buffer overflow in vis stage
When compiling a map, the vis stage crashes under ASan:
$ /home/matthias/vcs/git/xonotic/netradiant/install/q3map2 -fs_forbiddenpath xonotic*-data*.pk3* -fs_forbiddenpath xonotic*-nexcompat*.pk3* -game xonotic -fs_basepath /home/matthias/vcs/git/xonotic -fs_basepath /tmp/xonotic-map-compiler._FbwNg -v -light -lightmapsize 1024 -lightmapsearchpower 4 -deluxe -patchshadows -randomsamples -samples 4 -fast -fastbounce -dirty -bouncegrid -fill -bounce 8 -dirtscale 2 -gamma 0.7 -sRGBtex -sRGBcolor -sRGBlight dance.map
Using timeout: 0
2.5.17n-git-c4db029
threads: 4
Q3Map - v1.0r (c) 1999 Id Software Inc.
Q3Map (ydnar) - v2.5.17n-git-c4db029
NetRadiant - v1.5.0n-git-c4db029 Mar 19 2017 11:25:37
Your map saw the pretty lights from q3map2's BFG
--- InitPaths ---
VFS Init: /home/matthias/.xonotic/data/
VFS Init: /home/matthias/vcs/git/xonotic/data/
VFS Init: /tmp/xonotic-map-compiler._FbwNg/data/
--- Light ---
--- ProcessGameSpecific ---
lightning model: quake3
lightmap size: 128 x 128 pixels
lightning gamma: 1.000000
lightmap colorspace: sRGB
texture colorspace: sRGB
_color colorspace: sRGB
lightning compensation: 1.000000
lightning exposure: 0.000000
lightgrid scale: 1.000000
lightgrid ambient scale: 1.000000
shader lightstyles hack: disabled
patch shadows: enabled
deluxemapping: enabled with modelspace deluxemaps
--- ProcessCommandLine ---
Default lightmap size set to 1024 x 1024 pixels
Storing all lightmaps externally
Restricted lightmap searching enabled - optimize for lightmap merge power 4 (size 2048)
Generating deluxemaps for average light direction
Patch shadow casting enabled
Random sampling enabled
Adaptive supersampling enabled with 4 sample(s) per lightmap texel
Fast mode enabled for all area lights
Fast bounce mode enabled
Dirtmapping enabled
Filling lightmap colors from surrounding pixels to improve JPEG compression
Radiosity enabled with 8 bounce(s)
Dirtmapping scale set to 2.0
Lighting gamma set to 0.700000
Textures are in sRGB
Colors are in sRGB
Lighting is in sRGB
Adaptive supersampling preset enabled with 256 random sample(s) per lightmap texel
Restricted lightmap searching enabled - block size adjusted to 4
Map has shader script /home/matthias/vcs/git/xonotic/data/xonotic-maps.pk3dir/maps/../scripts/q3map2_dance.shader
entering scripts/shaderlist.txt
entering scripts/shaderlist.txt (2)
entering scripts/shaderlist.txt (3)
entering scripts/alphamod.shader
entering scripts/common.shader
entering scripts/decals.shader
entering scripts/effects_beam.shader
entering scripts/effects_forcefield.shader
entering scripts/effects_healpod.shader
entering scripts/effects_item.shader
entering scripts/effects_jumppad.shader
entering scripts/effects_lightning.shader
entering scripts/effects_warpzone.shader
entering scripts/ex2x.shader
entering scripts/exomorphx.shader
entering scripts/exx.shader
entering scripts/facility114invx.shader
entering scripts/facility114x.shader
entering scripts/glassx.shader
entering scripts/liquids_lava.shader
entering scripts/liquids_slime.shader
entering scripts/liquids_water.shader
entering scripts/logos.shader
entering scripts/map_atelier.shader
entering scripts/map_boil.shader
entering scripts/map_catharsis.shader
entering scripts/map_courtfun.shader
entering scripts/map_darkzone.shader
entering scripts/map_erbium.shader
tools/quake3/q3map2/shaders.c:722:30: runtime error: index 3 out of bounds for type 'vec3_t' (aka 'vec_t [3]')
SUMMARY: AddressSanitizer: undefined-behavior tools/quake3/q3map2/shaders.c:722:30 in
entering scripts/map_geoplanetary.shader
entering scripts/map_glowplant.shader
entering scripts/map_implosion.shader
entering scripts/map_leave_em_behind.shader
entering scripts/map_oilrig.shader
entering scripts/map_silentsiege.shader
entering scripts/map_solarium.shader
entering scripts/map_space-elevator.shader
entering scripts/map_stormkeep.shader
entering scripts/map_techassault.shader
entering scripts/map_warfare.shader
entering scripts/map_xoylent.shader
entering scripts/metaltechx.shader
entering scripts/model_bigfan01.shader
entering scripts/model_crate02.shader
entering scripts/model_crystals.shader
entering scripts/model_desertfactory.shader
entering scripts/model_teleporters.shader
entering scripts/model_trak.shader
entering scripts/model_tree.shader
entering scripts/model_walker-static.shader
entering scripts/model_xonotic_jumppad01.shader
entering scripts/narmorx.shader
entering scripts/phillipk1x.shader
entering scripts/phillipk2x.shader
entering scripts/proceduralx.shader
entering scripts/screens.shader
entering scripts/skies_calm_sea.shader
entering scripts/skies_distant_sunset.shader
entering scripts/skies_exosystem2.shader
entering scripts/skies_exosystem.shader
entering scripts/skies_extragalactic.shader
entering scripts/skies_heaven.shader
entering scripts/skies_polluted_earth.shader
entering scripts/stein1x.shader
entering scripts/techpanelx.shader
entering scripts/terrain01x.shader
entering scripts/trak4x.shader
entering scripts/trak5x.shader
entering scripts/trak6x.shader
entering scripts/trak7x.shader
1266 shaderInfo
Loading /home/matthias/vcs/git/xonotic/data/xonotic-maps.pk3dir/maps/dance.map
Loading /home/matthias/vcs/git/xonotic/data/xonotic-maps.pk3dir/maps/dance.srf
libpng error: bad parameters to zlib
WARNING: An error occurred reading PNG image
=================================================================
==10527==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x63200004692b at pc 0x00000052d332 bp 0x7ffebb269960 sp 0x7ffebb269958
READ of size 1 at 0x63200004692b thread T0
#0 0x52d331 in GetToken /home/matthias/vcs/git/xonotic/netradiant/tools/quake3/common/scriplib.c:199:10
#1 0x57c264 in ParseEntity /home/matthias/vcs/git/xonotic/netradiant/tools/quake3/q3map2/bspfile_abstract.c:537:8
#2 0x57bd84 in ParseEntities /home/matthias/vcs/git/xonotic/netradiant/tools/quake3/q3map2/bspfile_abstract.c:578:10
#3 0x6cae73 in LightMain /home/matthias/vcs/git/xonotic/netradiant/tools/quake3/q3map2/light.c:2971:2
#4 0x75ab29 in main /home/matthias/vcs/git/xonotic/netradiant/tools/quake3/q3map2/main.c:230:7
#5 0x7f904e11a400 in __libc_start_main /usr/src/debug/glibc-2.24-33-ge9e69e4/csu/../csu/libc-start.c:289
#6 0x41cc79 in _start (/home/matthias/vcs/git/xonotic/netradiant/install/q3map2.x86_64+0x41cc79)
0x63200004692b is located 0 bytes to the right of 90411-byte region [0x632000030800,0x63200004692b)
allocated by thread T0 here:
#0 0x4c394e in realloc /home/matthias/LLVM/LLVM_4_0/stage_2/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:79:3
#1 0x57abfd in CopyLump_Allocate /home/matthias/vcs/git/xonotic/netradiant/tools/quake3/q3map2/bspfile_abstract.c:331:10
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/matthias/vcs/git/xonotic/netradiant/tools/quake3/common/scriplib.c:199:10 in GetToken
==10527==ABORTING
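Added example (not netradiant's code) of the invariant the trace points at: the entity lump is heap-allocated to its exact size by CopyLump_Allocate, so a scanner in GetToken's position has nothing to stop on but end_p and must test the bound before every dereference. That the one-byte overread comes from testing the byte first and the bound second is an assumption drawn from the "located 0 bytes to the right" line, not something the report states; the lump content is constructed.

```c
#include <stdlib.h>
#include <string.h>
/* Constructed example, not netradiant code. The lump lives in a heap buffer of
 * exactly lump-size bytes (CopyLump_Allocate in the trace: 90411 bytes), so
 * there is no NUL terminator: every read is guarded by end_p first. */
typedef struct {
    const char *script_p;   /* current position */
    const char *end_p;      /* one past the last valid byte */
} script_t;

/* Skip whitespace; returns 0 once the lump is exhausted. Testing
 * *script_p <= 32 first and end_p second would read one byte past the
 * region, the "0 bytes to the right of ... region" read ASan reports above. */
static int skip_whitespace(script_t *s) {
    while (s->script_p < s->end_p && (unsigned char)*s->script_p <= 32)
        s->script_p++;
    return s->script_p < s->end_p;
}

/* Copy the next token (quoted string or bare word) into out, NUL-terminated.
 * Returns its length, or -1 at end of lump; an unterminated quoted token
 * stops at end_p instead of scanning on. */
static int get_token(script_t *s, char *out, size_t outlen) {
    size_t n = 0;
    if (!skip_whitespace(s)) return -1;
    int quoted = (*s->script_p == '"'); s->script_p += quoted;
    while (s->script_p < s->end_p && *s->script_p != '"' &&
           (quoted || (unsigned char)*s->script_p > 32)) {
        if (n + 1 < outlen) out[n++] = *s->script_p;
        s->script_p++;
    }
    if (quoted && s->script_p < s->end_p) s->script_p++;  /* closing quote */
    out[n] = '\0';
    return (int)n;
}

/* Tokenise a constructed lump in an exact-size heap buffer whose last byte
 * is '}' right at end_p; returns the token count (4 here). */
int count_lump_tokens(void) {
    static const char sample[] = "{\n\"classname\" \"worldspawn\"\n}";
    size_t len = sizeof(sample) - 1;     /* drop the literal's own NUL */
    char *lump = malloc(len); memcpy(lump, sample, len);  /* no terminator */
    script_t s = { lump, lump + len };
    char tok[64]; int count = 0;
    while (get_token(&s, tok, sizeof tok) >= 0) count++;
    free(lump);
    return count;
}
```

Running this under ASan with the lump sized exactly as above is the same check the report performs; the scan stops at end_p without touching the redzone.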