Executing NoiseTexture._generate_texture crashes Godot #61044

Closed
qarmin opened this issue May 15, 2022 · 2 comments · Fixed by #70919

Comments


qarmin commented May 15, 2022

Godot version

4.0.alpha.custom_build. 516ec89

System information

Ubuntu 22.04 - Nvidia GTX 970, Gnome shell 42 X11

Issue description

When executing

	var temp_variable8808 = NoiseTexture.new()
	temp_variable8808.set_noise(FastNoiseLite.new())
	temp_variable8808.set_seamless(true)
	temp_variable8808.set_width(1)
	temp_variable8808._generate_texture()

Godot crashes with this backtrace

==13003==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61900039f790 at pc 0x0000072127c3 bp 0x7ffe55ca3bd0 sp 0x7ffe55ca3bc0
READ of size 1 at 0x61900039f790 thread T0
    #0 0x72127c2 in Ref<Image> Noise::_generate_seamless_image<unsigned char>(Ref<Image>, int, int, bool, float) const modules/noise/noise.h:182
    #1 0x720d9e2 in Noise::get_seamless_image(int, int, bool, bool, float) const modules/noise/noise.cpp:44
    #2 0x72396ea in NoiseTexture::_generate_texture() modules/noise/noise_texture.cpp:158
    #3 0x7268b73 in void call_with_variant_args_ret_helper<__UnexistingClass, Ref<Image>>(__UnexistingClass*, Ref<Image> (__UnexistingClass::*)(), Variant const**, Variant&, Callable::CallError&, IndexSequence<>) core/variant/binder_common.h:654
    #4 0x7263032 in void call_with_variant_args_ret_dv<__UnexistingClass, Ref<Image>>(__UnexistingClass*, Ref<Image> (__UnexistingClass::*)(), Variant const**, int, Variant&, Callable::CallError&, Vector<Variant> const&) core/variant/binder_common.h:467
    #5 0x725b8b8 in MethodBindTR<Ref<Image>>::call(Object*, Variant const**, int, Callable::CallError&) core/object/method_bind.h:495
    #6 0x1afc564f in Object::callp(StringName const&, Variant const**, int, Callable::CallError&) core/object/object.cpp:838
    #7 0x1a6b2673 in Variant::callp(StringName const&, Variant const**, int, Variant&, Callable::CallError&) core/variant/variant_call.cpp:1021
    #8 0x8fdb312 in GDScriptFunction::call(GDScriptInstance*, Variant const**, int, Callable::CallError&, GDScriptFunction::CallState*) modules/gdscript/gdscript_vm.cpp:1545
    #9 0x8a76ff7 in GDScriptInstance::callp(StringName const&, Variant const**, int, Callable::CallError&) modules/gdscript/gdscript.cpp:1543
    #10 0x110a8dbb in bool Node::_gdvirtual__process_call<false>(double) scene/main/node.h:235
    #11 0x1100f56e in Node::_notification(int) scene/main/node.cpp:56
    #12 0x34034e3 in Node::_notificationv(int, bool) scene/main/node.h:45
    #13 0x1afc5a5f in Object::notification(int, bool) core/object/object.cpp:847
    #14 0x11161a0d in SceneTree::_notify_group_pause(StringName const&, int) scene/main/scene_tree.cpp:855
    #15 0x111544fd in SceneTree::process(double) scene/main/scene_tree.cpp:454
    #16 0x25ab314 in Main::iteration() main/main.cpp:2745
    #17 0x240f211 in OS_LinuxBSD::run() platform/linuxbsd/os_linuxbsd.cpp:441
    #18 0x23f7d7b in main platform/linuxbsd/godot_linuxbsd.cpp:68
    #19 0x7f2a2e50fd8f  (/lib/x86_64-linux-gnu/libc.so.6+0x29d8f)
    #20 0x7f2a2e50fe3f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x29e3f)
    #21 0x23f782d in _start (/usr/bin/godot4s+0x23f782d)

0x61900039f790 is located 0 bytes to the right of 1040-byte region [0x61900039f380,0x61900039f790)
allocated by thread T0 here:
    #0 0x7f2a2f1ae868 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:144
    #1 0x19b5c335 in Memory::alloc_static(unsigned long, bool) core/os/memory.cpp:75
    #2 0x34e6e9d in CowData<unsigned char>::resize(int) core/templates/cowdata.h:287
    #3 0x34206f0 in Vector<unsigned char>::resize(int) core/templates/vector.h:91
    #4 0x720de15 in Noise::get_image(int, int, bool, bool) const modules/noise/noise.cpp:63
    #5 0x720d826 in Noise::get_seamless_image(int, int, bool, bool, float) const modules/noise/noise.cpp:41
    #6 0x72396ea in NoiseTexture::_generate_texture() modules/noise/noise_texture.cpp:158
    #7 0x7268b73 in void call_with_variant_args_ret_helper<__UnexistingClass, Ref<Image>>(__UnexistingClass*, Ref<Image> (__UnexistingClass::*)(), Variant const**, Variant&, Callable::CallError&, IndexSequence<>) core/variant/binder_common.h:654
    #8 0x7263032 in void call_with_variant_args_ret_dv<__UnexistingClass, Ref<Image>>(__UnexistingClass*, Ref<Image> (__UnexistingClass::*)(), Variant const**, int, Variant&, Callable::CallError&, Vector<Variant> const&) core/variant/binder_common.h:467
    #9 0x725b8b8 in MethodBindTR<Ref<Image>>::call(Object*, Variant const**, int, Callable::CallError&) core/object/method_bind.h:495
    #10 0x1afc564f in Object::callp(StringName const&, Variant const**, int, Callable::CallError&) core/object/object.cpp:838
    #11 0x1a6b2673 in Variant::callp(StringName const&, Variant const**, int, Variant&, Callable::CallError&) core/variant/variant_call.cpp:1021
    #12 0x8fdb312 in GDScriptFunction::call(GDScriptInstance*, Variant const**, int, Callable::CallError&, GDScriptFunction::CallState*) modules/gdscript/gdscript_vm.cpp:1545
    #13 0x8a76ff7 in GDScriptInstance::callp(StringName const&, Variant const**, int, Callable::CallError&) modules/gdscript/gdscript.cpp:1543
    #14 0x110a8dbb in bool Node::_gdvirtual__process_call<false>(double) scene/main/node.h:235
    #15 0x1100f56e in Node::_notification(int) scene/main/node.cpp:56
    #16 0x34034e3 in Node::_notificationv(int, bool) scene/main/node.h:45
    #17 0x1afc5a5f in Object::notification(int, bool) core/object/object.cpp:847
    #18 0x11161a0d in SceneTree::_notify_group_pause(StringName const&, int) scene/main/scene_tree.cpp:855
    #19 0x111544fd in SceneTree::process(double) scene/main/scene_tree.cpp:454
    #20 0x25ab314 in Main::iteration() main/main.cpp:2745
    #21 0x240f211 in OS_LinuxBSD::run() platform/linuxbsd/os_linuxbsd.cpp:441
    #22 0x23f7d7b in main platform/linuxbsd/godot_linuxbsd.cpp:68
    #23 0x7f2a2e50fd8f  (/lib/x86_64-linux-gnu/libc.so.6+0x29d8f)

SUMMARY: AddressSanitizer: heap-buffer-overflow modules/noise/noise.h:182 in Ref<Image> Noise::_generate_seamless_image<unsigned char>(Ref<Image>, int, int, bool, float) const

This example was found by the Godot fuzzer Qarminer, so it is quite unlikely that this code could be used in a real project, but still this should be handled gracefully.

Steps to reproduce

Above

Minimal reproduction project

No response
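Triaging fuzzer-found sanitizer reports like the one above usually starts by reducing each report to a de-duplication signature plus the two source sites a fix has to look at: where the bad access happened and where the overrun buffer was allocated. The following Python is an added example, not Godot's or Qarminer's own tooling; it parses a trimmed copy of the report quoted in this issue, and the `modules/` path prefix it uses to pick the project-level frame is an assumption.

```python
import re

# Constructed excerpt of the AddressSanitizer report quoted in this issue,
# trimmed to the lines the triage logic needs.
ASAN_REPORT = """\
==13003==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61900039f790 at pc 0x0000072127c3 bp 0x7ffe55ca3bd0 sp 0x7ffe55ca3bc0
READ of size 1 at 0x61900039f790 thread T0
    #0 0x72127c2 in Ref<Image> Noise::_generate_seamless_image<unsigned char>(Ref<Image>, int, int, bool, float) const modules/noise/noise.h:182
    #1 0x720d9e2 in Noise::get_seamless_image(int, int, bool, bool, float) const modules/noise/noise.cpp:44
    #2 0x72396ea in NoiseTexture::_generate_texture() modules/noise/noise_texture.cpp:158

0x61900039f790 is located 0 bytes to the right of 1040-byte region [0x61900039f380,0x61900039f790)
allocated by thread T0 here:
    #0 0x7f2a2f1ae868 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:144
    #1 0x19b5c335 in Memory::alloc_static(unsigned long, bool) core/os/memory.cpp:75
    #2 0x34206f0 in Vector<unsigned char>::resize(int) core/templates/vector.h:91
    #3 0x720de15 in Noise::get_image(int, int, bool, bool) const modules/noise/noise.cpp:63
"""

ERROR_RE = re.compile(r"ERROR: AddressSanitizer: (\S+) on address (0x[0-9a-f]+)")
ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+)", re.M)
REGION_RE = re.compile(r"is located (\d+) bytes to the (left|right) of (\d+)-byte region")
FRAME_RE = re.compile(r"^\s*#\d+ 0x[0-9a-f]+ in (.+) (\S+:\d+)$")  # -> (function, file:line)

def _frames(block):
    """Symbolized frames of one stack as [(function, file:line), ...]."""
    return [m.groups() for m in map(FRAME_RE.match, block.splitlines()) if m]

def parse_asan(report):
    """Split an ASan report into its header fields, fault stack and allocation stack."""
    fault_part, _, alloc_part = report.partition("allocated by thread")
    err, acc, reg = (r.search(report) for r in (ERROR_RE, ACCESS_RE, REGION_RE))
    return {"error": err.group(1), "address": err.group(2),
            "access": acc.group(1), "size": int(acc.group(2)),
            "offset": int(reg.group(1)), "side": reg.group(2), "region": int(reg.group(3)),
            "fault_stack": _frames(fault_part), "alloc_stack": _frames(alloc_part)}

def triage(report, project_prefix="modules/"):
    """Bucket key for de-duplicating fuzzer crashes plus the two sites a fix needs to look at."""
    p = parse_asan(report)
    def site(stack):  # first frame inside the project tree (skips sanitizer/core frames)
        return next(f[1] for f in stack if f[1].startswith(project_prefix))
    # Offset 0 to the right of the region is a one-past-the-end access (classic off-by-one).
    kind = "off-by-one" if p["side"] == "right" and p["offset"] == 0 else "out-of-bounds"
    return {"signature": f'{p["error"]}|{p["access"]}|{site(p["fault_stack"])}',
            "kind": kind, "fault_site": site(p["fault_stack"]),
            "alloc_site": site(p["alloc_stack"]),
            "region_bytes": p["region"], "size": p["size"]}
```

Running `triage` over every report from a fuzzing campaign and grouping by `signature` collapses repeated hits of the same bug into one bucket, while `fault_site` and `alloc_site` point straight at the read in `_generate_seamless_image` and the buffer sized in `get_image`.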


Klowner commented Oct 31, 2022

Can't reproduce in current master (e22a1d8)
(Changed NoiseTexture to NoiseTexture2D to make example work)


qarmin commented Oct 31, 2022

The problem still happens with 4.0.beta.custom_build. c51a427, and it looks like a sanitizer build is required to see it.

	var temp_variable8808 = NoiseTexture2D.new()
	temp_variable8808.set_noise(FastNoiseLite.new())
	temp_variable8808.set_seamless(true)
	temp_variable8808.set_width(1)
	temp_variable8808._generate_texture()
