This appeared when running the tests with PE-side ASan enabled.
```
=================================================================
==1116==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffffe1f8794 at pc 0x00014015dd3b bp 0x7ffffe1ef9b0 sp 0x7ffffe1ef9f8
READ of size 2 at 0x7ffffe1f8794 thread T0
04a0:fixme:file:server_get_file_info Unsupported info class e
    #0 0x00014015dd3a in check_vertex_components .../wine/dlls/d3dx9_36/tests/mesh.c:6858:137
    #1 0x0001401173ef in test_weld_vertices .../wine/dlls/d3dx9_36/tests/mesh.c:8702:13
    #2 0x0001401173ef in func_mesh .../wine/dlls/d3dx9_36/tests/mesh.c:11869:5
    #3 0x000140224057 in run_test .../wine/include/wine/test.h:765:5
    #4 0x000140224057 in main .../wine/include/wine/test.h:884:12
    #5 0x000140225faf in mainCRTStartup .../wine/dlls/msvcrt/crt_main.c:58:11
    #6 0x6ffffbfd4808 in BaseThreadInitThunk .../wine/dlls/kernel32\thread.c:61:5
    #7 0x6ffffacefa1a in RtlUserThreadStart (C:\windows\system32\ntdll.dll+0x17000fa1a)

Address 0x7ffffe1f8794 is located in stack of thread T0 at offset 35796 in frame
    #0 0x0001400ead6f in func_mesh .../wine/dlls/d3dx9_36/tests/mesh.c:11843

  This frame has 590 object(s):
    [32, 104) 'adjacency.i2700' (line 11782)
    [144, 216) 'adjacency_out.i' (line 11782)
    [256, 264) 'buffer.i' (line 11785)
    [288, 296) 'mesh.i2701' (line 11786)
    [320, 328) 'data.i' (line 11790)
    [352, 872) 'declaration.i2526' (line 11593)
    ...
    [34928, 34952) 'adjacency23.i' (line 7796)
    [34992, 35072) 'exp_vertices23.i' (line 7797)
    [35104, 35128) 'exp_indices23.i' (line 7806)
    [35168, 35176) 'exp_face_remap23.i' (line 7807)
    [35200, 35224) 'exp_vertex_remap23.i' (line 7808)
    [35264, 35384) 'vertices24.i' (line 7811)
    [35424, 35448) 'indices24.i' (line 7821)
    [35488, 35496) 'attributes24.i' (line 7822)
    [35520, 35588) 'epsilons24.i' (line 7826)
    [35632, 35656) 'adjacency24.i' (line 7827)
    [35696, 35796) 'exp_vertices24.i' (line 7828) <== Memory access at offset 35796 overflows this variable
    [35840, 35864) 'exp_indices24.i' (line 7837)
    [35904, 35912) 'exp_face_remap24.i' (line 7838)
    [35936, 35960) 'exp_vertex_remap24.i' (line 7839)
    [36000, 36120) 'vertices25.i' (line 7844)
    [36160, 36184) 'indices25.i' (line 7854)
    [36224, 36232) 'attributes25.i' (line 7855)
    [36256, 36324) 'epsilons25.i' (line 7859)
    [36368, 36392) 'adjacency25.i' (line 7860)
    [36432, 36532) 'exp_vertices25.i' (line 7861)
    [36576, 36600) 'exp_indices25.i' (line 7870)
    [36640, 36648) 'exp_face_remap25.i' (line 7871)
    ...
    [57216, 57276) 'vertex.i27' (line 536)
    [57312, 57316) 'got_rad.i' (line 537)
    [57328, 57340) 'got_max.i' (line 469)
    [57360, 57372) 'got_min.i' (line 469)
    [57392, 57452) 'vertex.i' (line 469)
    [57488, 57500) 'bottom_point.i' (line 376)
    [57520, 57532) 'center.i' (line 376)
    [57552, 57564) 'top_point.i' (line 376)
    [57584, 57596) 'raydirection.i' (line 376)
    [57616, 57628) 'rayposition.i' (line 376)
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
      (longjmp, SEH and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow .../wine/dlls/d3dx9_36/tests/mesh.c:6858:137 in check_vertex_components
Shadow bytes around the buggy address:
  0x7ffffe1f8500: f2 f2 f2 f2 00 f2 f2 f2 00 00 00 f2 f2 f2 f2 f2
  0x7ffffe1f8580: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f2
  0x7ffffe1f8600: f2 f2 f2 f2 00 00 00 f2 f2 f2 f2 f2 00 f2 f2 f2
  0x7ffffe1f8680: 00 00 00 00 00 00 00 00 04 f2 f2 f2 f2 f2 00 00
  0x7ffffe1f8700: 00 f2 f2 f2 f2 f2 00 00 00 00 00 00 00 00 00 00
=>0x7ffffe1f8780: 00 00[04]f2 f2 f2 f2 f2 00 00 00 f2 f2 f2 f2 f2
  0x7ffffe1f8800: 00 f2 f2 f2 00 00 00 f2 f2 f2 f2 f2 00 00 00 00
  0x7ffffe1f8880: 00 00 00 00 00 00 00 00 00 00 00 f2 f2 f2 f2 f2
  0x7ffffe1f8900: 00 00 00 f2 f2 f2 f2 f2 00 f2 f2 f2 00 00 00 00
  0x7ffffe1f8980: 00 00 00 00 04 f2 f2 f2 f2 f2 00 00 00 f2 f2 f2
  0x7ffffe1f8a00: f2 f2 00 00 00 00 00 00 00 00 00 00 00 00 04 f2
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==1116==ABORTING
04a0:fixme:kernelbase:AppPolicyGetProcessTerminationMethod FFFFFFFFFFFFFFFA, 00007FFFFEA8FE80
make: *** [Makefile:106354: dlls/d3dx9_36/tests/x86_64-windows/mesh.ok] Fehler 1
```
From: Bernhard Übelacker bernhardu@mailbox.org
---
 dlls/d3dx9_36/tests/mesh.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/dlls/d3dx9_36/tests/mesh.c b/dlls/d3dx9_36/tests/mesh.c index 7164e31b0c8..ef472f00865 100644 --- a/dlls/d3dx9_36/tests/mesh.c +++ b/dlls/d3dx9_36/tests/mesh.c @@ -6854,7 +6854,7 @@ static void check_vertex_components(int line, int mesh_number, int vertex_number BOOL same = got[0] == exp[0] && got[1] == exp[1] && got[2] == exp[2] && got[3] == exp[3]; ok_(__FILE__,line)(same, "Mesh %d: Got (%hx, %hx, %hx, %hx) for vertex %d %s, expected (%hx, %hx, %hx, %hx).\n", - mesh_number, got[0], got[1], got[2], got[3], vertex_number, usage_strings[decl_ptr->Usage], exp[0], exp[1], exp[3], exp[4]); + mesh_number, got[0], got[1], got[2], got[3], vertex_number, usage_strings[decl_ptr->Usage], exp[0], exp[1], exp[2], exp[3]); break; } default:
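Review bot: The new indices are the right ones: the `same` check just above compares got[0..3] against exp[0..3], so the old message both skipped exp[2] and read exp[4], one element past the four values it was meant to print, which matches the 2-byte READ ASan reports at mesh.c:6858 exactly at the end of `exp_vertices24`. Since the one-line diff does not say why the indices move, it would help to state that in the commit message (the ASan summary line is enough), so the change is not mistaken for a cosmetic reorder.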