
out of bounds array access to map cache in cata_tiles::draw_critter_above #73754

Closed
mischief opened this issue May 14, 2024 · 3 comments · Fixed by #73756
Labels
(S1 - Need confirmation) Report waiting on confirmation of reproducibility

Comments

@mischief
Contributor

Describe the bug

#0  0x00007f4e7d48d08c in ?? () from /usr/lib64/libc.so.6
#1  0x00007f4e7d43f112 in raise () from /usr/lib64/libc.so.6
#2  0x00007f4e7d4284f2 in abort () from /usr/lib64/libc.so.6
#3  0x00007f4e7d6d69e9 in std::__glibcxx_assert_fail (file=file@entry=0x560ee8f1ba80 "/usr/lib/gcc/x86_64-pc-linux-gnu/13/include/g++-v13/array", line=line@entry=0xca, function=function@entry=0x560ee8f35798 "constexpr std::array<_Tp, _Nm>::value_type& std::array<_Tp, _Nm>::operator[](size_type) [with _Tp = std::unique_ptr<level_cache>; long unsigned int _Nm = 21; reference = std::unique_ptr<level_cache>&;"..., condition=condition@entry=0x560ee8ecdeea "__n < this->size()") at /var/tmp/portage/sys-devel/gcc-13.2.1_p20240503/work/gcc-13-20240503/libstdc++-v3/src/c++11/assert_fail.cc:41
#4  0x0000560ee7937867 in std::array<std::unique_ptr<level_cache, std::default_delete<level_cache> >, 21ul>::operator[] (this=<optimized out>, __n=<optimized out>) at /usr/lib/gcc/x86_64-pc-linux-gnu/13/include/g++-v13/array:200
#5  std::array<std::unique_ptr<level_cache, std::default_delete<level_cache> >, 21ul>::operator[] (__n=<optimized out>, this=<optimized out>) at /usr/lib/gcc/x86_64-pc-linux-gnu/13/include/g++-v13/array:200
#6  map::get_cache (this=<optimized out>, zlev=<optimized out>) at ../src/map.h:2337
#7  0x0000560ee7a06af5 in map::dont_draw_lower_floor (this=this@entry=0x560eec31b290, p=...) at ../src/map.cpp:7106
#8  0x0000560ee890af5b in cata_tiles::draw_critter_above (this=this@entry=0x560eec35ec20, p=..., ll=ll@entry=lit_level::BRIGHT, height_3d=@0x560f0038fb1c: 0x0, invisible=...) at ../src/cata_tiles.cpp:4141
#9  0x0000560ee8911ae9 in cata_tiles::draw (this=0x560eec35ec20, dest=..., center=..., width=<optimized out>, height=<optimized out>, overlay_strings=std::multimap with 0 elements, color_blocks={...}) at ../src/cata_tiles.cpp:1752
#10 0x0000560ee83869bc in cata_cursesport::curses_drawwindow (w=...) at ../src/sdltiles.cpp:1288
#11 0x0000560ee732c1c5 in catacurses::wnoutrefresh (win_=...) at ../src/cursesport.cpp:189
#12 0x0000560ee7458ea4 in game::draw (this=0x560eec348a50, ui=...) at ../src/game.cpp:3996
#13 0x0000560ee84cfe51 in std::function<void (ui_adaptor&)>::operator()(ui_adaptor&) const (__args#0=..., this=0x560eed530a68) at /usr/lib/gcc/x86_64-pc-linux-gnu/13/include/g++-v13/bits/std_function.h:591
#14 ui_adaptor::redraw_invalidated () at ../src/ui_manager.cpp:440
#15 0x0000560ee84d00bd in ui_adaptor::redraw () at ../src/ui_manager.cpp:345
#16 0x0000560ee84d04e5 in ui_manager::redraw () at ../src/ui_manager.cpp:506
#17 0x0000560ee735d5d6 in do_turn () at ../src/do_turn.cpp:570
#18 0x0000560ee6ff7bb5 in main (argc=<optimized out>, argv=<optimized out>) at ../src/main.cpp:868

In cata_tiles::draw_critter_above, scan_p.z becomes 11, which breaks the bounds of the map cache by 1 in map::dont_draw_lower_floor.

Attach save file

N/A

Steps to reproduce

I was standing on a radio tower.

Expected behavior

not crashing.

Screenshots

No response

Versions and configuration

cdda-experimental-2024-05-12-2300-6-g8ef4be2a5e / gentoo

Additional context

No response

@mischief mischief added the (S1 - Need confirmation) Report waiting on confirmation of reproducibility label May 14, 2024
@mischief
Contributor Author

duplicates #73530

@mischief
Contributor Author

nvm, #73653 is incomplete. The bounds check needs to happen before dont_draw_lower_floor is called.

@mischief mischief reopened this May 14, 2024
mischief added a commit to mischief/Cataclysm-DDA that referenced this issue May 14, 2024
when walking up the z levels, make sure we don't go out of bounds in the
caches.

PR CleverRaven#73653 tried to fix this, but the check needs to happen before we
index the cache array by z-level, not after.

fixes CleverRaven#73754.
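A small model of the failure described above and of the ordering the commit message calls for. This is an added example, not Cataclysm-DDA's own code: toy_map, scan_up and scan_result are stand-ins, and the OVERMAP_DEPTH/OVERMAP_HEIGHT/OVERMAP_LAYERS values are assumed to mirror the game's z-level layout (z in [-10, 10], which gives the 21-element array seen in the backtrace).

```cpp
#include <array>
#include <memory>
#include <stdexcept>

// Assumed layout, mirroring CDDA's overmap constants: z in [-10, 10] gives
// 21 level caches, which matches the _Nm = 21 array in the backtrace.
constexpr int OVERMAP_DEPTH  = 10;
constexpr int OVERMAP_HEIGHT = 10;
constexpr int OVERMAP_LAYERS = OVERMAP_DEPTH + OVERMAP_HEIGHT + 1;

struct level_cache { bool floor_present = true; };

struct toy_map {
    std::array<std::unique_ptr<level_cache>, OVERMAP_LAYERS> caches;

    toy_map() { for( auto &c : caches ) { c = std::make_unique<level_cache>(); } }

    // Hardened lookup: at() makes the off-by-one a defined exception, not UB.
    level_cache &get_cache( int zlev ) { return *caches.at( zlev + OVERMAP_DEPTH ); }

    // Stand-in for map::dont_draw_lower_floor: any call indexes the cache for z.
    bool dont_draw_lower_floor( int z ) { return get_cache( z ).floor_present; }
};

// Walks upward from start_z like draw_critter_above and returns the highest z
// whose cache was consulted. check_first = true is the fixed ordering (bounds
// check before the cache access); false is the original ordering (access first).
int scan_up( toy_map &m, int start_z, bool check_first )
{
    int z = start_z;
    while( true ) {
        if( check_first && z > OVERMAP_HEIGHT ) break;   // fixed: never index z = 11
        m.dont_draw_lower_floor( z );                    // indexes caches[z + 10]
        if( !check_first && z > OVERMAP_HEIGHT ) break;  // original: already indexed
        ++z;
    }
    return z - 1;
}

// Runs the scan on a fresh map and returns the highest z consulted, or
// OUT_OF_RANGE if the scan indexed past the array (the original ordering).
constexpr int OUT_OF_RANGE = -999;
int scan_result( int start_z, bool check_first )
{
    toy_map m;
    try { return scan_up( m, start_z, check_first ); }
    catch( const std::out_of_range & ) { return OUT_OF_RANGE; }
}
```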
@mischief
Contributor Author

To reproduce, walk up the radio tower.

charlotte_park.tgz

dseguin pushed a commit that referenced this issue May 14, 2024
when walking up the z levels, make sure we don't go out of bounds in the
caches.

PR #73653 tried to fix this, but the check needs to happen before we
index the cache array by z-level, not after.

fixes #73754.