[Freeciv-Dev] (PR#9670) invalid read when setting player love
To: undisclosed-recipients: ;
Subject: [Freeciv-Dev] (PR#9670) invalid read when setting player love
From: "Jason Short" <jdorje@xxxxxxxxxxxxxxxxxxxxx>
Date: Wed, 11 Aug 2004 09:15:26 -0700
Reply-to: rt@xxxxxxxxxxx
<URL: http://rt.freeciv.org/Ticket/Display.html?id=9670 >
==5008== Invalid read of size 4
==5008== at 0x8087AFD: handle_player_info (packhand.c:1551)
==5008== by 0x808CA52: client_handle_packet (packhand_gen.c:147)
==5008== by 0x806F227: handle_packet_input (civclient.c:274)
==5008== by 0x8072E87: input_from_server (clinet.c:328)
==5008== by 0x80BB385: get_net_input (gui_main.c:1456)
==5008== by 0x1BC0E19A: (within /usr/lib/libgdk-x11-2.0.so.0.400.4)
==5008== by 0x1BD93F2E: (within /usr/lib/libglib-2.0.so.0.400.5)
==5008== by 0x1BD6E901: (within /usr/lib/libglib-2.0.so.0.400.5)
==5008== by 0x1BD6F9F7: g_main_context_dispatch (in /usr/lib/libglib-2.0.so.0.400.5)
==5008== by 0x1BD6FD2F: (within /usr/lib/libglib-2.0.so.0.400.5)
==5008== by 0x1BD70372: g_main_loop_run (in /usr/lib/libglib-2.0.so.0.400.5)
==5008== by 0x1BA36712: gtk_main (in /usr/lib/libgtk-x11-2.0.so.0.400.4)
==5008== by 0x80BA94E: ui_main (gui_main.c:1205)
==5008== by 0x806F1DA: main (civclient.c:245)
==5008== Address 0x1CB9D4C4 is 0 bytes after a block of size 972 alloc'd
==5008== at 0x1B904EDD: malloc (vg_replace_malloc.c:131)
==5008== by 0x80DECDA: fc_real_malloc (mem.c:79)
==5008== by 0x810EC5F: receive_packet_player_info_100 (packets_gen.c:8481)
==5008== by 0x81111F6: receive_packet_player_info (packets_gen.c:9328)
==5008== by 0x80F9ABD: get_packet_from_connection_helper (packets_gen.c:168)
==5008== by 0x80F8DA3: get_packet_from_connection (packets.c:479)
==5008== by 0x8072E42: input_from_server (clinet.c:323)
==5008== by 0x80BB385: get_net_input (gui_main.c:1456)
==5008== by 0x1BC0E19A: (within /usr/lib/libgdk-x11-2.0.so.0.400.4)
==5008== by 0x1BD93F2E: (within /usr/lib/libglib-2.0.so.0.400.5)
==5008== by 0x1BD6E901: (within /usr/lib/libglib-2.0.so.0.400.5)
==5008== by 0x1BD6F9F7: g_main_context_dispatch (in /usr/lib/libglib-2.0.so.0.400.5)
==5008== by 0x1BD6FD2F: (within /usr/lib/libglib-2.0.so.0.400.5)
==5008== by 0x1BD70372: g_main_loop_run (in /usr/lib/libglib-2.0.so.0.400.5)
==5008== by 0x1BA36712: gtk_main (in /usr/lib/libgtk-x11-2.0.so.0.400.4)
==5008== by 0x80BA94E: ui_main (gui_main.c:1205)
==5008== by 0x806F1DA: main (civclient.c:245)
in this code:

  for (i = 0; i < MAX_NUM_PLAYERS + MAX_NUM_BARBARIANS; i++) {
    pplayer->ai.love[i] = pinfo->love[i];
  }

The problem is the packet's love array only has MAX_NUM_PLAYERS entries.
So either the one must be made larger or the other smaller.
The same problem exists in the server, plrhand.c:1340. So I suggest
this patch to fix it.
P.S. If this array hadn't been the last item in the packet Valgrind
wouldn't have noticed this. I wonder if there are more such bugs out there?
jason
Index: common/packets.def
===================================================================
RCS file: /home/freeciv/CVS/freeciv/common/packets.def,v
retrieving revision 1.36
diff -u -r1.36 packets.def
--- common/packets.def 30 Jul 2004 20:40:49 -0000 1.36
+++ common/packets.def 11 Aug 2004 16:14:25 -0000
@@ -558,7 +558,7 @@
UINT8 barbarian_type;
uint32(unsigned int) gives_shared_vision;
BIT_STRING inventions[A_LAST+1];
- SINT16 love[MAX_NUM_PLAYERS];
+ SINT16 love[MAX_NUM_PLAYERS + MAX_NUM_BARBARIANS];
end
PACKET_PLAYER_TURN_DONE=40;cs
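Review bot: the loop bound in packhand.c:1551 (and plrhand.c:1340) and the length of love[] in this hunk are still declared independently in different files, which is exactly how they drifted apart; enlarging the array to MAX_NUM_PLAYERS + MAX_NUM_BARBARIANS brings them back in step today but does nothing to stop the next mismatch. Consider having the copy loops derive their bound from the packet field itself (sizeof(pinfo->love) / sizeof(pinfo->love[0])) or adding a compile-time size check, so a future edit to packets.def fails the build instead of reading past the packet as Valgrind reported here. Since the hunk changes the size of PACKET_PLAYER_INFO on the wire, also confirm whether the protocol capability string needs bumping so a client and server built from different revisions cannot disagree on the layout of this packet.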
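As an added illustration of the bug class discussed above (not code from the report or from Freeciv), the following C program reproduces the mismatch between a destination-sized copy loop and a shorter packet array, then shows a hardened copy that bounds itself by the smaller array and a compile-time check that catches the drift at build time. MAX_NUM_PLAYERS, MAX_NUM_BARBARIANS, the struct names and the sample values are constructed for the example; Freeciv's real values are not given on the page.

```c
#include <assert.h>
#include <stddef.h>
#include <stdint.h>

/* Constructed constants; Freeciv's real values are not given on the page. */
#define MAX_NUM_PLAYERS 4
#define MAX_NUM_BARBARIANS 2
#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))

struct packet_old { int16_t love[MAX_NUM_PLAYERS]; };                      /* before the patch */
struct packet_new { int16_t love[MAX_NUM_PLAYERS + MAX_NUM_BARBARIANS]; }; /* after the patch */
struct player_ai  { int16_t love[MAX_NUM_PLAYERS + MAX_NUM_BARBARIANS]; }; /* copy target */

/* Elements the packhand.c-style loop, bounded by the destination size, would
   read past the end of a packet array holding packet_len elements. */
static size_t overrun_elements(size_t loop_bound, size_t packet_len)
{
  return loop_bound > packet_len ? loop_bound - packet_len : 0;
}

/* The loop bound and the packet field live in different files, so pin their
   relationship at compile time: the build fails if the packet definition ever
   shrinks love[] below what the copy loop expects. */
_Static_assert(ARRAY_SIZE(((struct packet_new *)0)->love)
               >= ARRAY_SIZE(((struct player_ai *)0)->love),
               "packet love[] is shorter than the destination array");

/* Hardened copy: iterate over the smaller of the two arrays so neither side
   can be overrun even if the sizes drift apart again. Returns elements copied. */
static size_t copy_love(struct player_ai *dst, const struct packet_new *pkt)
{
  size_t n = ARRAY_SIZE(dst->love) < ARRAY_SIZE(pkt->love)
             ? ARRAY_SIZE(dst->love) : ARRAY_SIZE(pkt->love);
  for (size_t i = 0; i < n; i++) {
    dst->love[i] = pkt->love[i];
  }
  return n;
}

int main(void)
{
  struct packet_new pkt = { { 1, 2, 3, 4, 5, 6 } };  /* constructed sample packet */
  struct player_ai ai = { { 0 } };
  /* Old layout: a loop of 6 over a 4-element array reads 2 elements past the end. */
  assert(overrun_elements(ARRAY_SIZE(ai.love), ARRAY_SIZE(((struct packet_old *)0)->love)) == 2);
  assert(copy_love(&ai, &pkt) == 6 && ai.love[5] == 6);
  return 0;
}
```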