[GEN][ZH] Fix heap-buffer-overflow in getListboxBottomEntry #462

Open
wants to merge 2 commits into main from xezon/fix-memory-getlistboxbottomentry

Conversation

@xezon commented Mar 20, 2025

Checking entry at the bottom for smaller than 0 is a bit too late...

==24520==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x04f000f4 at pc 0x012666fa bp 0x00d3ea98 sp 0x00d3ea8c
READ of size 4 at 0x04f000f4 thread T0
==24520==WARNING: Failed to use and restart external symbolizer!
    #0 0x012666f9 in getListboxBottomEntry D:\Projects\TheSuperHackers\GeneralsGameCode\GeneralsMD\Code\GameEngine\Source\GameClient\GUI\Gadget\GadgetListBox.cpp:208
    #1 0x0125ff80 in GadgetListBoxAddEntryText D:\Projects\TheSuperHackers\GeneralsGameCode\GeneralsMD\Code\GameEngine\Source\GameClient\GUI\Gadget\GadgetListBox.cpp:2225
    #2 0x01286f5f in GadgetComboBoxSystem D:\Projects\TheSuperHackers\GeneralsGameCode\GeneralsMD\Code\GameEngine\Source\GameClient\GUI\Gadget\GadgetComboBox.cpp:511
    #3 0x01070abf in GameWindowManager::winSendSystemMsg D:\Projects\TheSuperHackers\GeneralsGameCode\GeneralsMD\Code\GameEngine\Source\GameClient\GUI\GameWindowManager.cpp:709
    #4 0x012852c8 in GadgetComboBoxAddEntry D:\Projects\TheSuperHackers\GeneralsGameCode\GeneralsMD\Code\GameEngine\Source\GameClient\GUI\Gadget\GadgetComboBox.cpp:930
    #5 0x01597ab7 in PopulateStartingCashComboBox D:\Projects\TheSuperHackers\GeneralsGameCode\GeneralsMD\Code\GameEngine\Source\GameNetwork\GUIUtil.cpp:345
    #6 0x01279814 in InitSkirmishGameGadgets D:\Projects\TheSuperHackers\GeneralsGameCode\GeneralsMD\Code\GameEngine\Source\GameClient\GUI\GUICallbacks\Menus\SkirmishGameOptionsMenu.cpp:1101
    #7 0x0127a8dd in SkirmishGameOptionsMenuInit D:\Projects\TheSuperHackers\GeneralsGameCode\GeneralsMD\Code\GameEngine\Source\GameClient\GUI\GUICallbacks\Menus\SkirmishGameOptionsMenu.cpp:1334
    #8 0x012f8456 in Shell::doPush D:\Projects\TheSuperHackers\GeneralsGameCode\GeneralsMD\Code\GameEngine\Source\GameClient\GUI\Shell\Shell.cpp:624
    #9 0x012f9dca in Shell::shutdownComplete D:\Projects\TheSuperHackers\GeneralsGameCode\GeneralsMD\Code\GameEngine\Source\GameClient\GUI\Shell\Shell.cpp:687
    #10 0x014797e3 in shutdownComplete D:\Projects\TheSuperHackers\GeneralsGameCode\GeneralsMD\Code\GameEngine\Source\GameClient\GUI\GUICallbacks\Menus\MainMenu.cpp:369
    #11 0x0147876e in MainMenuUpdate D:\Projects\TheSuperHackers\GeneralsGameCode\GeneralsMD\Code\GameEngine\Source\GameClient\GUI\GUICallbacks\Menus\MainMenu.cpp:966
    #12 0x012fa26f in Shell::update D:\Projects\TheSuperHackers\GeneralsGameCode\GeneralsMD\Code\GameEngine\Source\GameClient\GUI\Shell\Shell.cpp:196
    #13 0x0104e668 in GameClient::update D:\Projects\TheSuperHackers\GeneralsGameCode\GeneralsMD\Code\GameEngine\Source\GameClient\GameClient.cpp:769
    #14 0x00e443cf in GameEngine::update D:\Projects\TheSuperHackers\GeneralsGameCode\GeneralsMD\Code\GameEngine\Source\Common\GameEngine.cpp:770
    #15 0x0161d07d in Win32GameEngine::update D:\Projects\TheSuperHackers\GeneralsGameCode\GeneralsMD\Code\GameEngineDevice\Source\Win32Device\Common\Win32GameEngine.cpp:90
    #16 0x00e41aea in GameEngine::execute D:\Projects\TheSuperHackers\GeneralsGameCode\GeneralsMD\Code\GameEngine\Source\Common\GameEngine.cpp:845
    #17 0x00e2fc45 in GameMain D:\Projects\TheSuperHackers\GeneralsGameCode\GeneralsMD\Code\GameEngine\Source\Common\GameMain.cpp:44
    #18 0x00e28e77 in WinMain D:\Projects\TheSuperHackers\GeneralsGameCode\GeneralsMD\Code\Main\WinMain.cpp:1067
    #19 0x01b19812 in __scrt_common_main_seh D:\a\_work\1\s\src\vctools\crt\vcstartup\src\startup\exe_common.inl:288
    #20 0x777efcc8 in BaseThreadInitThunk+0x18 (C:\WINDOWS\System32\KERNEL32.DLL+0x6b81fcc8)
    #21 0x77a382ad in RtlGetAppContainerNamedObjectPath+0x11d (C:\WINDOWS\SYSTEM32\ntdll.dll+0x4b2e82ad)
    #22 0x77a3827d in RtlGetAppContainerNamedObjectPath+0xed (C:\WINDOWS\SYSTEM32\ntdll.dll+0x4b2e827d)

0x04f000f4 is located 12 bytes before 120-byte region [0x04f00100,0x04f00178)
allocated by thread T0 here:
    #0 0x565be7ed in malloc D:\a\_work\1\s\src\vctools\asan\llvm\compiler-rt\lib\asan\asan_malloc_win.cpp:134
    #1 0x00e2ae22 in DynamicMemoryAllocator::allocateBytesImplementation D:\Projects\TheSuperHackers\GeneralsGameCode\GeneralsMD\Code\GameEngine\Source\Common\System\GameMemory.cpp:2653
    #2 0x00e2a843 in operator new[] D:\Projects\TheSuperHackers\GeneralsGameCode\GeneralsMD\Code\GameEngine\Source\Common\System\GameMemory.cpp:3429
    #3 0x01262f53 in GadgetListBoxSetListLength D:\Projects\TheSuperHackers\GeneralsGameCode\GeneralsMD\Code\GameEngine\Source\GameClient\GUI\Gadget\GadgetListBox.cpp:2496
    #4 0x0106a8e0 in GameWindowManager::gogoGadgetListBox D:\Projects\TheSuperHackers\GeneralsGameCode\GeneralsMD\Code\GameEngine\Source\GameClient\GUI\GameWindowManager.cpp:2189
    #5 0x0106a4c7 in GameWindowManager::gogoGadgetComboBox D:\Projects\TheSuperHackers\GeneralsGameCode\GeneralsMD\Code\GameEngine\Source\GameClient\GUI\GameWindowManager.cpp:2536
    #6 0x01292011 in createGadget D:\Projects\TheSuperHackers\GeneralsGameCode\GeneralsMD\Code\GameEngine\Source\GameClient\GUI\GameWindowManagerScript.cpp:1868
    #7 0x01293253 in createWindow D:\Projects\TheSuperHackers\GeneralsGameCode\GeneralsMD\Code\GameEngine\Source\GameClient\GUI\GameWindowManagerScript.cpp:2083
    #8 0x012951f5 in parseWindow D:\Projects\TheSuperHackers\GeneralsGameCode\GeneralsMD\Code\GameEngine\Source\GameClient\GUI\GameWindowManagerScript.cpp:2455
    #9 0x01293aa8 in parseChildWindows D:\Projects\TheSuperHackers\GeneralsGameCode\GeneralsMD\Code\GameEngine\Source\GameClient\GUI\GameWindowManagerScript.cpp:2234
    #10 0x012950e5 in parseWindow D:\Projects\TheSuperHackers\GeneralsGameCode\GeneralsMD\Code\GameEngine\Source\GameClient\GUI\GameWindowManagerScript.cpp:2475
    #11 0x01293aa8 in parseChildWindows D:\Projects\TheSuperHackers\GeneralsGameCode\GeneralsMD\Code\GameEngine\Source\GameClient\GUI\GameWindowManagerScript.cpp:2234
    #12 0x012950e5 in parseWindow D:\Projects\TheSuperHackers\GeneralsGameCode\GeneralsMD\Code\GameEngine\Source\GameClient\GUI\GameWindowManagerScript.cpp:2475
    #13 0x01296290 in GameWindowManager::winCreateFromScript D:\Projects\TheSuperHackers\GeneralsGameCode\GeneralsMD\Code\GameEngine\Source\GameClient\GUI\GameWindowManagerScript.cpp:2869
    #14 0x00f2ee58 in WindowLayout::load D:\Projects\TheSuperHackers\GeneralsGameCode\GeneralsMD\Code\GameEngine\Source\GameClient\GUI\WindowLayout.cpp:216
    #15 0x0129638b in GameWindowManager::winCreateLayout D:\Projects\TheSuperHackers\GeneralsGameCode\GeneralsMD\Code\GameEngine\Source\GameClient\GUI\GameWindowManagerScript.cpp:2660
    #16 0x012f83df in Shell::doPush D:\Projects\TheSuperHackers\GeneralsGameCode\GeneralsMD\Code\GameEngine\Source\GameClient\GUI\Shell\Shell.cpp:614
    #17 0x012f9dca in Shell::shutdownComplete D:\Projects\TheSuperHackers\GeneralsGameCode\GeneralsMD\Code\GameEngine\Source\GameClient\GUI\Shell\Shell.cpp:687
    #18 0x014797e3 in shutdownComplete D:\Projects\TheSuperHackers\GeneralsGameCode\GeneralsMD\Code\GameEngine\Source\GameClient\GUI\GUICallbacks\Menus\MainMenu.cpp:369
    #19 0x0147876e in MainMenuUpdate D:\Projects\TheSuperHackers\GeneralsGameCode\GeneralsMD\Code\GameEngine\Source\GameClient\GUI\GUICallbacks\Menus\MainMenu.cpp:966
    #20 0x012fa26f in Shell::update D:\Projects\TheSuperHackers\GeneralsGameCode\GeneralsMD\Code\GameEngine\Source\GameClient\GUI\Shell\Shell.cpp:196
    #21 0x0104e668 in GameClient::update D:\Projects\TheSuperHackers\GeneralsGameCode\GeneralsMD\Code\GameEngine\Source\GameClient\GameClient.cpp:769
    #22 0x00e443cf in GameEngine::update D:\Projects\TheSuperHackers\GeneralsGameCode\GeneralsMD\Code\GameEngine\Source\Common\GameEngine.cpp:770
    #23 0x0161d07d in Win32GameEngine::update D:\Projects\TheSuperHackers\GeneralsGameCode\GeneralsMD\Code\GameEngineDevice\Source\Win32Device\Common\Win32GameEngine.cpp:90
    #24 0x00e41aea in GameEngine::execute D:\Projects\TheSuperHackers\GeneralsGameCode\GeneralsMD\Code\GameEngine\Source\Common\GameEngine.cpp:845
    #25 0x00e2fc45 in GameMain D:\Projects\TheSuperHackers\GeneralsGameCode\GeneralsMD\Code\GameEngine\Source\Common\GameMain.cpp:44
    #26 0x00e28e77 in WinMain D:\Projects\TheSuperHackers\GeneralsGameCode\GeneralsMD\Code\Main\WinMain.cpp:1067
    #27 0x01b19812 in __scrt_common_main_seh D:\a\_work\1\s\src\vctools\crt\vcstartup\src\startup\exe_common.inl:288

SUMMARY: AddressSanitizer: heap-buffer-overflow D:\Projects\TheSuperHackers\GeneralsGameCode\GeneralsMD\Code\GameEngine\Source\GameClient\GUI\Gadget\GadgetListBox.cpp:208 in getListboxBottomEntry
Shadow bytes around the buggy address:
  0x04effe00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x04effe80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x04efff00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x04efff80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x04f00000: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
=>0x04f00080: 00 00 00 00 00 00 00 fa fa fa fa fa fa fa[fa]fa
  0x04f00100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fa
  0x04f00180: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x04f00200: 00 00 00 00 00 00 04 fa fa fa fa fa fa fa fa fa
  0x04f00280: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 fa
  0x04f00300: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
Address Sanitizer Error: Heap buffer overflow

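The report above is the classic check-ordering mistake: the element is read first and the index is range-checked second, so once the walk runs off the front of the array the first read with a negative index lands in the heap redzone just below the allocation (the report shows a 4-byte read 12 bytes before the 120-byte region allocated by GadgetListBoxSetListLength). The following is an added example and not the project's code from GadgetListBox.cpp; the names ListEntry, listHeight, endPos and the "zero height means empty slot" convention are assumptions for illustration only. It puts the unchecked loop next to the corrected one and routes the reads through an instrumented accessor, so the attempted out-of-bounds read can be observed without invoking undefined behaviour.

```cpp
// Added example (not the project's code). Names and the "listHeight == 0
// means empty slot" convention are assumptions made for illustration.
#include <vector>

struct ListEntry {
    int listHeight;   // 0: nothing visible in this slot (assumed semantics)
};

// Minimal stand-in for the listbox state: a slot array and the index of the
// last slot the listbox currently treats as the end of the list.
struct ListboxState {
    std::vector<ListEntry> entries;
    int endPos;
};

// Instrumented accessor: instead of dereferencing out of bounds it records the
// first bad index and returns 0, so a caller can observe the attempted overflow
// safely. Under AddressSanitizer the real read of entries[-1] is what gets
// reported as a heap-buffer-overflow below the allocation.
struct ReadProbe {
    bool outOfBounds = false;
    int badIndex = 0;
    int read(const ListboxState& s, int idx) {
        if (idx < 0 || idx >= static_cast<int>(s.entries.size())) {
            if (!outOfBounds) { outOfBounds = true; badIndex = idx; }
            return 0;
        }
        return s.entries[idx].listHeight;
    }
};

// BEFORE: the element is read first, the index checked second. When every
// slot from endPos down to 0 is empty, the loop reads entries[-1] before the
// range check gets a chance to stop it.
int bottomEntryUnchecked(const ListboxState& s, ReadProbe& probe) {
    int bottom = s.endPos;
    while (probe.read(s, bottom) == 0 && bottom >= 0)
        bottom--;
    return bottom;   // -1 when no slot has a height
}

// AFTER: the index is validated before the element is read. Because && short-
// circuits, entries[bottom] is never touched with a negative index.
int bottomEntryChecked(const ListboxState& s, ReadProbe& probe) {
    int bottom = s.endPos;
    while (bottom >= 0 && probe.read(s, bottom) == 0)
        bottom--;
    return bottom;
}

// Constructed sample: three slots, none populated yet. This is the state a
// freshly created combo box list is in before its first entry is added.
ListboxState emptyListbox() {
    return ListboxState{ { {0}, {0}, {0} }, 2 };
}

// Constructed sample: only the middle slot is populated.
ListboxState partiallyFilledListbox() {
    return ListboxState{ { {0}, {16}, {0} }, 2 };
}
```

The only difference between the two loops is the order of the two operands of &&; the unchecked version returns the same result on the happy path, which is why the bug only shows up on an empty list and only under a sanitizer or a guard page.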
@xezon xezon added Bug Something is not working right Minor Severity: Minor < Major < Critical < Blocker ZeroHour Relates to Zero Hour labels Mar 20, 2025
@Mauller Mauller force-pushed the xezon/fix-memory-getlistboxbottomentry branch from 1feafe4 to a6b2292 Compare March 30, 2025 14:26
@Mauller Mauller changed the title Fix: heap-buffer-overflow in getListboxBottomEntry [GEN][ZH] Fix: heap-buffer-overflow in getListboxBottomEntry Mar 30, 2025
@Mauller commented Mar 30, 2025

Updated commit naming and added the Generals version of the fix.

@xezon xezon changed the title [GEN][ZH] Fix: heap-buffer-overflow in getListboxBottomEntry [GEN][ZH] Fix heap-buffer-overflow in getListboxBottomEntry Mar 30, 2025