Duke3D: crash at A_DamageWall_Internal
Steps to reproduce:
- Load attached save file.
- Shoot at the crack on the wall.
- Crash happens every time the wall explodes.
Logs:
0,2772s INFO| EDuke32 r10364-c257d5a65
0,2773s INFO| Built Aug 27 2023 10:43:54, clang 14.0.0 , 64-bit
...
source/duke3d/src/sector.cpp:1567:10: runtime error: index -1 out of bounds for type 'tiledata_t[30720]'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior source/duke3d/src/sector.cpp:1567:10 in
=================================================================
==426411==ERROR: AddressSanitizer: global-buffer-overflow on address 0x5555580a34b8 at pc 0x5555563fc059 bp 0x7fffffffcef0 sp 0x7fffffffcee8
READ of size 4 at 0x5555580a34b8 thread T0
[Detaching after fork from child process 426947]
#0 0x5555563fc058 in A_DamageWall_Internal eduke32/source/duke3d/src/sector.cpp:1567:36
#1 0x555555f631f3 in A_RadiusDamage eduke32/source/duke3d/src/actors.cpp:386:25
#2 0x555556056bfc in G_MoveStandables() eduke32/source/duke3d/src/actors.cpp:2500:25
#3 0x555555f912a0 in G_MoveWorld eduke32/source/duke3d/src/actors.cpp:9346:9
#4 0x555556144e71 in G_DoMoveThings eduke32/source/duke3d/src/game.cpp:7343:9
#5 0x55555613eec5 in app_main eduke32/source/duke3d/src/game.cpp:7128:25
#6 0x5555569a9dc1 in main eduke32/source/build/src/sdlayer.cpp:568:19
#7 0x7ffff7460d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#8 0x7ffff7460e3f in __libc_start_main csu/../csu/libc-start.c:392:3
#9 0x555555e9a4a4 in _start ( eduke32/eduke32+0x9464a4) (BuildId: 340a921f9d3d660d)
0x5555580a34b8 is located 8 bytes to the left of global variable 'g_tile' defined in 'source/duke3d/src/global.h:73:21' (0x5555580a34c0) of size 1228800
0x5555580a34b8 is located 61432 bytes to the right of global variable 'g_tileLabels' defined in 'source/duke3d/src/global.h:72:16' (0x5555580584c0) of size 245760
SUMMARY: AddressSanitizer: global-buffer-overflow eduke32/source/duke3d/src/sector.cpp:1567:36 in A_DamageWall_Internal
Shadow bytes around the buggy address:
0x0aab2b00c640: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
0x0aab2b00c650: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
0x0aab2b00c660: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
0x0aab2b00c670: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
0x0aab2b00c680: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
=>0x0aab2b00c690: f9 f9 f9 f9 f9 f9 f9[f9]00 00 00 00 00 00 00 00
0x0aab2b00c6a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0aab2b00c6b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0aab2b00c6c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0aab2b00c6d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0aab2b00c6e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==426411==ABORTING
Sorry if I'm being annoying with all the issues.
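The report above pins the read down fairly precisely on its own: ASan gives 'g_tile' as 1228800 bytes for a 'tiledata_t[30720]', so one entry is 40 bytes, and the faulting address is 8 bytes before the start of the array, which is a 4-byte read at offset 32 inside element -1. The C program below is an added example (not EDuke32 code) that shows the two things a practitioner wants here: a bounds-checked tile lookup that rejects a negative or out-of-range index before touching the global table, and a small triage helper that turns the addresses in an ASan global-buffer-overflow report back into an element index and in-element offset. The `tiledata_t` field layout, the `tile_get` and `locate_fault` names, and the sample addresses copied from the report are assumptions for illustration only.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for the tile table. The report says 'g_tile' is
 * 1228800 bytes for 30720 entries, i.e. 40 bytes per entry; the field
 * layout below is an assumption, not the real tiledata_t. */
#define MAXTILES 30720
typedef struct { int32_t field[10]; } tiledata_t;   /* 40 bytes */
static tiledata_t g_tile[MAXTILES];

/* The unchecked shape of access that produces a report like the one above.
 * With picnum == -1 this reads 40 bytes before g_tile, i.e. the preceding
 * global (or ASan's redzone). Not called with -1 here; shown for contrast. */
static int32_t tile_field_unchecked(int32_t picnum, int field)
{
    return g_tile[picnum].field[field];
}

/* Hardened lookup: reject any picnum outside [0, MAXTILES) before the
 * array is touched. Returning NULL lets the caller skip the wall instead
 * of reading garbage or crashing. */
static const tiledata_t *tile_get(int32_t picnum)
{
    if (picnum < 0 || picnum >= MAXTILES)
        return NULL;
    return &g_tile[picnum];
}

/* Triage helper: map a faulting address back to (element index, byte
 * offset inside that element). Floor division is used so an address just
 * before the array comes out as index -1 with a positive offset, matching
 * how UBSan reports it. Returns 1 on success, 0 for a zero element size. */
static int locate_fault(uintptr_t base, size_t elem_size, uintptr_t fault,
                        ptrdiff_t *idx, size_t *off)
{
    if (elem_size == 0)
        return 0;
    ptrdiff_t delta = (ptrdiff_t)((intptr_t)fault - (intptr_t)base);
    ptrdiff_t es    = (ptrdiff_t)elem_size;
    ptrdiff_t q     = delta / es;   /* C truncates toward zero... */
    ptrdiff_t r     = delta % es;
    if (r < 0) {                    /* ...so fix up to floor semantics */
        r += es;
        q -= 1;
    }
    *idx = q;
    *off = (size_t)r;
    return 1;
}

int main(void)
{
    /* Addresses copied from the report: g_tile base and the faulting read. */
    ptrdiff_t idx;
    size_t off;
    if (locate_fault(0x5555580a34c0ULL, sizeof(tiledata_t),
                     0x5555580a34b8ULL, &idx, &off))
        printf("fault is g_tile[%td] at byte offset %zu\n", idx, off);

    /* Checked lookup: -1 is refused, a valid index is served. */
    printf("tile_get(-1) -> %s\n", tile_get(-1) ? "ptr" : "NULL");
    printf("tile_get(0)  -> %s\n", tile_get(0)  ? "ptr" : "NULL");
    printf("field 0 of tile 0 = %d\n", tile_field_unchecked(0, 0));
    return 0;
}
```

The checked accessor is the fix shape; where a wall or sprite legitimately carries a "no tile" sentinel, the caller should treat NULL as "nothing to damage" rather than clamping the index to 0, which would silently hit the wrong tile.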