Up to [local] / ports / games / nxengine-evo / patches
Default branch: MAIN
Revision 1.2, Thu Mar 5 07:46:41 2020 UTC (4 years, 8 months ago) by namtsui
Branch: MAIN
CVS Tags: HEAD
Changes since 1.1: +0 -0 lines
FILE REMOVED
Summary: move to latest commit
Revision 1.1, Wed Sep 18 00:14:37 2019 UTC (5 years, 2 months ago) by namtsui
Branch: MAIN
Summary: fix use after free

Trying to enter graphics, sound and controls menus would often (99%+) cause this retpoline error and crash the game. Occasionally, it would load the respective menu.

    Thread 1 received signal SIGBUS, Bus error.
    0x00000f8f792b9164 in __llvm_retpoline_r11 ()
    (gdb) bt
    #0  0x00000f8f792b9164 in __llvm_retpoline_r11 ()
    #1  0xdfdfdfdfdfdfdfdf in ?? ()
    #2  0x00000f8f7938e209 in Options::Dialog::RunInput (this=0xf925053a000) at /usr/ports/pobj/nxengine-evo-2.6.4/nxengine-evo-2.6.4/src/pause/dialog.cpp:266
    #3  0x00000f8f79393570 in options_tick () at /usr/ports/pobj/nxengine-evo-2.6.4/nxengine-evo-2.6.4/src/pause/options.cpp:118
    #4  0x00000f8f792f7b61 in Game::tick (this=0xf8f793d4168 <game>) at /usr/ports/pobj/nxengine-evo-2.6.4/nxengine-evo-2.6.4/src/game.cpp:227
    #5  0x00000f8f792fcd8a in run_tick () at /usr/ports/pobj/nxengine-evo-2.6.4/nxengine-evo-2.6.4/src/main.cpp:133
    #6  0x00000f8f792fcc86 in gameloop () at /usr/ports/pobj/nxengine-evo-2.6.4/nxengine-evo-2.6.4/src/main.cpp:207
    #7  0x00000f8f792fd804 in main (argc=1, argv=0x7f7ffffeaf58) at /usr/ports/pobj/nxengine-evo-2.6.4/nxengine-evo-2.6.4/src/main.cpp:431

The cause is a use after free. Namely, dialog.cpp tries to

1. (*item->activate)(item, dir);

then:

2. if (item->update) (*item->update)(item);

In between steps 1 and 2, *item becomes freed by Dialog::Clear() delete fItems.at(i).

Item before step 1:

    Thread 1 hit Breakpoint 2, Options::Dialog::RunInput (this=0x141d6ee5f00) at /usr/ports/pobj/nxengine-evo-2.6.4/nxengine-evo-2.6.4/src/pause/dialog.cpp:263
    263 in /usr/ports/pobj/nxengine-evo-2.6.4/nxengine-evo-2.6.4/src/pause/dialog.cpp
    (gdb) print *item
    $20 = {text = "Graphics", '\000' <repeats 91 times>, suffix = '\000' <repeats 31 times>, righttext = '\000' <repeats 63 times>, raligntext = '\000' <repeats 31 times>, type = 0, id = -1, update = 0x0, activate = 0x13edee9eb60 <EnterGraphicsMenu(Options::ODItem*, int)>}

Item by step 2:

    (gdb) print *item
    $21 = {text = '\337' <repeats 99 times>, <incomplete sequence \337>, suffix = '\337' <repeats 31 times>, <incomplete sequence \337>, righttext = '\337' <repeats 63 times>, <incomplete sequence \337>, raligntext = '\337' <repeats 31 times>, <incomplete sequence \337>, type = -538976289, id = -538976289, update = 0xdfdfdfdfdfdfdfdf, activate = 0xdfdfdfdfdfdfdfdf}

Note how update, which used to be 0x0, becomes some garbage memory address that is used. To fix, switch the order of the two steps.
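The ordering bug in the commit message, as an added example that is not nxengine-evo's own code: a C++ model of ODItem, Dialog, Clear and RunInput in which the activate hook for the "Graphics" entry rebuilds the dialog and so frees the item it was handed. Freed items are junked with 0xdf bytes and not immediately reused, the way OpenBSD's malloc treats freed chunks, so the original ordering reads the same 0xdfdfdfdfdfdfdfdf value that frame #1 of the backtrace shows (returned here rather than called, to avoid the SIGBUS), while the reordered version runs the update hook on a live item. The pool allocator, CountUpdate and the demo_* helpers are assumptions made for the example.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <vector>

// Model of the dialog code path in the backtrace, not nxengine-evo's code. ODItem,
// Dialog, Clear, RunInput and EnterGraphicsMenu follow the commit message; the pool
// allocator, CountUpdate and the demo_* helpers are assumptions.
struct ODItem;
typedef void (*ActivateFn)(ODItem *item, int dir);
typedef void (*UpdateFn)(ODItem *item);

struct ODItem {
  char text[100];
  int type;
  int id;
  UpdateFn update;     // optional refresh hook; 0x0 for "Graphics" in the trace
  ActivateFn activate; // selection hook
};

// Stand-in for malloc(3) with the one OpenBSD property that matters here: a freed
// chunk is filled with 0xdf and not handed out again right away, so a dangling
// pointer reads 0xdfdfdfdf... Objects here are never destroyed, so the stale read
// in RunInputOriginal is a meaningless but harmless read rather than a crash.
namespace pool {
static const size_t kSlots = 16;
static ODItem slots[kSlots];
static size_t cursor = 0;

void reset() {
  cursor = 0;
  std::memset(slots, 0xdf, sizeof slots);
}
ODItem *alloc() {
  ODItem *p = &slots[cursor++ % kSlots];
  std::memset(p, 0, sizeof *p);
  return p;
}
void release(ODItem *p) { std::memset(p, 0xdf, sizeof *p); } // junk on free
} // namespace pool

struct Dialog {
  std::vector<ODItem *> fItems;

  ODItem *AddItem(const char *text, UpdateFn update, ActivateFn activate) {
    ODItem *it = pool::alloc();
    std::strncpy(it->text, text, sizeof it->text - 1);
    it->type = 0;
    it->id = -1;
    it->update = update;
    it->activate = activate;
    fItems.push_back(it);
    return it;
  }
  // Frees every item, including the one RunInput still holds a pointer to.
  void Clear() {
    for (size_t i = 0; i < fItems.size(); i++) pool::release(fItems.at(i));
    fItems.clear();
  }
};

static Dialog g_dlg;  // the options dialog
static int g_updates; // how many times an update hook ran on a live item

static void CountUpdate(ODItem *) { g_updates++; }

// Activate hook for "Graphics": rebuilds the dialog as the graphics submenu,
// which frees the item that was passed in.
static void EnterGraphicsMenu(ODItem *, int) {
  g_dlg.Clear();
  g_dlg.AddItem("Resolution", CountUpdate, nullptr);
  g_dlg.AddItem("Fullscreen", CountUpdate, nullptr);
}

// Original order: activate first, then read item->update from storage that activate
// may have freed. Returns the address it would have jumped to instead of calling it.
uintptr_t RunInputOriginal(ODItem *item, int dir) {
  (*item->activate)(item, dir);
  if (item->update) return reinterpret_cast<uintptr_t>(item->update);
  return 0;
}

// Fixed order from the commit: use *item while it is alive, then hand off to activate.
uintptr_t RunInputFixed(ODItem *item, int dir) {
  if (item->update) (*item->update)(item);
  (*item->activate)(item, dir);
  return 0;
}

// Each scenario starts from a fresh pool and a one-entry menu.
static ODItem *build_menu(UpdateFn update) {
  g_dlg.fItems.clear();
  pool::reset();
  g_updates = 0;
  return g_dlg.AddItem("Graphics", update, EnterGraphicsMenu);
}
uintptr_t junk_pattern() { uintptr_t v; std::memset(&v, 0xdf, sizeof v); return v; }
uintptr_t demo_original() { return RunInputOriginal(build_menu(nullptr), 1); }
uintptr_t demo_fixed() { return RunInputFixed(build_menu(nullptr), 1); }
int demo_fixed_with_update() { RunInputFixed(build_menu(CountUpdate), 1); return g_updates; }
size_t menu_size() { return g_dlg.fItems.size(); }
```

demo_original() returns the all-0xdf pointer that the real binary fed to the retpoline thunk; demo_fixed() and demo_fixed_with_update() never touch the freed item. The same two orderings compiled against the real allocator under AddressSanitizer would report the read in RunInputOriginal as a heap-use-after-free, which is the quickest way to confirm this class of bug on platforms whose malloc does not junk freed memory.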