Executing OS.get_screen_position() crashes Godot #46185

Closed
qarmin opened this issue Feb 18, 2021 · 0 comments · Fixed by #46517


qarmin commented Feb 18, 2021

Godot version:
Godot 3.2.4 rc 2

OS
Ubuntu 20.04 - Ubuntu 3.36 X11

Issue description:
Executing

```gdscript
func _process(_delta : float) -> void:
	if randi() % 2 == 0:
		print("Executing OS::get_screen_position")
		# The argument falls in [-50, 49], so negative screen indices are passed.
		OS.get_screen_position((randi() % int(100)) - int(100 / 2.0))
```

address sanitizer shows this info

==136839==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6030002935ba at pc 0x00000175fbd0 bp 0x7ffeaf4d1050 sp 0x7ffeaf4d1040
READ of size 2 at 0x6030002935ba thread T0
    #0 0x175fbcf in OS_X11::get_screen_position(int) const platform/x11/os_x11.cpp:1214
    #1 0x11f3ffcf in _OS::get_screen_position(int) const core/bind/core_bind.cpp:316
    #2 0xde3b06e in MethodBind1RC<Vector2, int>::call(Object*, Variant const**, int, Variant::CallError&) core/method_bind.gen.inc:1333
    #3 0x1143c6b7 in Object::call(StringName const&, Variant const**, int, Variant::CallError&) core/object.cpp:919
    #4 0x116bdb81 in Variant::call_ptr(StringName const&, Variant const**, int, Variant*, Variant::CallError&) core/variant_call.cpp:1129
    #5 0x1d88805 in GDScriptFunction::call(GDScriptInstance*, Variant const**, int, Variant::CallError&, GDScriptFunction::CallState*) modules/gdscript/gdscript_function.cpp:1086
    #6 0x1bb8a70 in GDScriptInstance::call_multilevel(StringName const&, Variant const**, int) modules/gdscript/gdscript.cpp:1254
    #7 0xbfa5103 in Node::_notification(int) scene/main/node.cpp:60
    #8 0x1a65a17 in Node::_notificationv(int, bool) scene/main/node.h:46
    #9 0x1a67e8c in CanvasItem::_notificationv(int, bool) scene/2d/canvas_item.h:166
    #10 0xda83db0 in Node2D::_notificationv(int, bool) scene/2d/node_2d.h:38
    #11 0x1143cb51 in Object::notification(int, bool) core/object.cpp:929
    #12 0xc0d2559 in SceneTree::_notify_group_pause(StringName const&, int) scene/main/scene_tree.cpp:988
    #13 0xc0c2e1b in SceneTree::idle(float) scene/main/scene_tree.cpp:528
    #14 0x18cbf18 in Main::iteration() main/main.cpp:2113
    #15 0x17b7316 in OS_X11::run() platform/x11/os_x11.cpp:3634
    #16 0x1724f66 in main platform/x11/godot_x11.cpp:56
    #17 0x7f68abcae0b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
    #18 0x1724b7d in _start (/usr/bin/godots+0x1724b7d)

0x6030002935ba is located 6 bytes to the left of 24-byte region [0x6030002935c0,0x6030002935d8)
freed by thread T0 here:
    #0 0x7f68ace271b7 in __interceptor_free (/lib/x86_64-linux-gnu/libasan.so.6+0xb01b7)
    #1 0x11979b56 in Memory::free_static(void*, bool) core/os/memory.cpp:178
    #2 0x9507bca in CowData<Node*>::_unref(void*) core/cowdata.h:213
    #3 0x94f9004 in CowData<Node*>::~CowData() core/cowdata.h:377
    #4 0x94f225a in Vector<Node*>::~Vector() core/vector.h:126
    #5 0xc0d2974 in SceneTree::_notify_group_pause(StringName const&, int) scene/main/scene_tree.cpp:970
    #6 0xc0bfee9 in SceneTree::iteration(float) scene/main/scene_tree.cpp:480
    #7 0x18caae5 in Main::iteration() main/main.cpp:2090
    #8 0x17b7316 in OS_X11::run() platform/x11/os_x11.cpp:3634
    #9 0x1724f66 in main platform/x11/godot_x11.cpp:56
    #10 0x7f68abcae0b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)

previously allocated by thread T0 here:
    #0 0x7f68ace27517 in malloc (/lib/x86_64-linux-gnu/libasan.so.6+0xb0517)
    #1 0x11978c49 in Memory::alloc_static(unsigned long, bool) core/os/memory.cpp:82
    #2 0x9516a9a in CowData<Node*>::_copy_on_write() core/cowdata.h:228
    #3 0x950f27c in CowData<Node*>::ptrw() core/cowdata.h:117
    #4 0x950108c in Vector<Node*>::ptrw() core/vector.h:75
    #5 0xc0d1c90 in SceneTree::_notify_group_pause(StringName const&, int) scene/main/scene_tree.cpp:973
    #6 0xc0bfee9 in SceneTree::iteration(float) scene/main/scene_tree.cpp:480
    #7 0x18caae5 in Main::iteration() main/main.cpp:2090
    #8 0x17b7316 in OS_X11::run() platform/x11/os_x11.cpp:3634
    #9 0x1724f66 in main platform/x11/godot_x11.cpp:56
    #10 0x7f68abcae0b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)

SUMMARY: AddressSanitizer: heap-buffer-overflow platform/x11/os_x11.cpp:1214 in OS_X11::get_screen_position(int) const

pdfrod added a commit to pdfrod/godot that referenced this issue Feb 28, 2021
The problem happened on methods `screen_get_position`,
`screen_get_usable_rect` and `window_set_current_screen` when they were
passed a negative screen value.

Fixes:
- godotengine#46184
- godotengine#46185
- godotengine#46186

pdfrod added a commit to pdfrod/godot that referenced this issue Feb 28, 2021
The problem happened on methods `get_screen_position`, `get_screen_size`
and `set_current_screen` when they were passed a negative screen value.

Fixes:
- godotengine#46184
- godotengine#46185
- godotengine#46186

akien-mga added this to the 4.0 milestone Feb 28, 2021
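
The commit messages attribute the crash to a negative screen value reaching the array access. The following is an added example, not code from Godot or from the fix in #46517, that contrasts an upper-bound-only index check with a full range check over the same argument range the reproduction script generates. `ScreenInfo`, `kScreens` and every function name are hypothetical, and the upper-bound-only check is an assumed illustration of how a negative index can pass validation; the page does not show the pre-fix source.

```cpp
#include <cstddef>
#include <cstdio>
#include <vector>

// Hypothetical stand-in for a per-screen record; not Godot's or X11's type.
struct ScreenInfo { short x_org; short y_org; };

// Constructed sample data: two screens side by side.
static const std::vector<ScreenInfo> kScreens = {{0, 0}, {1920, 0}};

// Assumed weak validation: only the upper bound is tested, with a signed
// count. Returns true when the index would be allowed to reach the array.
bool upper_bound_only_accepts(int screen, int count) {
    return !(screen >= count);
}

// Full validation: both bounds are tested before any element is touched.
bool index_in_range(int screen, int count) {
    return screen >= 0 && screen < count;
}

// Hardened lookup: writes the record and returns true only for a valid
// index; otherwise leaves *out untouched and returns false.
bool screen_position_checked(int screen, ScreenInfo *out) {
    const int count = static_cast<int>(kScreens.size());
    if (!index_in_range(screen, count)) {
        return false;
    }
    *out = kScreens[static_cast<std::size_t>(screen)];
    return true;
}

// Counts how many values from the reproduction script's argument range
// [-50, 49] each validation lets through for a given screen count.
struct Tally { int weak; int strict; };
Tally tally_script_range(int count) {
    Tally t{0, 0};
    for (int r = 0; r < 100; ++r) {
        const int screen = r - 50; // same arithmetic as (randi() % 100) - 50
        t.weak += upper_bound_only_accepts(screen, count) ? 1 : 0;
        t.strict += index_in_range(screen, count) ? 1 : 0;
    }
    return t;
}

int main() {
    const Tally t = tally_script_range(2);
    std::printf("upper-bound-only: %d of 100 pass, full check: %d\n", t.weak, t.strict);
}
```

With two screens, the upper-bound-only check lets every negative value through to the array access, while the full check admits only indices 0 and 1.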