in Widelands::ObjectManager::cleanup(Widelands::EditorGameBase&) widelands/trunk/src/logic/map_objects/map_object.cc:155
    #4 0x55d079cb54c1 in Widelands::EditorGameBase::cleanup_objects() widelands/trunk/src/logic/editor_game_base.h:168
    #5 0x55d079f2c71f in Widelands::EditorGameBase::cleanup_for_load() widelands/trunk/src/logic/editor_game_base.cc:409
    #6 0x55d079f4ebb2 in Widelands::Game::cleanup_for_load() widelands/trunk/src/logic/game.cc:578
    #7 0x55d07a00a8d7 in Widelands::ReplayWriter::ReplayWriter(Widelands::Game&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) widelands/trunk/src/logic/replay.cc:223
    #8 0x55d079f4e16c in Widelands::Game::run(UI::ProgressWindow*, Widelands::Game::StartGameType, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, bool, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) widelands/trunk/src/logic/game.cc:507
    #9 0x55d079f4c85e in Widelands::Game::run_load_game(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) widelands/trunk/src/logic/game.cc:386
    #10 0x55d079c595cd in WLApplication::load_game() widelands/trunk/src/wlapplication.cc:1348
    #11 0x55d079c56f46 in WLApplication::mainmenu_singleplayer() widelands/trunk/src/wlapplication.cc:1178
    #12 0x55d079c5608c in WLApplication::mainmenu() widelands/trunk/src/wlapplication.cc:1079
    #13 0x55d079c4d41b in WLApplication::run() widelands/trunk/src/wlapplication.cc:451
    #14 0x55d079c4998e in main widelands/trunk/src/main.cc:44
    #15 0x7f5c316afb96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
    #16 0x55d079c49809 in _start (widelands/trunk/widelands+0xd66809)

0x6120005b6180 is located 192 bytes inside of 288-byte region [0x6120005b60c0,0x6120005b61e0)
freed by thread T0 here:
    #0 0x7f5c3427b2d0 in operator delete(void*) (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xe12d0)
    #1 0x55d07a0e894b in Widelands::Ship::~Ship() widelands/trunk/src/logic/map_objects/tribes/ship.cc:135
    #2 0x55d07a0563c4 in Widelands::MapObject::remove(Widelands::EditorGameBase&) widelands/trunk/src/logic/map_objects/map_object.cc:428
    #3 0x55d07a052ae4 in Widelands::ObjectManager::cleanup(Widelands::EditorGameBase&) widelands/trunk/src/logic/map_objects/map_object.cc:155
    #4 0x55d079cb54c1 in Widelands::EditorGameBase::cleanup_objects() widelands/trunk/src/logic/editor_game_base.h:168
    #5 0x55d079f2c71f in Widelands::EditorGameBase::cleanup_for_load() widelands/trunk/src/logic/editor_game_base.cc:409
    #6 0x55d079f4ebb2 in Widelands::Game::cleanup_for_load() widelands/trunk/src/logic/game.cc:578
    #7 0x55d07a00a8d7 in Widelands::ReplayWriter::ReplayWriter(Widelands::Game&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) widelands/trunk/src/logic/replay.cc:223
    #8 0x55d079f4e16c in Widelands::Game::run(UI::ProgressWindow*, Widelands::Game::StartGameType, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, bool, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) widelands/trunk/src/logic/game.cc:507
    #9 0x55d079f4c85e in Widelands::Game::run_load_game(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) widelands/trunk/src/logic/game.cc:386
    #10 0x55d079c595cd in WLApplication::load_game() widelands/trunk/src/wlapplication.cc:1348
    #11 0x55d079c56f46 in WLApplication::mainmenu_singleplayer() widelands/trunk/src/wlapplication.cc:1178
    #12 0x55d079c5608c in WLApplication::mainmenu() widelands/trunk/src/wlapplication.cc:1079
    #13 0x55d079c4d41b in WLApplication::run() widelands/trunk/src/wlapplication.cc:451
    #14 0x55d079c4998e in main widelands/trunk/src/main.cc:44
    #15 0x7f5c316afb96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)

previously allocated by thread T0 here:
    #0 0x7f5c3427a458 in operator new(unsigned long) (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xe0458)
    #1 0x55d07a0e8706 in Widelands::ShipDescr::create_object() const widelands/trunk/src/logic/map_objects/tribes/ship.cc:127
    #2 0x55d07a0f653b in Widelands::Ship::load(Widelands::EditorGameBase&, Widelands::MapObjectLoader&, FileRead&) widelands/trunk/src/logic/map_objects/tribes/ship.cc:1229
    #3 0x55d07a7a8ecf in Widelands::MapObjectPacket::read(FileSystem&, Widelands::EditorGameBase&, Widelands::MapObjectLoader&, WorldLegacyLookupTable const&, TribesLegacyLookupTable const&) widelands/trunk/src/map_io/map_object_packet.cc:92
    #4 0x55d07a254c37 in Widelands::WidelandsMapLoader::load_map_complete(Widelands::EditorGameBase&, Widelands::MapLoader::LoadType) widelands/trunk/src/map_io/widelands_map_loader.cc:165
    #5 0x55d07aa0469e in Widelands::GameMapPacket::read_complete(Widelands::Game&) widelands/trunk/src/game_io/game_map_packet.cc:54
    #6 0x55d07aa00092 in Widelands::GameLoader::load_game(bool) widelands/trunk/src/game_io/game_loader.cc:104
    #7 0x55d079f4c6d8 in Widelands::Game::run_load_game(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) widelands/trunk/src/logic/game.cc:378
    #8 0x55d079c595cd in WLApplication::load_game() widelands/trunk/src/wlapplication.cc:1348
    #9 0x55d079c56f46 in WLApplication::mainmenu_singleplayer() widelands/trunk/src/wlapplication.cc:1178
    #10 0x55d079c5608c in WLApplication::mainmenu() widelands/trunk/src/wlapplication.cc:1079
    #11 0x55d079c4d41b in WLApplication::run() widelands/trunk/src/wlapplication.cc:451
    #12 0x55d079c4998e in main widelands/trunk/src/main.cc:44
    #13 0x7f5c316afb96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)

SUMMARY: AddressSanitizer: heap-use-after-free widelands/trunk/src/logic/map_objects/tribes/ship.cc:203 in Widelands::Ship::set_fleet(Widelands::Fleet*)

Tags:

Related branches

lp:~widelands-dev/widelands/bug-1798024-heap-use-after-free

Merged into lp:widelands at revision 8898

Notabilis: Approve (diff, test) on 2018-10-23

GunChleoc (gunchleoc) on 2018-10-16

Changed in widelands:
assignee:	nobody → GunChleoc (gunchleoc)
status:	New → In Progress

GunChleoc (gunchleoc) on 2018-10-25

Changed in widelands:
status:	In Progress → Fix Committed
assignee:	GunChleoc (gunchleoc) → nobody

Revision history for this message

GunChleoc (gunchleoc) wrote on 2019-04-22:

Fixed in build20-rc1

Changed in widelands:
status:	Fix Committed → Fix Released

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.