Complete.Org: Mailing Lists: Archives: freeciv-dev: August 2004:
[Freeciv-Dev] (PR#9670) invalid read when setting player love
To: undisclosed-recipients: ;
Subject: [Freeciv-Dev] (PR#9670) invalid read when setting player love
From: "Jason Short" <jdorje@xxxxxxxxxxxxxxxxxxxxx>
Date: Wed, 11 Aug 2004 09:15:26 -0700
Reply-to: rt@xxxxxxxxxxx

<URL: http://rt.freeciv.org/Ticket/Display.html?id=9670 >

==5008== Invalid read of size 4
==5008==    at 0x8087AFD: handle_player_info (packhand.c:1551)
==5008==    by 0x808CA52: client_handle_packet (packhand_gen.c:147)
==5008==    by 0x806F227: handle_packet_input (civclient.c:274)
==5008==    by 0x8072E87: input_from_server (clinet.c:328)
==5008==    by 0x80BB385: get_net_input (gui_main.c:1456)
==5008==    by 0x1BC0E19A: (within /usr/lib/libgdk-x11-2.0.so.0.400.4)
==5008==    by 0x1BD93F2E: (within /usr/lib/libglib-2.0.so.0.400.5)
==5008==    by 0x1BD6E901: (within /usr/lib/libglib-2.0.so.0.400.5)
==5008==    by 0x1BD6F9F7: g_main_context_dispatch (in /usr/lib/libglib-2.0.so.0.400.5)
==5008==    by 0x1BD6FD2F: (within /usr/lib/libglib-2.0.so.0.400.5)
==5008==    by 0x1BD70372: g_main_loop_run (in /usr/lib/libglib-2.0.so.0.400.5)
==5008==    by 0x1BA36712: gtk_main (in /usr/lib/libgtk-x11-2.0.so.0.400.4)
==5008==    by 0x80BA94E: ui_main (gui_main.c:1205)
==5008==    by 0x806F1DA: main (civclient.c:245)
==5008==  Address 0x1CB9D4C4 is 0 bytes after a block of size 972 alloc'd
==5008==    at 0x1B904EDD: malloc (vg_replace_malloc.c:131)
==5008==    by 0x80DECDA: fc_real_malloc (mem.c:79)
==5008==    by 0x810EC5F: receive_packet_player_info_100 (packets_gen.c:8481)
==5008==    by 0x81111F6: receive_packet_player_info (packets_gen.c:9328)
==5008==    by 0x80F9ABD: get_packet_from_connection_helper (packets_gen.c:168)
==5008==    by 0x80F8DA3: get_packet_from_connection (packets.c:479)
==5008==    by 0x8072E42: input_from_server (clinet.c:323)
==5008==    by 0x80BB385: get_net_input (gui_main.c:1456)
==5008==    by 0x1BC0E19A: (within /usr/lib/libgdk-x11-2.0.so.0.400.4)
==5008==    by 0x1BD93F2E: (within /usr/lib/libglib-2.0.so.0.400.5)
==5008==    by 0x1BD6E901: (within /usr/lib/libglib-2.0.so.0.400.5)
==5008==    by 0x1BD6F9F7: g_main_context_dispatch (in /usr/lib/libglib-2.0.so.0.400.5)
==5008==    by 0x1BD6FD2F: (within /usr/lib/libglib-2.0.so.0.400.5)
==5008==    by 0x1BD70372: g_main_loop_run (in /usr/lib/libglib-2.0.so.0.400.5)
==5008==    by 0x1BA36712: gtk_main (in /usr/lib/libgtk-x11-2.0.so.0.400.4)
==5008==    by 0x80BA94E: ui_main (gui_main.c:1205)
==5008==    by 0x806F1DA: main (civclient.c:245)


in this code:

   for (i = 0; i < MAX_NUM_PLAYERS + MAX_NUM_BARBARIANS; i++) {
     pplayer->ai.love[i] = pinfo->love[i];
   }

the problem is the packet's love array only has MAX_NUM_PLAYERS entries.  So either the one must be made larger or the other smaller.

The same problem exists in the server, plrhand.c:1340.  So I suggest 
this patch to fix it.

P.S.  If this array hadn't been the last item in the packet, Valgrind wouldn't have noticed this.  I wonder if there are more such bugs out there?

jason

Index: common/packets.def
===================================================================
RCS file: /home/freeciv/CVS/freeciv/common/packets.def,v
retrieving revision 1.36
diff -u -r1.36 packets.def
--- common/packets.def  30 Jul 2004 20:40:49 -0000      1.36
+++ common/packets.def  11 Aug 2004 16:14:25 -0000
@@ -558,7 +558,7 @@
   UINT8 barbarian_type;
   uint32(unsigned int) gives_shared_vision;
   BIT_STRING inventions[A_LAST+1];
-  SINT16 love[MAX_NUM_PLAYERS];
+  SINT16 love[MAX_NUM_PLAYERS + MAX_NUM_BARBARIANS];
 end
 
 PACKET_PLAYER_TURN_DONE=40;cs
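Review bot: this hunk only proves the packet side was the short one; the declaration of pplayer->ai.love is not shown, and the report's Valgrind trace covers the malloc'd packet block, not the destination. Please confirm ai.love is declared with the same MAX_NUM_PLAYERS + MAX_NUM_BARBARIANS bound, because if the player table is statically allocated an overflow on that side would not be reported by Valgrind's heap tracking and the symmetric fault would stay silent. The bound is now hand-copied in three places (packhand.c:1551, plrhand.c:1340 and this `SINT16 love[MAX_NUM_PLAYERS + MAX_NUM_BARBARIANS];` line); one shared constant, or ARRAY_SIZE of the destination array in the two loops, would stop the next edit to either constant from reopening the mismatch, which is also the cheapest way to answer the P.S. about other such bugs. Changing the length of a packet array changes the wire layout of this packet, so a patched server and an unpatched client (or vice versa) will disagree about its length; whatever the project uses to mark incompatible protocol changes should be bumped alongside this hunk.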

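The bound mismatch above, as an added example that is not Freeciv code: MAX_NUM_PLAYERS and MAX_NUM_BARBARIANS are given assumed values, the three packet structs are hand-written stand-ins for what packets_gen.c would generate (before the patch, the same with a hypothetical `trailing` member after the array, and after the patch), and struct player_ai stands in for the client-side ai.love destination. It shows why Valgrind flagged this instance and would miss the same bug with a member after the array (the P.S.), and the two guards a reviewer would ask for: a compile-time check that the packet and destination lengths agree, and a copy bounded by both arrays so no mismatch can read past the source.

```c
/* Added example, not Freeciv code.  MAX_NUM_PLAYERS and MAX_NUM_BARBARIANS
 * are assumed values; the structs are hand-written stand-ins for what
 * packets_gen.c generates, and the 'trailing' member is hypothetical. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define MAX_NUM_PLAYERS    30   /* assumed */
#define MAX_NUM_BARBARIANS  2   /* assumed */
#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))

/* Wire struct before the patch: love[] is last, so love[MAX_NUM_PLAYERS]
 * is past the end of the malloc'd block ("0 bytes after a block"). */
struct packet_before {
  uint8_t  barbarian_type;
  uint32_t gives_shared_vision;
  int16_t  love[MAX_NUM_PLAYERS];
};

/* Same undersized array with a member after it: the over-read lands on
 * 'trailing', inside the block, so Valgrind is silent and the client
 * quietly copies unrelated bytes into ai.love. */
struct packet_hidden {
  uint8_t  barbarian_type;
  uint32_t gives_shared_vision;
  int16_t  love[MAX_NUM_PLAYERS];
  int32_t  trailing[MAX_NUM_BARBARIANS];
};

/* Wire struct after the patch, and the client-side destination it feeds. */
struct packet_after {
  uint8_t  barbarian_type;
  uint32_t gives_shared_vision;
  int16_t  love[MAX_NUM_PLAYERS + MAX_NUM_BARBARIANS];
};
struct player_ai {
  int16_t love[MAX_NUM_PLAYERS + MAX_NUM_BARBARIANS];
};

/* Guard 1: tie the two lengths together at compile time (C89 idiom; use
 * _Static_assert under C11), so editing one constant without the other
 * fails to build instead of reintroducing the over-read. */
typedef char love_lengths_agree[
  ARRAY_SIZE(((struct player_ai *)0)->love)
  == ARRAY_SIZE(((struct packet_after *)0)->love) ? 1 : -1];

/* Guard 2: a copy bounded by both arrays, so no mismatch can read past the
 * source.  Returns the element count copied; dst's uncopied tail is zeroed. */
size_t copy_love(int16_t *dst, size_t dst_n, const int16_t *src, size_t src_n)
{
  size_t i, n = dst_n < src_n ? dst_n : src_n;
  memcpy(dst, src, n * sizeof *src);
  for (i = n; i < dst_n; i++) {
    dst[i] = 0;
  }
  return n;
}

/* Bytes of an over-read of 'overrun' elements past an array ending at byte
 * offset 'array_end' that fall outside a 'block_size'-byte allocation.
 * Valgrind reports exactly this part, which is the point of the P.S. */
size_t bytes_outside_block(size_t array_end, size_t elem_size,
                           size_t overrun, size_t block_size)
{
  size_t end = array_end + overrun * elem_size;
  return end > block_size ? end - block_size : 0;
}

/* The reported bug: love[] is last, so the over-read leaves the block. */
size_t overrun_visible_bytes(void)
{
  return bytes_outside_block(offsetof(struct packet_before, love)
                               + sizeof(((struct packet_before *)0)->love),
                             sizeof(int16_t), MAX_NUM_BARBARIANS,
                             sizeof(struct packet_before));
}

/* Same bug with a member after love[]: nothing leaves the block. */
size_t overrun_hidden_bytes(void)
{
  return bytes_outside_block(offsetof(struct packet_hidden, love)
                               + sizeof(((struct packet_hidden *)0)->love),
                             sizeof(int16_t), MAX_NUM_BARBARIANS,
                             sizeof(struct packet_hidden));
}

/* Bounded copy from a constructed old-format packet: MAX_NUM_PLAYERS entries
 * copied, the remaining MAX_NUM_BARBARIANS zeroed, nothing read past pkt. */
size_t copy_from_old_packet(struct player_ai *ai)
{
  struct packet_before pkt;
  size_t i;
  memset(&pkt, 0, sizeof pkt);
  for (i = 0; i < MAX_NUM_PLAYERS; i++) {
    pkt.love[i] = (int16_t)(i + 1);
  }
  return copy_love(ai->love, ARRAY_SIZE(ai->love),
                   pkt.love, ARRAY_SIZE(pkt.love));
}
```

The two offset computations are plain arithmetic on sizeof/offsetof, so the example never performs the out-of-bounds read itself; it only shows how far past the allocation the original loop would reach (non-zero for packet_before, zero for packet_hidden, which is why Valgrind would stay quiet in the second case). The typedef trick builds under any C compiler; under C11 the same check reads more clearly as a _Static_assert.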