Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Executing AudioStreamMP3.set_data crashes Godot #78414

Closed
Tracked by #76797
qarmin opened this issue Jun 18, 2023 · 2 comments
Closed
Tracked by #76797

Executing AudioStreamMP3.set_data crashes Godot #78414

qarmin opened this issue Jun 18, 2023 · 2 comments
Labels
bug crash topic:audio

Comments

@qarmin
Copy link
Contributor

qarmin commented Jun 18, 2023

Godot version

4.1.beta.custom_build. a83eb16

System information

Ubuntu 22.04 CI

Issue description

When executing

extends Node
func _process(delta):

	var temp_variable4159 = AudioStreamMP3.new()
	temp_variable4159.set_loop_offset(-59.8713487386703)
	temp_variable4159.connect(StringName(""), Callable(BoxMesh.new(),""), 89)
	temp_variable4159.set_data(PackedByteArray([239, 34, 206, 191, 246, 208, 97, 192, 89, 248, 169, 77, 185, 44, 47, 253, 22, 36, 218, 195, 78, 83, 158, 202, 91]))

Godot crashes:

 ######################## Ending test ########################
ERROR: Method argument to Callable constructor must be a non-empty string
   at: Callable (core/variant/callable.cpp:341)
ERROR: Cannot connect to '': the provided callable is null.
   at: connect (core/object/object.cpp:1255)
=================================================================
==18062==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffd8c9615c0 at pc 0x7f36b9671c23 bp 0x7ffd8c95e850 sp 0x7ffd8c95dff8
WRITE of size 16064 at 0x7ffd8c9615c0 thread T0
    #0 0x7f36b9671c22 in __interceptor_memset ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:799
    #1 0x56149d9742c7 in mp3dec_ex_open_buf thirdparty/minimp3/minimp3_ex.h:681
    #2 0x56149d92c35c in AudioStreamMP3::set_data(Vector<unsigned char> const&) modules/minimp3/audio_stream_mp3.cpp:187
    #3 0x56149d94695d in void call_with_variant_args_helper<__UnexistingClass, Vector<unsigned char> const&, 0ul>(__UnexistingClass*, void (__UnexistingClass::*)(Vector<unsigned char> const&), Variant const**, Callable::CallError&, IndexSequence<0ul>) core/variant/binder_common.h:303
    #4 0x56149d945499 in void call_with_variant_args_dv<__UnexistingClass, Vector<unsigned char> const&>(__UnexistingClass*, void (__UnexistingClass::*)(Vector<unsigned char> const&), Variant const**, int, Callable::CallError&, Vector<Variant> const&) core/variant/binder_common.h:450
    #5 0x56149d9439ec in MethodBindT<Vector<unsigned char> const&>::call(Object*, Variant const**, int, Callable::CallError&) const core/object/method_bind.h:331
    #6 0x5614b4aa1caa in Object::callp(StringName const&, Variant const**, int, Callable::CallError&) core/object/object.cpp:739
    #7 0x5614b3ece2e6 in Variant::callp(StringName const&, Variant const**, int, Variant&, Callable::CallError&) core/variant/variant_call.cpp:1174
    #8 0x56149bb9c8b9 in GDScriptFunction::call(GDScriptInstance*, Variant const**, int, Callable::CallError&, GDScriptFunction::CallState*) modules/gdscript/gdscript_vm.cpp:1662
    #9 0x56149b495acc in GDScriptInstance::callp(StringName const&, Variant const**, int, Callable::CallError&) modules/gdscript/gdscript.cpp:1791
    #10 0x5614a8ed8a50 in bool Node::_gdvirtual__process_call<false>(double) scene/main/node.h:318
    #11 0x5614a8e135d4 in Node::_notification(int) scene/main/node.cpp:56
    #12 0x56149a18e771 in Node::_notificationv(int, bool) scene/main/node.h:49
    #13 0x5614b4aa31fe in Object::notification(int, bool) core/object/object.cpp:796
    #14 0x5614a8fc69a1 in SceneTree::_process_group(SceneTree::ProcessGroup*, bool) scene/main/scene_tree.cpp:939
    #15 0x5614a8fc9efe in SceneTree::_process(bool) scene/main/scene_tree.cpp:1019
    #16 0x5614a8fb7e43 in SceneTree::process(double) scene/main/scene_tree.cpp:504
    #17 0x5614998423fa in Main::iteration() main/main.cpp:3420
    #18 0x56149957347b in OS_LinuxBSD::run() platform/linuxbsd/os_linuxbsd.cpp:912
    #19 0x56149954e9b7 in main platform/linuxbsd/godot_linuxbsd.cpp:74
    #20 0x7f36b8d1dd8f  (/lib/x86_64-linux-gnu/libc.so.6+0x29d8f)
    #21 0x7f36b8d1de3f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x29e3f)
    #22 0x56149954e364 in _start (/home/runner/work/Qarminer/Qarminer/godot.linuxbsd.editor.dev.x86_64.san+0x3a3d5364)

Address 0x7ffd8c9615c0 is located in stack of thread T0 at offset 11488 in frame
    #0 0x56149d92c1c3 in AudioStreamMP3::set_data(Vector<unsigned char> const&) modules/minimp3/audio_stream_mp3.cpp:182

  This frame has 1 object(s):
    [32, 11488) 'mp3d' (line 186) <== Memory access at offset 11488 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:799 in __interceptor_memset

This example was found by Godot fuzzer - Qarminer, so it is quite unlikelly that this code could be used in real project, but still this should be handled gracefully.

Memory leaks or asan backtraces are visibe when using Godot build with sanitizers support - https://github.com/qarmin/GodotBuilds/actions (linux -> linux-editor-sanitizers)

Steps to reproduce

Above

Minimal reproduction project

Above
@MJacred MJacred mentioned this issue Aug 16, 2023
Open
@jsjtxietian
Copy link
Contributor

Tested on master, looks like it has a valid error message and did not crash now.
image

@qarmin
Copy link
Contributor Author

qarmin commented Nov 3, 2023

No longer crashes

@qarmin qarmin closed this as completed Nov 3, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug crash topic:audio
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@jsjtxietian @qarmin