0003976: Possible Problems With Dehacked Lumps in Vanilla Wads

DrinkyBird was burned by an imp. malloc(): invalid size (unsorted) [Thread 0x7ffff5e13700 (LWP 25031) exited] --Type <RET> for more, q to quit, c to continue without paging-- Thread 1 "zandronum-serve" received signal SIGABRT, Aborted. __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50 50 ../sysdeps/unix/sysv/linux/raise.c: No such file or directory. (gdb) info sharedlibrary From To Syms Read Shared Object Library 0x00007ffff7fd0100 0x00007ffff7ff2674 Yes (*) /lib64/ld-linux-x86-64.so.2 0x00007ffff7f1b640 0x00007ffff7f685d2 Yes (*) /lib/x86_64-linux-gnu/libSDL-1.2.so.0 0x00007ffff7ef4ae0 0x00007ffff7f044d5 Yes /lib/x86_64-linux-gnu/libpthread.so.0 0x00007ffff7ee5720 0x00007ffff7ee8d70 Yes /lib/x86_64-linux-gnu/librt.so.1 0x00007ffff7ec8280 0x00007ffff7ed8e2b Yes (*) /lib/x86_64-linux-gnu/libz.so.1 0x00007ffff7ca5680 0x00007ffff7cbe402 Yes (*) /lib/x86_64-linux-gnu/libjpeg.so.62 0x00007ffff7c91240 0x00007ffff7c9dec6 Yes (*) /lib/x86_64-linux-gnu/libbz2.so.1.0 0x00007ffff7a30000 0x00007ffff7bc9eb0 Yes (*) /lib/x86_64-linux-gnu/libcrypto.so.1.1 0x00007ffff79b2220 0x00007ffff79b3179 Yes /lib/x86_64-linux-gnu/libdl.so.2 0x00007ffff786d160 0x00007ffff7955452 Yes (*) /lib/x86_64-linux-gnu/libstdc++.so.6 0x00007ffff768f3c0 0x00007ffff7735f18 Yes /lib/x86_64-linux-gnu/libm.so.6 0x00007ffff76685e0 0x00007ffff7679045 Yes (*) /lib/x86_64-linux-gnu/libgcc_s.so.1 0x00007ffff7498630 0x00007ffff760d20d Yes /lib/x86_64-linux-gnu/libc.so.6 0x00007ffff73a1380 0x00007ffff742e146 Yes (*) /lib/x86_64-linux-gnu/libasound.so.2 0x00007ffff73715e0 0x00007ffff7372828 Yes (*) /lib/x86_64-linux-gnu/libpulse-simple.so.0 0x00007ffff7327f60 0x00007ffff7355ab1 Yes (*) /lib/x86_64-linux-gnu/libpulse.so.0 0x00007ffff71f60c0 0x00007ffff727f766 Yes (*) /lib/x86_64-linux-gnu/libX11.so.6 0x00007ffff71cc5e0 0x00007ffff71d684e Yes (*) /lib/x86_64-linux-gnu/libXext.so.6 0x00007ffff71069e0 0x00007ffff71191d2 Yes (*) /lib/x86_64-linux-gnu/libcaca.so.0 0x00007ffff708b3e0 0x00007ffff70d0002 Yes (*) /usr/lib/x86_64-linux-gnu/pulseaudio/libpulsecommon-13.99.so 0x00007ffff7032eb0 0x00007ffff705f915 Yes (*) /lib/x86_64-linux-gnu/libdbus-1.so.3 0x00007ffff7008620 0x00007ffff701b699 Yes (*) /lib/x86_64-linux-gnu/libxcb.so.1 0x00007ffff6d52620 0x00007ffff6df3a54 Yes (*) /lib/x86_64-linux-gnu/libslang.so.2 0x00007ffff6cd5110 0x00007ffff6cfa9d2 Yes (*) /lib/x86_64-linux-gnu/libncursesw.so.6 0x00007ffff6ca86a0 0x00007ffff6cb617c Yes (*) /lib/x86_64-linux-gnu/libtinfo.so.6 0x00007ffff6bfcbc0 0x00007ffff6c6f780 Yes (*) /lib/x86_64-linux-gnu/libsystemd.so.0 0x00007ffff6be2b20 0x00007ffff6be688c Yes (*) /lib/x86_64-linux-gnu/libwrap.so.0 0x00007ffff6b68fa0 0x00007ffff6bbaf05 Yes (*) /lib/x86_64-linux-gnu/libsndfile.so.1 0x00007ffff695c1d0 0x00007ffff695e848 Yes (*) /lib/x86_64-linux-gnu/libasyncns.so.0 0x00007ffff69498c0 0x00007ffff6951380 Yes (*) /lib/x86_64-linux-gnu/libapparmor.so.1 0x00007ffff693f360 0x00007ffff6940052 Yes (*) /lib/x86_64-linux-gnu/libXau.so.6 0x00007ffff69381a0 0x00007ffff6939a03 Yes (*) /lib/x86_64-linux-gnu/libXdmcp.so.6 0x00007ffff69103c0 0x00007ffff69273a6 Yes (*) /lib/x86_64-linux-gnu/liblzma.so.5 0x00007ffff68ee120 0x00007ffff69078fb Yes (*) /lib/x86_64-linux-gnu/liblz4.so.1 0x00007ffff67da580 0x00007ffff68a79dc Yes (*) /lib/x86_64-linux-gnu/libgcrypt.so.20 0x00007ffff67b4d20 0x00007ffff67c3711 Yes /lib/x86_64-linux-gnu/libnsl.so.1 0x00007ffff6779800 0x00007ffff67a1c33 Yes (*) /lib/x86_64-linux-gnu/libFLAC.so.8 0x00007ffff6766480 0x00007ffff676a539 Yes (*) /lib/x86_64-linux-gnu/libogg.so.0 0x00007ffff6739480 0x00007ffff674fc4d Yes (*) /lib/x86_64-linux-gnu/libvorbis.so.0 0x00007ffff669f0c0 0x00007ffff66a177e Yes (*) /lib/x86_64-linux-gnu/libvorbisenc.so.2 0x00007ffff6673720 0x00007ffff668211c Yes /lib/x86_64-linux-gnu/libresolv.so.2 0x00007ffff6657e40 0x00007ffff6665e69 Yes (*) /lib/x86_64-linux-gnu/libbsd.so.0 0x00007ffff6634c60 0x00007ffff6646a92 Yes (*) /lib/x86_64-linux-gnu/libgpg-error.so.0 0x00007ffff5e175c0 0x00007ffff5e1da1c Yes /lib/x86_64-linux-gnu/libnss_files.so.2 0x00007ffff7fbc3a0 0x00007ffff7fbd84a Yes (*) /lib/x86_64-linux-gnu/libnss_mdns4_minimal.so.2 0x00007ffff7fb4320 0x00007ffff7fb7998 Yes /lib/x86_64-linux-gnu/libnss_dns.so.2 (*): Shared library is missing debugging information. (gdb) info threads Id Target Id Frame * 1 Thread 0x7ffff66297c0 (LWP 21515) "zandronum-serve" __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50 2 Thread 0x7ffff6628700 (LWP 21519) "zandronum-serve" 0x00007ffff75533bf in __GI___clock_nanosleep (clock_id=clock_id@entry=0, flags=flags@entry=0, req=0x7ffff6627de0, rem=0x7ffff6627dd0) at ../sysdeps/unix/sysv/linux/clock_nanosleep.c:78 3 Thread 0x7ffff7fc77c0 (LWP 21520) "zandronum-serve" 0x00007ffff7ee89dd in timer_helper_thread (arg=<optimized out>) at ../sysdeps/unix/sysv/linux/timer_routines.c:89 (gdb) info float R7: Empty 0x00000000000000000000 R6: Empty 0x00000000000000000000 R5: Empty 0x00000000000000000000 R4: Empty 0x00000000000000000000 R3: Empty 0x00000000000000000000 R2: Empty 0x00000000000000000000 R1: Empty 0x00000000000000000000 =>R0: Empty 0x00000000000000000000 Status Word: 0x0000 TOP: 0 Control Word: 0x027f IM DM ZM OM UM PM PC: Double Precision (53-bits) RC: Round to nearest Tag Word: 0xffff Instruction Pointer: 0x00:0x00000000 Operand Pointer: 0x00:0x00000000 Opcode: 0x0000 (gdb) info registers rax 0x0 0 rbx 0x7ffff66297c0 140737327044544 rcx 0x7ffff74b918b 140737342312843 rdx 0x0 0 rsi 0x7fffffffc060 140737488339040 rdi 0x2 2 rbp 0x7fffffffc3b0 0x7fffffffc3b0 rsp 0x7fffffffc060 0x7fffffffc060 r8 0x0 0 r9 0x7fffffffc060 140737488339040 r10 0x8 8 r11 0x246 582 r12 0x7fffffffc2d0 140737488339664 r13 0x10 16 r14 0x7ffff7ffb000 140737354117120 r15 0x1 1 rip 0x7ffff74b918b 0x7ffff74b918b <__GI_raise+203> eflags 0x246 [ PF ZF IF ] cs 0x33 51 ss 0x2b 43 ds 0x0 0 es 0x0 0 fs 0x0 0 gs 0x0 0 (gdb) thread apply all backtrace full Thread 3 (Thread 0x7ffff7fc77c0 (LWP 21520)): #0 0x00007ffff7ee89dd in timer_helper_thread (arg=<optimized out>) at ../sysdeps/unix/sysv/linux/timer_routines.c:89 __arg4 = 8 __arg2 = 140737353903744 _a3 = 0 _a1 = 140737353903616 resultvar = <optimized out> __arg3 = 0 __arg1 = 140737353903616 _a4 = 8 _a2 = 140737353903744 resultvar = <optimized out> sc_cancel_oldtype = 0 sc_ret = <optimized out> si = {si_signo = 32, si_errno = 0, si_code = -2, __pad0 = 0, _sifields = {_pad = {1, 0, 1467758240, 21845, 0 <repeats 24 times>}, _kill = {si_pid = 1, si_uid = 0}, _timer = {si_tid = 1, si_overrun = 0, si_sigval = {sival_int = 1467758240, sival_ptr = 0x5555577c36a0}}, _rt = {si_pid = 1, si_uid = 0, si_sigval = {sival_int = 1467758240, sival_ptr = 0x5555577c36a0}}, _sigchld = {si_pid = 1, si_uid = 0, si_status = 1467758240, si_utime = 0, si_stime = 0}, _sigfault = {si_addr = 0x1, si_addr_lsb = 13984, _bounds = {_addr_bnd = {_lower = 0x0, _upper = 0x0}, _pkey = 0}}, _sigpoll = {si_band = 1, si_fd = 1467758240}, _sigsys = {_call_addr = 0x1, _syscall = 1467758240, _arch = 21845}}} result = <optimized out> ss = {__val = {2147483648, 0 <repeats 15 times>}} #1 0x00007ffff7ef6609 in start_thread (arg=<optimized out>) at pthread_create.c:477 ret = <optimized out> pd = <optimized out> unwind_buf = {cancel_jmp_buf = {{jmp_buf = {140737353906112, -3120124340964472538, 140737488341022, 140737488341023, 140737488341168, 140737353904128, 3120141912229759270, 3120142075092355366}, mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x0, 0x0}, data = {prev = 0x0, cleanup = 0x0, canceltype = 0}}} not_first_call = 0 #2 0x00007ffff7595293 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95 No locals. Thread 2 (Thread 0x7ffff6628700 (LWP 21519)): #0 0x00007ffff75533bf in __GI___clock_nanosleep (clock_id=clock_id@entry=0, flags=flags@entry=0, req=0x7ffff6627de0, rem=0x7ffff6627dd0) at ../sysdeps/unix/sysv/linux/clock_nanosleep.c:78 sc_cancel_oldtype = 2 sc_ret = <optimized out> r = <optimized out> #1 0x00007ffff7559047 in __GI___nanosleep (requested_time=<optimized out>, remaining=<optimized out>) at nanosleep.c:27 ret = <optimized out> #2 0x00007ffff7f6846b in SDL_Delay () from /lib/x86_64-linux-gnu/libSDL-1.2.so.0 No symbol table info available. #3 0x00007ffff7f684ca in ?? () from /lib/x86_64-linux-gnu/libSDL-1.2.so.0 No symbol table info available. #4 0x00007ffff7f25f3c in ?? () from /lib/x86_64-linux-gnu/libSDL-1.2.so.0 No symbol table info available. #5 0x00007ffff7f65baf in ?? () from /lib/x86_64-linux-gnu/libSDL-1.2.so.0 No symbol table info available. #6 0x00007ffff7ef6609 in start_thread (arg=<optimized out>) at pthread_create.c:477 ret = <optimized out> pd = <optimized out> unwind_buf = {cancel_jmp_buf = {{jmp_buf = {140737327040256, -3120124340964472538, 140737488342190, 140737488342191, 140737488342320, 140737327038272, 3120145399164389670, 3120142075092355366}, mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x0, 0x0}, data = {prev = 0x0, cleanup = 0x0, canceltype = 0}}} not_first_call = 0 #7 0x00007ffff7595293 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95 No locals. --Type <RET> for more, q to quit, c to continue without paging--c Thread 1 (Thread 0x7ffff66297c0 (LWP 21515)): #0 __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50 set = {__val = {0, 93824996780520, 0, 32880, 140737488339232, 38062790400, 0, 0, 17, 93825037487633, 93825037495808, 0, 4294967295, 0, 0, 93824995404185}} pid = <optimized out> tid = <optimized out> ret = <optimized out> #1 0x00007ffff7498859 in __GI_abort () at abort.c:79 save_stage = 1 act = {__sigaction_handler = {sa_handler = 0x555555d01207, sa_sigaction = 0x555555d01207}, sa_mask = {__val = {140733193388032, 93825036370192, 18288377144763484850, 114497559, 155722635487282, 0, 0, 4294967296, 0, 0, 0, 0, 0, 392933501304568560, 140737488340672, 18}}, sa_flags = 1476089088, sa_restorer = 0x0} sigs = {__val = {32, 0 <repeats 15 times>}} #2 0x00007ffff75033ee in __libc_message (action=action@entry=do_abort, fmt=fmt@entry=0x7ffff762d285 "%s\n") at ../sysdeps/posix/libc_fatal.c:155 ap = {{gp_offset = 24, fp_offset = 0, overflow_arg_area = 0x7fffffffc3c0, reg_save_area = 0x7fffffffc350}} fd = <optimized out> list = <optimized out> nlist = <optimized out> cp = <optimized out> #3 0x00007ffff750b47c in malloc_printerr (str=str@entry=0x7ffff762fa50 "malloc(): invalid size (unsorted)") at malloc.c:5347 No locals. #4 0x00007ffff750e234 in _int_malloc (av=av@entry=0x7ffff765eb80 <main_arena>, bytes=bytes@entry=8192) at malloc.c:3736 next = <optimized out> iters = <optimized out> nb = <optimized out> idx = 107 bin = <optimized out> victim = <optimized out> size = <optimized out> victim_index = <optimized out> remainder = <optimized out> remainder_size = <optimized out> block = <optimized out> bit = <optimized out> map = <optimized out> fwd = <optimized out> bck = <optimized out> tcache_unsorted_count = 0 tcache_nb = 0 tc_idx = 511 return_cached = <optimized out> __PRETTY_FUNCTION__ = "_int_malloc" #5 0x00007ffff7510419 in __GI___libc_malloc (bytes=8192) at malloc.c:3066 ar_ptr = 0x7ffff765eb80 <main_arena> victim = <optimized out> hook = <optimized out> tbytes = <optimized out> tc_idx = <optimized out> __PRETTY_FUNCTION__ = "__libc_malloc" #6 0x00007ffff7879b39 in operator new(unsigned long) () from /lib/x86_64-linux-gnu/libstdc++.so.6 No symbol table info available. #7 0x00005555558512da in NETBUFFER_s::Init (this=this@entry=0x7fffffffc560, ulLength=ulLength@entry=8192, BufferType=BufferType@entry=BUFFERTYPE_WRITE) at /home/zbuild/zandronum_build/zandronum/src/networkshared.cpp:106 No locals. #8 0x000055555585a816 in NetCommand::NetCommand (this=0x7fffffffc560, Header=SVC_MISSILEEXPLODE) at /home/zbuild/zandronum_build/zandronum/src/network/netcommand.cpp:108 No locals. #9 0x000055555587528e in ServerCommands::MissileExplode::BuildNetCommand (this=this@entry=0x7fffffffc530) at /home/zbuild/zandronum_build/zandronum/src/network/servercommands.cpp:10522 command = {_buffer = {pbData = 0x0, ulMaxSize = 8192, ulCurrentSize = 0, ByteStream = {pbStream = 0x0, pbStreamEnd = 0x0, bitBuffer = 0x0, bitShift = 0}, BufferType = BUFFERTYPE_READ}, _unreliable = false} #10 0x00005555559af48c in ServerCommands::BaseServerCommand::sendCommandToClients (flags=..., playerExtra=64, this=0x7fffffffc530) at /home/zbuild/zandronum_build/zandronum/src/network/servercommands.h:47 No locals. #11 SERVERCOMMANDS_MissileExplode (pMissile=pMissile@entry=0x55555807c5d0, pLine=pLine@entry=0x0, ulPlayerExtra=ulPlayerExtra@entry=64, flags=...) at /home/zbuild/zandronum_build/zandronum/src/sv_commands.cpp:2652 command = {<ServerCommands::BaseServerCommand> = {_vptr.BaseServerCommand = 0x555555e49400 <vtable for ServerCommands::MissileExplode+16>}, missile = 0x55555807c5d0, lineId = -1, x = -44843600, y = 114193280, z = 2097152, _missileInitialized = true, _lineIdInitialized = true, _xInitialized = true, _yInitialized = true, _zInitialized = true} #12 0x00005555558ff0cc in P_ExplodeMissile (mo=0x55555807c5d0, line=0x0, target=<optimized out>) at /home/zbuild/zandronum_build/zandronum/src/tflags.h:60 nextstate = 0x5555579bed90 dwSavedMoFlags = <optimized out> bFlagsChanged = <optimized out> #13 0x000055555590473a in P_XYMovement (mo=mo@entry=0x55555807c5d0, scrollx=<optimized out>, scrollx@entry=0, scrolly=<optimized out>) at /home/zbuild/zandronum_build/zandronum/src/p_mobj.cpp:2454 BlockingMobj = <optimized out> BlockingLine = <optimized out> startvelx = <optimized out> startvely = <optimized out> pushtime = 1022 bForceSlide = <optimized out> angle = 0 ptryx = <optimized out> ptryy = <optimized out> player = 0x0 xmove = 654648 ymove = 30520 walkplane = 0x0 windTab = {10240, 20480, 51200} steps = 0 step = 2 totalsteps = 2 startx = <optimized out> starty = 114178020 oldfloorz = 0 maxmove = <optimized out> startxmove = <optimized out> startymove = <optimized out> onestepx = 327324 onestepy = 15260 tm = {thing = 0x55555807c5d0, x = -44516276, y = 114208540, z = 0, sector = 0x555557f6c110, floorz = 0, ceilingz = 20971520, dropoffz = 0, floorpic = {texnum = 2738}, floorsector = 0x555557f6c110, ceilingpic = {texnum = 2717}, ceilingsector = 0x555557f6c110, touchmidtex = false, abovemidtex = false, floatok = false, FromPMove = false, ceilingline = 0x0, stepthing = 0x0, DoRipping = false, LastRipped = 0x0, PushTime = 1022} #14 0x00005555559057bb in AActor::Tick (this=0x55555807c5d0) at /home/zbuild/zandronum_build/zandronum/src/p_mobj.cpp:4367 oldz = <optimized out> cummx = 0 cummy = <optimized out> oldfloorz = 0 HexenScrollDirs = "@\000\300\200`", <incomplete sequence \340\240> HexenSpeedMuls = "\005\n\031" HexenScrollies = {"\000\001", "\000\002", "\000\004", "\377", "\376", <incomplete sequence \374>, "\000\377", "\000\376", <incomplete sequence \374>, "\001", "\002", "\004", "\001\001", "\002\002", "\004\004", "\377\001", "\376\002", "\374\004", "\377\377", "\376\376", "\374", <incomplete sequence \374>, "\001\377", "\002\376", <incomplete sequence \374>} HereticScrollDirs = "\006\t\001\004" HereticSpeedMuls = "\005\n\031\036#" onmo = <optimized out> #15 0x00005555557f9177 in DThinker::TickThinkers (dest=0x0, list=0x555557196000 <DThinker::Thinkers+800>) at /home/zbuild/zandronum_build/zandronum/src/dthinker.cpp:472 count = <optimized out> node = 0x55555807c5d0 count = <optimized out> node = <optimized out> #16 DThinker::RunThinkers () at /home/zbuild/zandronum_build/zandronum/src/dthinker.cpp:419 i = 100 count = <optimized out> #17 0x00005555559350bf in P_Ticker () at /home/zbuild/zandronum_build/zandronum/src/p_tick.cpp:415 i = <optimized out> ulIdx = 64 #18 0x000055555580f6e1 in G_Ticker () at /home/zbuild/zandronum_build/zandronum/src/g_game.cpp:1770 i = <optimized out> oldgamestate = <optimized out> buf = <optimized out> cmd = <optimized out> lSize = <optimized out> #19 0x00005555559cb637 in SERVER_Tick () at /home/zbuild/zandronum_build/zandronum/src/sv_main.cpp:701 lNowTime = 17858 lNewTics = 625 lPreviousTics = <optimized out> lCurTics = 0 ulIdx = <optimized out> cmd = <optimized out> iOldTime = 471 #20 0x00005555557d6585 in D_DoomLoop () at /home/zbuild/zandronum_build/zandronum/src/d_main.cpp:1345 lasttic = 0 #21 0x00005555557d8b85 in D_DoomMain () at /home/zbuild/zandronum_build/zandronum/src/d_main.cpp:3287 iwad_man = 0x5555576f5a80 iwad = {Chars = 0x555555e7444c <FString::NullString+12> "", static NullString = {Len = 0, AllocLen = 2, RefCount = 108176, Nothing = "\000"}} iwad_info = 0x555557723530 exec = <optimized out> startupString = {0x555555cf96ac "STARTUP1", 0x555555cf96b5 "STARTUP2", 0x555555cf96be "STARTUP3", 0x555555cf96c7 "STARTUP4", 0x555555cf96d0 "STARTUP5"} p = <optimized out> v = <optimized out> wad = <optimized out> execFiles = <optimized out> pwads = {Array = 0x0, Most = 0, Count = 0} basewad = {Chars = 0x5555576f56bc "/home/sean/zan/3.1_official/zandronum.pk3", static NullString = {Len = 0, AllocLen = 2, RefCount = 108176, Nothing = "\000"}} #22 0x0000555555742149 in main (argc=<optimized out>, argv=0x7fffffffdfa8) at /home/zbuild/zandronum_build/zandronum/src/sdl/i_main.cpp:380 program = "/home/sean/zan/3.1_official/\000andronum-server\000\000\000\000\b\000\000\000\000\000\000\000\004\000\000\000\004\000\000\000\310\002\000\000\000\000\000\000\310\002\000\000\000\000\000\000\310\002\000\000\000\000\000\000$\000\000\000\000\000\000\000$\000\000\000\000\000\000\000\004\000\000\000\000\000\000\000S\345td\004\000\000\000\250\002\000\000\000\000\000\000\250\002\000\000\000\000\000\000\250\002\000\000\000\000\000\000 \000\000\000\000\000\000\000 \000\000\000\000\000\000\000\b\000\000\000\000\000\000\000P\345td\004\000\000\000\020\300\001\000\000\000\000\000\020\300\001\000\000\000\000\000\020\300\001\000\000\000\000\000"... slash = <optimized out> caption = "ZANDRONUM 3.1 (211211-2135)\000\000\000\000\000\030\a\000\000\000\000\000\000\230\b\000\000\000\000\000\000\000\020\000\000\000\000\000\000\002\000\000\000\006\000\000\000\210\n\002\000\000\000\000\000\210\032\002\000\000\000\000\000\210\032\002\000\000\000\000\000\020\002\000\000\000\000\000\000\020\002\000"

DrinkyBird was slashed by an imp. ================================================================= ==29129==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x619000333fc8 at pc 0x555555fc63b1 bp 0x7fffffffba90 sp 0x7fffffffba80 WRITE of size 4 at 0x619000333fc8 thread T0 [New Thread 0x7ffff1ffe700 (LWP 33137)] #0 0x555555fc63b0 in APlayerPawn::Die(AActor*, AActor*, int) /home/sean/zan/zandronum-stable/src/p_user.cpp:2017 #1 0x555555e50fd0 in P_DamageMobj(AActor*, AActor*, AActor*, int, FName, int) /home/sean/zan/zandronum-stable/src/p_interaction.cpp:1767 #2 0x5555561fd61c in AF_A_TroopAttack(AActor*, AActor*, FState*, int, StateCallData*) /home/sean/zan/zandronum-stable/src/g_doom/a_doomimp.cpp:28 #3 0x555555f082c7 in FState::CallAction(AActor*, AActor*, StateCallData*) /home/sean/zan/zandronum-stable/src/./info.h:144 #4 0x555555ecc2f6 in AActor::SetState(FState*, bool) /home/sean/zan/zandronum-stable/src/p_mobj.cpp:582 #5 0x555555eeb447 in AActor::Tick() /home/sean/zan/zandronum-stable/src/p_mobj.cpp:4541 #6 0x555555bd20d8 in DThinker::TickThinkers(FThinkerList*, FThinkerList*) /home/sean/zan/zandronum-stable/src/dthinker.cpp:472 #7 0x555555bd1d7a in DThinker::RunThinkers() /home/sean/zan/zandronum-stable/src/dthinker.cpp:419 #8 0x555555f93257 in P_Ticker() /home/sean/zan/zandronum-stable/src/p_tick.cpp:415 #9 0x555555bf056b in G_Ticker() /home/sean/zan/zandronum-stable/src/g_game.cpp:1770 #10 0x55555613cb64 in SERVER_Tick() /home/sean/zan/zandronum-stable/src/sv_main.cpp:701 #11 0x555555b85c3d in D_DoomLoop() /home/sean/zan/zandronum-stable/src/d_main.cpp:1345 #12 0x555555b8e86d in D_DoomMain() /home/sean/zan/zandronum-stable/src/d_main.cpp:3287 #13 0x555555a3866c in main /home/sean/zan/zandronum-stable/src/sdl/i_main.cpp:380 #14 0x7ffff6c050b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2) #15 0x555555a2ba0d in _start (/home/sean/zan/zandronum-stable-build/zandronum-server+0x4d7a0d) 0x619000333fc8 is located 0 bytes to the right of 1096-byte region [0x619000333b80,0x619000333fc8) allocated by thread T0 here: #0 0x7ffff7687bc8 in malloc (/lib/x86_64-linux-gnu/libasan.so.5+0x10dbc8) #1 0x555555c6d108 in M_Malloc_Dbg(unsigned long, char const*, int) /home/sean/zan/zandronum-stable/src/m_alloc.cpp:135 #2 0x555555bc7c5b in PClass::CreateNew() const /home/sean/zan/zandronum-stable/src/dobjtype.cpp:258 #3 0x555555eed02e in AActor::StaticSpawn(PClass const*, int, int, int, replace_t, bool) /home/sean/zan/zandronum-stable/src/p_mobj.cpp:4867 #4 0x555555a6aa34 in Spawn(PClass const*, int, int, int, replace_t) /home/sean/zan/zandronum-stable/src/./actor.h:1321 #5 0x555555e24155 in P_DropItem(AActor*, PClass const*, int, int) /home/sean/zan/zandronum-stable/src/p_enemy.cpp:3481 #6 0x555555fc629b in APlayerPawn::Die(AActor*, AActor*, int) /home/sean/zan/zandronum-stable/src/p_user.cpp:2012 #7 0x555555e50fd0 in P_DamageMobj(AActor*, AActor*, AActor*, int, FName, int) /home/sean/zan/zandronum-stable/src/p_interaction.cpp:1767 #8 0x5555561fd61c in AF_A_TroopAttack(AActor*, AActor*, FState*, int, StateCallData*) /home/sean/zan/zandronum-stable/src/g_doom/a_doomimp.cpp:28 #9 0x555555f082c7 in FState::CallAction(AActor*, AActor*, StateCallData*) /home/sean/zan/zandronum-stable/src/./info.h:144 #10 0x555555ecc2f6 in AActor::SetState(FState*, bool) /home/sean/zan/zandronum-stable/src/p_mobj.cpp:582 #11 0x555555eeb447 in AActor::Tick() /home/sean/zan/zandronum-stable/src/p_mobj.cpp:4541 #12 0x555555bd20d8 in DThinker::TickThinkers(FThinkerList*, FThinkerList*) /home/sean/zan/zandronum-stable/src/dthinker.cpp:472 #13 0x555555bd1d7a in DThinker::RunThinkers() /home/sean/zan/zandronum-stable/src/dthinker.cpp:419 #14 0x555555f93257 in P_Ticker() /home/sean/zan/zandronum-stable/src/p_tick.cpp:415 #15 0x555555bf056b in G_Ticker() /home/sean/zan/zandronum-stable/src/g_game.cpp:1770 #16 0x55555613cb64 in SERVER_Tick() /home/sean/zan/zandronum-stable/src/sv_main.cpp:701 #17 0x555555b85c3d in D_DoomLoop() /home/sean/zan/zandronum-stable/src/d_main.cpp:1345 #18 0x555555b8e86d in D_DoomMain() /home/sean/zan/zandronum-stable/src/d_main.cpp:3287 #19 0x555555a3866c in main /home/sean/zan/zandronum-stable/src/sdl/i_main.cpp:380 #20 0x7ffff6c050b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2) SUMMARY: AddressSanitizer: heap-buffer-overflow /home/sean/zan/zandronum-stable/src/p_user.cpp:2017 in APlayerPawn::Die(AActor*, AActor*, int) Shadow bytes around the buggy address: 0x0c328005e7a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c328005e7b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c328005e7c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c328005e7d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c328005e7e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 =>0x0c328005e7f0: 00 00 00 00 00 00 00 00 00[fa]fa fa fa fa fa fa 0x0c328005e800: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c328005e810: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c328005e820: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c328005e830: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c328005e840: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb Shadow gap: cc [Thread 0x7ffff1ffe700 (LWP 33137) exited] [New Thread 0x7ffff17fd700 (LWP 33138)] [Thread 0x7ffff17fd700 (LWP 33138) exited] ==29129==ABORTING [Thread 0x7ffff302b840 (LWP 29134) exited] [Thread 0x7ffff27ff700 (LWP 29133) exited] --Type <RET> for more, q to quit, c to continue without paging--c [Inferior 1 (process 29129) exited with code 01]

Notes
(0022128) DrinkyBird (developer) 2022-02-17 11:29	Is there a full crash log? Usually a file named zandronum-crash-xxxxxxx.log is dumped to the working directory. Quote I'd have to track down fmod headers, which seems difficult to do... 'https://zandronum.com/essentials/fmod/ [^]'

(0022129) Goat-Avenger (reporter) 2022-02-17 12:50	The log didn't provide anything of use, that I could discern, except the following... Adding dehacked patch somewad.wad:DEHACKED [05:43:56] Script error, "zandronum.pk3:dehsupp.txt" line 291: [05:43:56] Invalid state range in 'CacodemonBall' [05:43:56] [05:43:56] Could not load DEH support data [05:43:56] Adding dehacked patch somewad.wad:DEHACKED [05:43:56] Script error, "zandronum.pk3:dehsupp.txt" line 291: [05:43:56] Invalid state range in 'CacodemonBall'

(0022130) WaTaKiD (updater) 2022-02-17 14:52	please provide an example wad that can reproduce the crash

(0022131) Goat-Avenger (reporter) 2022-02-18 02:09 edited on: 2022-02-18 02:23	rudy2.wad produces a crash; same with mohawks2.wad error message: malloc(): invalid size (unsorted) to reproduce I hosted the wad in the latest testing linux server with 1 life survival and just got killed by the first shotgunner and imp in the first map. For mohawks2.wad, I just let the first few enemies take me out, and crash upon death.

(0022132) WaTaKiD (updater) 2022-02-18 03:12 edited on: 2022-02-18 03:16	im unable to reproduce the crash using either of those wads on both local windows and tspg linux servers here are dl links for convenience: 'https://allfearthesentinel.net/zandronum/download.php?file=rudy2.wad [^]' 'https://allfearthesentinel.net/zandronum/download.php?file=mohawks2.wad [^]'

(0022133) Goat-Avenger (reporter) 2022-02-18 04:17	I was able to reproduce on TSPG Version:Stable: Zandronum 3.1 [TSPG-v26] wad:rudy2.wad Steps to reproduce: host rudy2.wad and get killed by first monsters in sight. DMFlags 1600192516 DMFlags2 8390982 ZADMFlags 1024 CompatFlags 4 sv_nokill false teamdamage 0.50 Game Mode: cooperative Skill Level or Skill Number: hard Lives: 1 connections: 8 players: 4

(0022134) WaTaKiD (updater) 2022-02-18 04:40	ok using that setup i was able to crash a tspg server, i joined, used a kill bind during the countdown, and the server went down with the log showing: malloc(): memory corruption however there doesnt seem to be a crash report, and this method still doesnt crash a windows local server

(0022135) Goat-Avenger (reporter) 2022-02-18 04:41	Thnx for confirming. If there is any other info I can provide I will try to. I wasn't able to produce a crash report either.

(0022136) DrinkyBird (developer) 2022-02-18 05:06 edited on: 2022-02-18 06:01	I managed to reproduce the crash with (official 3.1 Linux x86_64 build) gdb --args ./zandronum-server -iwad ../doom2.wad -file ../rudy2.wad +dmflags 1600192516 +dmflags2 8390982 +zadmflags 1024 +compatflags 4 +sv_nokill false +teamdamage 0.50 +cooperative 1 +skill 3 +sv_maxlives 1 +sv_maxclients 8 +sv_maxplayers 4 Interestingly I originally mistyped dmflags2 as dmflags, and the crash didn't occur. Zandronum didn't generate a crash report, but I ran through the same commands in gdb myself, output attached. EDIT: I compiled with ASAN which reveals the source of the memory corruption. Attached. EDIT 2: Seems likely that item is an ADehackedPickup being improperly casted to AWeapon? DrinkyBird was burned by an imp. --Type <RET> for more, q to quit, c to continue without paging--c Thread 1 "zandronum-serve" hit Breakpoint 1, APlayerPawn::Die (this=0x555557fb5020, source=<optimized out>, inflictor=<optimized out>, dmgflags=0) at /home/zbuild/zandronum_build/zandronum/src/p_user.cpp:2013 2013 /home/zbuild/zandronum_build/zandronum/src/p_user.cpp: No such file or directory. (gdb) f #0 APlayerPawn::Die (this=0x555557fb5020, source=<optimized out>, inflictor=<optimized out>, dmgflags=0) at /home/zbuild/zandronum_build/zandronum/src/p_user.cpp:2013 2013 in /home/zbuild/zandronum_build/zandronum/src/p_user.cpp (gdb) p item $1 = (AInventory ) 0x55555807d760 (gdb) p item->StaticType() [New Thread 0x7ffff5e13700 (LWP 40333)] $3 = (PClass ) 0x55555712aea0 <ADehackedPickup::_StaticType>

(0022330) WaTaKiD (updater) 2022-08-31 17:56	this crash also seems to be reproducible with uprising.wad and can even crash windows servers, but only 64 bit (which as of writing doesnt give crash reports, but thatll be fixed in 3.2)

**Issue Community Support**
Only registered users can voice their support. Click here to register, or here to log in.
Supporters:	WaTaKiD
Opponents:	No one explicitly opposes this issue yet.

Issue Community Support

Only registered users can voice their support. Click here to register, or here to log in.

Supporters:

WaTaKiD

Opponents:

No one explicitly opposes this issue yet.

Issue History
Date Modified	Username	Field	Change
2022-02-17 10:51	Goat-Avenger	New Issue
2022-02-17 11:29	DrinkyBird	Note Added: 0022128
2022-02-17 12:50	Goat-Avenger	Note Added: 0022129
2022-02-17 14:52	WaTaKiD	Note Added: 0022130
2022-02-18 02:09	Goat-Avenger	Note Added: 0022131
2022-02-18 02:11	Goat-Avenger	Note Edited: 0022131	View Revisions
2022-02-18 02:20	Goat-Avenger	Note Edited: 0022131	View Revisions
2022-02-18 02:20	Goat-Avenger	Note Edited: 0022131	View Revisions
2022-02-18 02:23	Goat-Avenger	Note Edited: 0022131	View Revisions
2022-02-18 03:12	WaTaKiD	Note Added: 0022132
2022-02-18 03:16	WaTaKiD	Note Edited: 0022132	View Revisions
2022-02-18 04:17	Goat-Avenger	Note Added: 0022133
2022-02-18 04:40	WaTaKiD	Note Added: 0022134
2022-02-18 04:41	Goat-Avenger	Note Added: 0022135
2022-02-18 05:06	DrinkyBird	File Added: gdbspam.txt
2022-02-18 05:06	DrinkyBird	Note Added: 0022136
2022-02-18 05:08	DrinkyBird	Note Edited: 0022136	View Revisions
2022-02-18 05:21	DrinkyBird	File Added: asanspew.txt
2022-02-18 05:22	DrinkyBird	Note Edited: 0022136	View Revisions
2022-02-18 06:01	DrinkyBird	Note Edited: 0022136	View Revisions
2022-02-19 06:57	DrinkyBird	Status	new => confirmed
2022-02-20 05:36	Kaminsky	Product Version	=> 3.1
2022-02-20 05:36	Kaminsky	Target Version	=> 3.2
2022-08-31 17:56	WaTaKiD	Note Added: 0022330
2024-03-11 08:30	Kaminsky	Relationship added	related to 0004206