Crash in ESM reader when NPC record has DNAM record without DODT one
I was bored, so I fuzzed esmtool a bit, and found the following crash, which looks like a NULL-deref:
jvoisin@grimhilde 17:03 ~/dev/openmw gdb --args ./esmtool dump my_file
Reading symbols from ./esmtool...done.
gdb-peda$ r
Starting program: /home/jvoisin/dev/openmw/esmtool dump finding_dirs/crashes/id:000008,sig:11,src:000077,op:flip1,pos:984
[Thread debugging using libthread_db enabled]
Author: Melchior Dahrk
Description:
File format version: 1.3
Masters:
Morrowind.esm, 79837557 bytes
Tribunal.esm, 4565686 bytes
Bloodmoon.esm, 9631798 bytes
MD_Azurian Isles.esm, 18181187 bytes
Record: NPC_ 'az_NPC_az_slums_m_01'
Name: Bog-Ku
Animation: base_animKnA.nif
Hair Model: _ash_arg_feather06
Head Model:
Race: b_n_argonian_m_head_03
Class: Thief
Flags: Unknown Autocalc (0x00000018)
Level: 12
Reputation: 0
Disposition: 50
Rank: 0
Gold: 0
Inventory: Count: 1 Item: steel tanto
Inventory: Count: 1 Item: common_shirt_02
Inventory: Count: 1 Item: common_pants_03_c
Inventory: Count: 3 Item: az_rand_Misc_small
Artifical Intelligence: 1
AI Hello:30
AI Fight:30
AI Flee:30
AI Alarm:40
AI U1:0
AI U2:0
AI U3:0
AI U4:0
AI Services:0x00000000
AI Type: Wander (0x575F4941)
Distance: 0
Duration: 5
Time of Day: 0
Idle: 60 20 10 0 0 0 0 0
Deleted: 0
Program received signal SIGSEGV, Segmentation fault.
[----------------------------------registers-----------------------------------]
RAX: 0x7fffffffd870 --> 0x7fffffffd880 ("Re Heshr")
RBX: 0x5555559e1108 --> 0x0
RCX: 0x7fffffffd880 ("Re Heshr")
RDX: 0x8
RSI: 0x7fffffffd880 ("Re Heshr")
RDI: 0x0
RBP: 0x7fffffffd870 --> 0x7fffffffd880 ("Re Heshr")
RSP: 0x7fffffffd860 --> 0x3000000000000000 ('')
RIP: 0x555555794255 (<ESM::Transport::add(ESM::ESMReader&)+1301>: mov rdx,QWORD PTR [rdi-0x20])
R8 : 0x5555559d4840 ("Re Heshr")
R9 : 0x8d
R10: 0x5555559d4840 ("Re Heshr")
R11: 0x0
R12: 0x7fffffffd9c0 --> 0x7fffffffd9d0 --> 0x0
R13: 0x0
R14: 0x7fffffffd9d0 --> 0x0
R15: 0x5555559e1258 --> 0xaaaaaaaaaaaaaa00
EFLAGS: 0x10246 (carry PARITY adjust ZERO sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
0x55555579424a <ESM::Transport::add(ESM::ESMReader&)+1290>: mov rdi,QWORD PTR [rbx+0x8]
0x55555579424e <ESM::Transport::add(ESM::ESMReader&)+1294>: lea rsi,[rbp+0x10]
0x555555794252 <ESM::Transport::add(ESM::ESMReader&)+1298>: cmp rcx,rsi
=> 0x555555794255 <ESM::Transport::add(ESM::ESMReader&)+1301>: mov rdx,QWORD PTR [rdi-0x20]
0x555555794259 <ESM::Transport::add(ESM::ESMReader&)+1305>: lea r8,[rdi-0x10]
0x55555579425d <ESM::Transport::add(ESM::ESMReader&)+1309>: je 0x5555557944b0 <ESM::Transport::add(ESM::ESMReader&)+1904>
0x555555794263 <ESM::Transport::add(ESM::ESMReader&)+1315>: nop
0x555555794264 <ESM::Transport::add(ESM::ESMReader&)+1316>: lea rsp,[rsp-0x98]
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffd860 --> 0x3000000000000000 ('')
0008| 0x7fffffffd868 --> 0x165f73f78047c200
0016| 0x7fffffffd870 --> 0x7fffffffd880 ("Re Heshr")
0024| 0x7fffffffd878 --> 0x8
0032| 0x7fffffffd880 ("Re Heshr")
0040| 0x7fffffffd888 --> 0x7fffffffd900 --> 0x5555559e1108 --> 0x0
0048| 0x7fffffffd890 --> 0x0
0056| 0x7fffffffd898 --> 0x7fffffffd9d0 --> 0x0
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::operator= (__str=..., this=0xffffffffffffffe0)
at /usr/include/c++/7/bits/basic_string.h:725
725 if (!_M_is_local() && _Alloc_traits::_S_propagate_on_move_assign()
gdb-peda$ bt
#0 std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::operator= (__str=..., this=0xffffffffffffffe0)
at /usr/include/c++/7/bits/basic_string.h:725
#1 ESM::Transport::add (this=this@entry=0x5555559e1108, esm=...) at /home/jvoisin/dev/openmw/components/esm/transport.cpp:19
#2 0x000055555572d8bd in ESM::NPC::load (this=0x5555559e1088, esm=..., isDeleted=@0x5555559e1258: 0x0)
at /home/jvoisin/dev/openmw/components/esm/loadnpc.cpp:102
#3 0x0000555555588efa in load (info=...) at /home/jvoisin/dev/openmw/apps/esmtool/esmtool.cpp:375
#4 0x0000555555580c30 in main (argc=argc@entry=0x3, argv=argv@entry=0x7fffffffe2e8) at /home/jvoisin/dev/openmw/apps/esmtool/esmtool.cpp:221
#5 0x00007ffff6c26b97 in __libc_start_main (main=0x555555580b20 <main(int, char**)>, argc=0x3, argv=0x7fffffffe2e8, init=<optimized out>,
fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe2d8) at ../csu/libc-start.c:310
#6 0x00005555555862fa in _start ()
gdb-peda$ quit
Edited by Andrei Kortunov
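What the backtrace shows, and the guard it calls for, as an added example that is not part of the original report or of OpenMW's transport.cpp: frame #0 is a std::string assignment whose `this` is 0xffffffffffffffe0, a small negative address, which is what std::vector::back() yields on an empty vector (end() - 1 of a vector whose storage pointer is still null, plus the offset of the name field inside the element; RDI is 0 at the faulting instruction). That matches the title: a DODT subrecord starts a travel destination and the following DNAM names it, so a DNAM that arrives with no DODT before it writes through back() of an empty list. The model below keeps that shape and rejects the malformed ordering instead. The subrecord layout used here (4-byte tag, 4-byte little-endian length, payload), the names Transport, Dest, parseTransport and putSub, and the constructed byte buffers are assumptions for this example, simplified from the real format.

```cpp
// Added illustration, not OpenMW's code: a minimal model of consuming the
// travel-service subrecords of an NPC_ record, with the missing guard.
// Assumed layout: each subrecord is a 4-byte tag, a 4-byte little-endian
// length, then the payload. DODT carries six floats (24 bytes) and DNAM
// carries a NUL-terminated cell name.
#include <cstdint>
#include <cstring>
#include <string>
#include <vector>

struct Dest {
    float pos[6] = {0.f, 0.f, 0.f, 0.f, 0.f, 0.f};
    std::string cellName;
};

struct Transport {
    std::vector<Dest> list;

    // Hardened subrecord handler. The unguarded form does
    //     list.back().cellName = name;
    // for every DNAM; with no DODT seen yet, list is empty, back() is
    // end()-1 of a null buffer, and the string assignment faults exactly
    // as in the backtrace above. Returning false lets the caller reject
    // the record instead.
    bool add(const std::string& tag, const std::vector<uint8_t>& payload) {
        if (tag == "DODT") {
            if (payload.size() != sizeof(float) * 6) return false; // wrong size
            Dest d;
            std::memcpy(d.pos, payload.data(), sizeof(d.pos));
            list.push_back(d);
            return true;
        }
        if (tag == "DNAM") {
            if (list.empty()) return false; // DNAM without a preceding DODT
            std::string name(payload.begin(), payload.end());
            while (!name.empty() && name.back() == '\0') name.pop_back();
            list.back().cellName = name;
            return true;
        }
        return true; // other subrecords are not handled by this model
    }
};

// Walk a buffer of subrecords without trusting the length fields.
bool parseTransport(const std::vector<uint8_t>& buf, Transport& out) {
    size_t off = 0;
    while (off < buf.size()) {
        if (buf.size() - off < 8) return false; // truncated header
        std::string tag(reinterpret_cast<const char*>(&buf[off]), 4);
        uint32_t len = 0;
        std::memcpy(&len, &buf[off + 4], 4); // assumes a little-endian host
        off += 8;
        if (len > buf.size() - off) return false; // length overruns buffer
        std::vector<uint8_t> payload(buf.begin() + off, buf.begin() + off + len);
        off += len;
        if (!out.add(tag, payload)) return false;
    }
    return true;
}

// Helpers that build constructed sample input for the example.
static void putSub(std::vector<uint8_t>& buf, const char* tag,
                   const std::vector<uint8_t>& payload) {
    buf.insert(buf.end(), tag, tag + 4);
    uint32_t len = static_cast<uint32_t>(payload.size());
    uint8_t lenBytes[4];
    std::memcpy(lenBytes, &len, 4);
    buf.insert(buf.end(), lenBytes, lenBytes + 4);
    buf.insert(buf.end(), payload.begin(), payload.end());
}

static std::vector<uint8_t> dodtPayload(float x, float y, float z) {
    float pos[6] = {x, y, z, 0.f, 0.f, 0.f};
    std::vector<uint8_t> p(sizeof(pos));
    std::memcpy(p.data(), pos, sizeof(pos));
    return p;
}

static std::vector<uint8_t> dnamPayload(const std::string& name) {
    std::vector<uint8_t> p(name.begin(), name.end());
    p.push_back(0);
    return p;
}

// Well-formed: DODT followed by the DNAM that names it.
std::vector<uint8_t> goodRecord() {
    std::vector<uint8_t> buf;
    putSub(buf, "DODT", dodtPayload(1.f, 2.f, 3.f));
    putSub(buf, "DNAM", dnamPayload("Re Heshr"));
    return buf;
}

// The fuzzed shape from the report: DNAM with no DODT before it.
std::vector<uint8_t> badRecord() {
    std::vector<uint8_t> buf;
    putSub(buf, "DNAM", dnamPayload("Re Heshr"));
    return buf;
}

int main() {
    Transport ok, bad;
    bool okRes = parseTransport(goodRecord(), ok);
    bool badRes = parseTransport(badRecord(), bad);
    return (okRes && !badRes) ? 0 : 1;
}
```

parseTransport returns false for the fuzzed ordering (DNAM before any DODT), for a length field that overruns the buffer, and for a truncated header, so the caller can report the record instead of crashing. In the project itself the rejection would go through the reader's own error-reporting path rather than a bool, but the check is the same: never touch mList.back() until the DODT that populates it has been read.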