Ticket #42499

savegame3.c: Multiresearch load memory corruption

Opened: 2021-06-09 18:24 Last updated: 2022-01-19 04:05

Priority: 5 - medium
sg_load_researches() has a multiresearch-related block, where it

1) first allocates memory for an int vector, but then immediately overwrites the pointer to that memory with the result of secfile_lookup_int_vec()

2) later calls free() using that pointer. Results of secfile_lookup_...() should never be freed individually (they get freed when the entire secfile is destroyed). The originally allocated memory (to which no pointer remains) never gets freed.

2021-06-09 18:24 Updated by: cazfi
2021-06-09 18:54 Updated by: cazfi

Also, it does not respect technology.order but assumes that ruleset has been unchanged since the game was saved.
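The ownership and ordering problems described above, as an added illustration that is not freeciv's own code: a constructed stand-in for the registry hands out a vector it owns, the buggy shape from the ticket is kept only as a comment, and the corrected loader copies into caller-owned memory while mapping each saved index through technology.order (rule names in savegame order) to the current ruleset, skipping out-of-range or unknown techs. All names (secfile, load_researched, the sample tech names) are hypothetical.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for the registry: the secfile owns the vector it
 * returns and releases it when the whole secfile is destroyed. */
typedef struct { int *researched; size_t dim; } secfile;

static int *secfile_lookup_int_vec(secfile *sf, size_t *dim) {
  *dim = sf->dim;
  return sf->researched;           /* borrowed from sf, never free() it */
}

/* Buggy shape from the ticket, kept as a comment only: the first block is
 * leaked and registry-owned memory is passed to free().
 *   int *v = fc_calloc(n, sizeof(int));
 *   v = secfile_lookup_int_vec(file, &n, ...);
 *   ...
 *   free(v);
 */

/* Fixed loader: translate each saved index through saved_order (the
 * technology.order names) into an index of the current ruleset.  Indices
 * past the end of saved_order and techs missing from the ruleset are
 * dropped.  Writes into caller-owned out[] and returns the count. */
static int load_researched(secfile *sf,
                           const char *const *saved_order, size_t saved_n,
                           const char *const *ruleset, size_t ruleset_n,
                           int *out, size_t out_cap) {
  size_t dim;
  const int *v = secfile_lookup_int_vec(sf, &dim);
  int count = 0;
  for (size_t i = 0; i < dim && (size_t)count < out_cap; i++) {
    if (v[i] < 0 || (size_t)v[i] >= saved_n) continue;   /* out of range */
    const char *name = saved_order[v[i]];
    for (size_t t = 0; t < ruleset_n; t++) {
      if (strcmp(ruleset[t], name) == 0) { out[count++] = (int)t; break; }
    }
  }
  return count;   /* v still belongs to sf; nothing to free here */
}
```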

2021-06-09 23:10 Updated by: cazfi
2021-06-18 15:07 Updated by: cazfi
2022-01-19 04:05 Updated by: None

Well, we finally found what was causing all our segfaults and it wasn't WYSIWYG's fault like we thought. It was this.

Things to notice: #4. tech=219 ? The ruleset has 92 techs, 127 less than 219.

Core was generated by `/home/freeciv/freeciv/bin/freeciv-web --debug 1 --port 6023 --Announce none --e'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  strlen_avx2 () at ../sysdeps/x86_64/multiarch/strlen-avx2.S:65
65	../sysdeps/x86_64/multiarch/strlen-avx2.S: No such file or directory.
#0  strlen_avx2 () at ../sysdeps/x86_64/multiarch/strlen-avx2.S:65
#1  0x0000557e54882329 in real_fc_strdup (str=str@entry=0x40 <error: Cannot access memory at address 0x40>, called_as=called_as@entry=0x557e548e4bbe "strdup", line=line@entry=3127, file=file@entry=0x557e54952ff8 "../../freeciv/utility/registry_ini.c") at ../../freeciv/utility/mem.c:149
#2  0x0000557e5488a301 in section_entry_str_new (escaped=255, value=<optimized out>, name=<optimized out>, psection=0x557e5861dd50) at ../../freeciv/utility/registry_ini.c:3127
#3  secfile_insert_str_full (secfile=secfile@entry=0x557e573e6d60, str=<optimized out>, comment=comment@entry=0x0, allow_replace=allow_replace@entry=false, no_escape=no_escape@entry=false, stype=stype@entry=EST_NORMAL, path=0x7ffcf3977fa0 "research.r%d.saved_name") at ../../freeciv/utility/registry_ini.c:1266
#4  0x0000557e54749eb1 in technology_save (tech=219, plrno=0, path=0x557e5491d713 "research.r%d.saved", file=0x557e573e6d60) at ../../../freeciv/server/savegame/savegame3.c:1325
#5  sg_save_researches (saving=<optimized out>, saving=<optimized out>) at ../../../freeciv/server/savegame/savegame3.c:7271
#6  savegame3_save_real (file=<optimized out>, save_reason=save_reason@entry=0x557e548e5762 "Timer", scenario=<optimized out>) at ../../../freeciv/server/savegame/savegame3.c:596
#7  0x0000557e5474c05d in savegame3_save (sfile=<optimized out>, save_reason=save_reason@entry=0x557e548e5762 "Timer", scenario=scenario@entry=false) at ../../../freeciv/server/savegame/savegame3.c:426
#8  0x0000557e5467e91b in savegame_save (scenario=false, save_reason=0x557e548e5762 "Timer", sfile=<optimized out>) at ../../../freeciv/server/savegame/savemain.c:99
#9  save_game (orig_filename=orig_filename@entry=0x7ffcf3978620 "freeciv-timer", save_reason=save_reason@entry=0x557e548e5762 "Timer", scenario=scenario@entry=false) at ../../../freeciv/server/savegame/savemain.c:192
#10 0x0000557e54635dcf in save_game_auto (save_reason=save_reason@entry=0x557e548e5762 "Timer", type=type@entry=AS_TIMER) at ../../freeciv/server/srv_main.c:1846
#11 0x0000557e54636d46 in save_game_auto (save_reason=save_reason@entry=0x557e548e5762 "Timer", type=type@entry=AS_TIMER) at ../../freeciv/server/srv_main.c:1816
#12 0x0000557e5470abed in server_sniff_all_input () at ../../freeciv/server/sernet.c:721
#13 0x0000557e5463a785 in srv_running () at ../../freeciv/server/srv_main.c:3015
#14 srv_main () at ../../freeciv/server/srv_main.c:3631
#15 0x0000557e5462ec9d in main (argc=22, argv=0x7ffcf39793f8) at ../../freeciv/server/civserver.c:481


