yakkety ioquake3 SEGV in variable handling code

Bug #1653007 reported by Chad Miller
This bug affects 2 people
Affects: ioquake3 (Ubuntu)
Status: Confirmed
Importance: Undecided
Assigned to: Unassigned
Milestone: none

Bug Description

Problem exists in 1.36+u20160616+dfsg1-1

It does not exist in 1.36+u20160122+dfsg1-1

It's not specific to the sv_fps variable. Others will cause it too. sv_fps is merely a very early one to cause a crash.

It's a pointer to a structure. It goes from

value NULL,
to 0x5555561a1518
to 0x555500000015
to 0xffffffff00000015
to 0x100000015
and then crashes on deref later.

(gdb) watch sv_fps
Hardware watchpoint 1: sv_fps
(gdb) r
Starting program: ioquake3-1.36+u20160616+dfsg1/debian/ioquake3/usr/lib/ioquake3/ioquake3 ioquake3 +set com_basegame baseoa +set fs_basepath /usr/lib/openarena +set com_homepath .openarena +set com_legacyprotocol 71 +set com_protocol 71 +set sv_master1 dpmaster.deathmask.net +set cl_motd 0

Hardware watchpoint 1: sv_fps

Old value = (cvar_t *) 0x0
New value = (cvar_t *) 0x5555561a1518 <cvar_indexes+2520>
SV_Init () at code/server/sv_init.c:673
673 sv_timeout = Cvar_Get ("sv_timeout", "200", CVAR_TEMP );
(gdb) disp sv_fps
1: sv_fps = (cvar_t *) 0x5555561a1518 <cvar_indexes+2520>
(gdb) c
Continuing.
Loading DLL file /usr/lib/openarena/baseoa/pak6-patch088/qagamex86_64.so instead.
Loading DLL file: /usr/lib/openarena/baseoa/pak6-patch088/qagamex86_64.so
Sys_LoadGameDll(/usr/lib/openarena/baseoa/pak6-patch088/qagamex86_64.so) found vmMain function at 0x7fffdce92314
------- Game Initialization -------
gamename: baseoa
gamedate: Jun 27 2016
tty]
Thread 1 "ioquake3" hit Hardware watchpoint 1: sv_fps

Old value = (cvar_t *) 0x5555561a1518 <cvar_indexes+2520>
New value = (cvar_t *) 0x555500000015
Cvar_Register (vmCvar=0x555555d34a68 <sv_fps>, varName=0x7fffdcf12242 "sv_fps", defaultValue=0x7fffdcf12303 "20", flags=9) at code/qcommon/cvar.c:1346
1346 vmCvar->modificationCount = -1;
1: sv_fps = (cvar_t *) 0x555500000015
(gdb) n

Thread 1 "ioquake3" hit Hardware watchpoint 1: sv_fps

Old value = (cvar_t *) 0x555500000015
New value = (cvar_t *) 0xffffffff00000015
Cvar_Register (vmCvar=0x555555d34a68 <sv_fps>, varName=0x7fffdcf12242 "sv_fps", defaultValue=0x7fffdcf12303 "20", flags=9) at code/qcommon/cvar.c:1347
1347 Cvar_Update( vmCvar );
1: sv_fps = (cvar_t *) 0xffffffff00000015
(gdb) n

Thread 1 "ioquake3" hit Hardware watchpoint 1: sv_fps

Old value = (cvar_t *) 0xffffffff00000015
New value = (cvar_t *) 0x100000015
Cvar_Update (vmCvar=0x555555d34a68 <sv_fps>) at code/qcommon/cvar.c:1375
1375 if ( strlen(cv->string)+1 > MAX_CVAR_VALUE_STRING )
1: sv_fps = (cvar_t *) 0x100000015
(gdb) c
Continuing.

Thread 1 "ioquake3" received signal SIGSEGV, Segmentation fault.
0x00005555555d23ce in SV_Frame (msec=11) at code/server/sv_main.c:1082
1082 if ( sv_fps->integer < 1 ) {
1: sv_fps = (cvar_t *) 0x100000015
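As an added example (not code from the bug report or from ioquake3), the C program below checks whether the three intermediate values the watchpoint caught are what you get when Cvar_Register and Cvar_Update store vmCvar_t fields through the engine's 8-byte sv_fps pointer slot. That is what the trace points at: the vmCvar argument is 0x555555d34a68 <sv_fps>, the engine's own symbol, not a game-module structure. The example assumes the vmCvar_t field order from ioquake3's q_shared.h (handle, modificationCount, value, integer, string) and a little-endian x86_64 host; the handle 0x15 and the post-update modification count of 1 are read off the trace, and the replay and decode helpers are hypothetical names of mine. Why the module's register call ends up with that address is not established on this page.

```c
/* Added example: replay the field stores from the gdb trace against an
 * 8-byte pointer slot and decode the resulting "pointer" values.
 * Assumption: vmCvar_t field order as in ioquake3's q_shared.h and a
 * little-endian x86_64 host (the 0x5555... addresses in the trace). */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_CVAR_VALUE_STRING 256   /* ioquake3 constant (assumed value) */

/* Layout of ioquake3's vmCvar_t as assumed here. Only the first two ints
 * overlap an 8-byte pointer; the rest spills into whatever follows. */
typedef struct {
    int   handle;
    int   modificationCount;
    float value;
    int   integer;
    char  string[MAX_CVAR_VALUE_STRING];
} vmCvar_t;

/* Overlay (hypothetical helper): the same bytes viewed as the vmCvar_t the
 * game module passed and as the raw memory holding the engine's pointer. */
typedef union {
    vmCvar_t vm;
    uint8_t  bytes[sizeof(vmCvar_t)];
} overlay_t;

static uint64_t read_pointer_slot(const overlay_t *o) {
    uint64_t p;
    memcpy(&p, o->bytes, sizeof p);   /* first 8 bytes = cvar_t *sv_fps */
    return p;
}

/* Replays the three stores the trace shows, in order:
 *   cvar.c: vmCvar->handle = index           (watchpoint stops at :1346)
 *   cvar.c:1346 vmCvar->modificationCount = -1 (stops at :1347)
 *   Cvar_Update: vmCvar->modificationCount = cv->modificationCount (:1375)
 * Returns the pointer-slot value after store `step` (0, 1 or 2). */
uint64_t observed_after_store(uint64_t initial_ptr, int handle,
                              int modcount_after_update, int step) {
    overlay_t o;
    uint64_t seen[3];
    memset(&o, 0, sizeof o);
    memcpy(o.bytes, &initial_ptr, sizeof initial_ptr);

    o.vm.handle = handle;                        seen[0] = read_pointer_slot(&o);
    o.vm.modificationCount = -1;                 seen[1] = read_pointer_slot(&o);
    o.vm.modificationCount = modcount_after_update;
    seen[2] = read_pointer_slot(&o);
    return (step >= 0 && step < 3) ? seen[step] : 0;
}

/* Decode a clobbered pointer value back into the two ints that overwrote it. */
int decode_handle(uint64_t clobbered_ptr) {
    return (int)(uint32_t)(clobbered_ptr & 0xffffffffu);   /* low dword */
}
int decode_modcount(uint64_t clobbered_ptr) {
    return (int)(uint32_t)(clobbered_ptr >> 32);           /* high dword */
}

int main(void) {
    const uint64_t initial = 0x5555561a1518ULL;  /* value from the trace */
    for (int step = 0; step < 3; step++) {
        uint64_t v = observed_after_store(initial, 0x15, 1, step);
        printf("after store %d: sv_fps = 0x%llx (handle=%d, modificationCount=%d)\n",
               step, (unsigned long long)v, decode_handle(v), decode_modcount(v));
    }
    return 0;
}
```

Only handle and modificationCount fit inside the pointer; value, integer and the 256-byte string land on whatever the linker placed after sv_fps, so a watchpoint on the neighbouring globals would catch the same register call. Splitting an implausible pointer into its two 32-bit halves, as decode_handle and decode_modcount do, is a quick way to recognise a struct-over-pointer clobber in a core dump before the dereference at sv_main.c:1082 faults.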

Chad Miller (cmiller)
Changed in ioquake3 (Ubuntu):
status: New → Confirmed