Tweet
OK thanks, will play with it some more later.
-
One for the Dark Lord on his dark throne
In the Land of Mordor where the Shadows lie. -
Just because I still have the terminal window open, here's one of the heap-buffer overflows:
(a minor detail changed for privacy reasons; GAME_DIR.)Code:================================================================= ==5429==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x619000058b90 at pc 0x7efef826f6f9 bp 0x7ffe89c4c490 sp 0x7ffe89c4bc38 READ of size 1036 at 0x619000058b90 thread T0 #0 0x7efef826f6f8 in __interceptor_wcslen /build/gcc/src/gcc/libsanitizer/asan/asan_interceptors.cc:590 #1 0x748edb in vstrnfmt GAME_DIR/src/z-form.c:460 #2 0x746a9d in file_vputf GAME_DIR/src/z-file.c:642 #3 0x74697f in file_putf GAME_DIR/src/z-file.c:624 #4 0x74f8ee in textblock_to_file GAME_DIR/src/z-textblock.c:339 #5 0x553518 in object_info_spoil GAME_DIR/src/obj-info.c:1882 #6 0x738345 in spoil_artifact GAME_DIR/src/wiz-spoil.c:411 #7 0x73a69c in spoiler_menu_act GAME_DIR/src/wiz-spoil.c:676 #8 0x6b48f9 in menu_action_handle GAME_DIR/src/ui-menu.c:102 #9 0x6bb86b in menu_handle_action GAME_DIR/src/ui-menu.c:661 #10 0x6bcf39 in menu_select GAME_DIR/src/ui-menu.c:797 #11 0x73a7d8 in do_cmd_spoilers GAME_DIR/src/wiz-spoil.c:709 #12 0x674208 in death_spoilers GAME_DIR/src/ui-death.c:331 #13 0x6b48f9 in menu_action_handle GAME_DIR/src/ui-menu.c:102 #14 0x6bb86b in menu_handle_action GAME_DIR/src/ui-menu.c:661 #15 0x6bcf39 in menu_select GAME_DIR/src/ui-menu.c:797 #16 0x674514 in death_screen GAME_DIR/src/ui-death.c:396 #17 0x688fb0 in close_game GAME_DIR/src/ui-game.c:564 #18 0x688937 in play_game GAME_DIR/src/ui-game.c:437 #19 0x7563f5 in main GAME_DIR/src/main.c:524 #20 0x7efef64bf290 in __libc_start_main (/usr/lib/libc.so.6+0x20290) #21 0x404239 in _start (GAME_DIR/src/angband+0x404239) 0x619000058b90 is located 0 bytes to the right of 1040-byte region [0x619000058780,0x619000058b90) allocated by thread T0 here: #0 0x7efef82f0210 in __interceptor_realloc /build/gcc/src/gcc/libsanitizer/asan/asan_malloc_linux.cc:75 #1 0x7542de in mem_realloc GAME_DIR/src/z-virt.c:75 #2 0x74d99a in textblock_resize_if_needed GAME_DIR/src/z-textblock.c:81 #3 0x74dc9f in textblock_vappend_c GAME_DIR/src/z-textblock.c:116 #4 0x74e672 in textblock_append GAME_DIR/src/z-textblock.c:173 #5 0x542973 in info_out_list GAME_DIR/src/obj-info.c:155 #6 0x543f2f in describe_ignores GAME_DIR/src/obj-info.c:359 #7 0x552c40 in object_info_out GAME_DIR/src/obj-info.c:1785 #8 0x5534fa in object_info_spoil GAME_DIR/src/obj-info.c:1881 #9 0x738345 in spoil_artifact GAME_DIR/src/wiz-spoil.c:411 #10 0x73a69c in spoiler_menu_act GAME_DIR/src/wiz-spoil.c:676 #11 0x6b48f9 in menu_action_handle GAME_DIR/src/ui-menu.c:102 #12 0x6bb86b in menu_handle_action GAME_DIR/src/ui-menu.c:661 #13 0x6bcf39 in menu_select GAME_DIR/src/ui-menu.c:797 #14 0x73a7d8 in do_cmd_spoilers GAME_DIR/src/wiz-spoil.c:709 #15 0x674208 in death_spoilers GAME_DIR/src/ui-death.c:331 #16 0x6b48f9 in menu_action_handle GAME_DIR/src/ui-menu.c:102 #17 0x6bb86b in menu_handle_action GAME_DIR/src/ui-menu.c:661 #18 0x6bcf39 in menu_select GAME_DIR/src/ui-menu.c:797 #19 0x674514 in death_screen GAME_DIR/src/ui-death.c:396 #20 0x688fb0 in close_game GAME_DIR/src/ui-game.c:564 #21 0x688937 in play_game GAME_DIR/src/ui-game.c:437 #22 0x7563f5 in main GAME_DIR/src/main.c:524 #23 0x7efef64bf290 in __libc_start_main (/usr/lib/libc.so.6+0x20290) SUMMARY: AddressSanitizer: heap-buffer-overflow /build/gcc/src/gcc/libsanitizer/asan/asan_interceptors.cc:590 in __interceptor_wcslen Shadow bytes around the buggy address: 0x0c3280003120: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c3280003130: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c3280003140: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c3280003150: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c3280003160: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 =>0x0c3280003170: 00 00[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c3280003180: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c3280003190: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c32800031a0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c32800031b0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c32800031c0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Heap right redzone: fb Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack partial redzone: f4 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb ==5429==ABORTING
The "0 bytes right of" makes me suspect that it's an off-by-one.Comment
-
OK, I have this working now - the trick is to do
and everything works.Code:CC=clang ./configure <configure switches> SANITIZE_FLAGS="-fsanitize=address,undefined" make
As a side note, my default gcc is 4.8.5;
works pretty much exactly the same.Code:CC=gcc-5 ./configure <configure switches> SANITIZE_FLAGS="-fsanitize=address,undefined" make
One for the Dark Lord on his dark throne
In the Land of Mordor where the Shadows lie.Comment
-
I have a Ring of Digging that I'm activating at a granite wall. Nothing happens
. It's been a while since I've used one, but shouldn't it make a hole? Or is it not effective against granite?
Comment
-
I don't know if I missed a new command or creative way of doing things, but it seems that there is no way to drop items from your quiver in 4.0.5.
I was using a sling, and upgraded to a short bow. I wanted to get rid of my pebbles/iron shots but when I tried to drop them (using the "d" command) they weren't listed anywhere. I had to shoot them, individually, from my quiver just to get rid of them. Surely there must be a better way....
EDIT: Never mind, I figured it out. The method of dropping items from a quiver changed since 3.4.1, and I didn't read the prompts. It's pretty obvious if you actually do that. Nothing to see here, move along....Last edited by Medieval; December 26, 2016, 07:38.Comment
-
Last edited by Nick; December 26, 2016, 22:50.One for the Dark Lord on his dark throne
In the Land of Mordor where the Shadows lie.Comment
-
OK, latest build (a41a202) has the stone to mud and projection issues fixed.One for the Dark Lord on his dark throne
In the Land of Mordor where the Shadows lie.Comment
-
36ded51 is crashing on load on Mac OSX Yosemite (Dec 28)
EDIT: 93f2a7d is opening fine (Dec 27)Cloning Nightwalkers for XP
I should probably take note of this.Originally posted by Pete MackComment
-
Yes, sorry, I meant to post about that one (I was waiting for it to build, and got distracted).
36ded51 breaks savefiles, and also doesn't load previous lore.txt files any more. The trick of copying monster.txt to lore.txt for full monster memory still works, or if you want to use your previous lore.txt you can go through and replace every line like this
with thisCode:name:22:large brown snake
- so remove the numbers from the name: lines.Code:name:large brown snake
EDIT: I should say, too, that there will be a bit of savefile breaking in the next few builds. I'm going through and removing the numbers from the name: lines in all the other text files (object.txt, artifact.txt, terrain.txt, etc) as well.One for the Dark Lord on his dark throne
In the Land of Mordor where the Shadows lie.Comment
-
In 4.0.3-579-g36ded51 I got:
Looks like the race field points to garbage, but I haven't poked around the code to confirm my interpretation.Code:Program received signal SIGSEGV, Segmentation fault. 0x00007ffff6dc7bb5 in malloc_consolidate () from /lib64/libc.so.6 (gdb) bt #0 0x00007ffff6dc7bb5 in malloc_consolidate () from /lib64/libc.so.6 #1 0x00007ffff6dc8836 in _int_free () from /lib64/libc.so.6 #2 0x00000000004e5a8a in mem_free (p=0xdba2b8) at z-virt.c:65 #3 0x0000000000403e98 in cave_free (c=0xbeba88) at cave.c:179 #4 0x000000000041e674 in cave_generate (c=0x74b900 <cave>, p=0x93b418) at generate.c:945 #5 0x000000000041c312 in run_game_loop () at game-world.c:840 #6 0x00000000004ae2d3 in play_game (new_game=false) at ui-game.c:433 #7 0x00000000004e662d in main (argc=1, argv=0x7fffffffdc48) at main.c:524 (gdb) up #1 0x00007ffff6dc8836 in _int_free () from /lib64/libc.so.6 (gdb) #2 0x00000000004e5a8a in mem_free (p=0xdba2b8) at z-virt.c:65 65 free((char *)p - sizeof(size_t)); (gdb) up #3 0x0000000000403e98 in cave_free (c=0xbeba88) at cave.c:179 179 mem_free(c->monsters); (gdb) print *c $1 = {name = 0x0, created_at = 85929, depth = 0, feeling = 0 '\000', obj_rating = 0, mon_rating = 0, good_item = false, height = 52, width = 166, feeling_squares = 0, feat_count = 0x80d918, squares = 0xdb9fe8, objects = 0xd61408, obj_max = 127, monsters = 0xdba2b8, mon_max = 1, mon_cnt = 0, mon_current = -1} (gdb) print *c->monsters $2 = {race = 0xdb9fd0, midx = 0, fy = 0 '\000', fx = 0 '\000', hp = 0, maxhp = 0, m_timed = {0, 0, 0, 0, 0, 0}, mspeed = 0 '\000', energy = 0 '\000', cdis = 0 '\000', mflag = "\000", mimicked_obj = 0x0, held_obj = 0x0, attr = 0 '\000', known_pstate = {stat_add = {0, 0, 0, 0, 0}, stat_ind = {0, 0, 0, 0, 0}, stat_use = {0, 0, 0, 0, 0}, stat_top = {0, 0, 0, 0, 0}, skills = {0, 0, 0, 0, 0, 0, 0, 0, 0}, speed = 0, num_blows = 0, num_shots = 0, ammo_mult = 0, ammo_tval = 0, ac = 0, to_a = 0, to_h = 0, to_d = 0, see_infra = 0, cur_light = 0, noise = 0, heavy_wield = false, heavy_shoot = false, icky_wield = false, cumber_armor = false, cumber_glove = false, flags = "\000\000\000\000", pflags = "\000", el_info = {{res_level = 0, flags = 0 '\000'} <repeats 25 times>}}, ty = 0 '\000', tx = 0 '\000', min_range = 0 '\000', best_range = 0 '\000'} (gdb) print *c->monsters->race $3 = {next = 0x10000, ridx = 433, name = 0xdba2a0 "", text = 0xd63020 " ", plural = 0xb33448 "\260Ă•´", base = 0xcd7818, avg_hp = 11234040, ac = 0, sleep = 11240696, aaf = 0, speed = 11851208, mexp = 0, freq_innate = 11857864, freq_spell = 0, spell_power = 11762104, flags = "\000\000\000\000\270\223\263\000\000", spell_flags = "\000\000\270\255\263\000\000\000\000\000h", blow = 0xc7b468, level = 13094504, rarity = 0, d_attr = 72 'H', d_char = 0 L'\000', max_num = 72 'H', cur_num = 0, drops = 0xb27448, friends = 0xb28e48, friends_base = 0xb2a848, mimic_kinds = 0xb2c248} (gdb) cont Continuing. ^C Program received signal SIGINT, Interrupt. 0x00007ffff6e5138b in __lll_lock_wait_private () from /lib64/libc.so.6 (gdb) kill Kill the program being debugged? (y or n) y (gdb)
Most frustrating, when I continued, it blocked inside libc; I had to kill the program. When I attempted to restart, I discovered that it never saved.Comment
-
And here's another one:
Code:angband: effects.c:695: effect_handler_DRAIN_MANA: Assertion `context->origin.what == SRC_MONSTER' failed. Program received signal SIGABRT, Aborted. 0x00007ffff6d7f979 in raise () from /lib64/libc.so.6 (gdb) bt #0 0x00007ffff6d7f979 in raise () from /lib64/libc.so.6 #1 0x00007ffff6d81088 in abort () from /lib64/libc.so.6 #2 0x00007ffff6d78966 in __assert_fail_base () from /lib64/libc.so.6 #3 0x00007ffff6d78a12 in __assert_fail () from /lib64/libc.so.6 #4 0x0000000000412616 in effect_handler_DRAIN_MANA (context=0x7fffffffd880) at effects.c:695 #5 0x0000000000419e54 in effect_do (effect=0x7fd788, origin=..., obj=0x0, ident=0x7fffffffd94f, aware=false, dir=0, beam=0, boost=0) at effects.c:4486 #6 0x00000000004a10df in hit_trap (y=34, x=77) at trap.c:433 #7 0x000000000040c083 in do_cmd_disarm_aux (y=34, x=77) at cmd-cave.c:750 #8 0x000000000040c53b in do_cmd_alter_aux (dir=8) at cmd-cave.c:878 #9 0x000000000040c739 in move_player (dir=8, disarm=true) at cmd-cave.c:933 #10 0x000000000040cf7c in do_cmd_walk (cmd=0x74bf70 <cmd_queue+1584>) at cmd-cave.c:1125 #11 0x000000000040d9b5 in process_command (ctx=CMD_GAME, cmd=0x74bf70 <cmd_queue+1584>) at cmd-core.c:222 #12 0x000000000040daae in cmdq_pop (c=CMD_GAME) at cmd-core.c:250 #13 0x000000000041bd86 in process_player () at game-world.c:666 #14 0x000000000041c011 in run_game_loop () at game-world.c:761 #15 0x00000000004ae2d3 in play_game (new_game=false) at ui-game.c:433 #16 0x00000000004e662d in main (argc=1, argv=0x7fffffffdc48) at main.c:524 (gdb)Comment
I was unaware of the "gcc-5" thing -- it must be a Debian/Ubuntu/Fedora thing? I'm on Arch Linux, FWIW.
Comment