[rlgl] Undefined behavior in rlLoadTexture when applying a zero offset to a null pointer #3246

Closed
4 tasks done
ashn-dot-dev opened this issue Aug 16, 2023 · 7 comments

Comments

@ashn-dot-dev
Contributor

ashn-dot-dev commented Aug 16, 2023

Please, before submitting a new issue verify and check:

  • I tested it on latest raylib version from master branch
  • I checked there is no similar issue already reported
  • I checked the documentation on the wiki
  • My code has no errors or misuse of raylib
    • Can be replicated using an in-tree example program.

Issue description

The function rlLoadTexture contains the call glTexImage2D(GL_TEXTURE_2D, i, glInternalFormat, mipWidth, mipHeight, 0, glFormat, glType, (unsigned char *)data + mipOffset) here. When data is NULL, the expression (unsigned char *)data + mipOffset will resolve to NULL + 0 in the first iteration of the mipmap load loop.

Environment

Discovered on commit a86c93e using a PLATFORM_DESKTOP build for Linux via Windows Subsystem for Linux with CUSTOM_CFLAGS='-fsanitize=address,undefined'.

OpenGL information:

INFO: GL: OpenGL device information:
INFO:     > Vendor:   Microsoft Corporation
INFO:     > Renderer: D3D12 (NVIDIA GeForce RTX 3070 Ti)
INFO:     > Version:  4.2 (Core Profile) Mesa 23.0.4-0ubuntu1~22.04.1
INFO:     > GLSL:     4.20

Issue Screenshot

N/A

Code Example

The UBSan error will trigger on the in-tree example examples/shapes/shapes_top_down_lights.c on commit a86c93e without modification.

$ (cd /path/to/raylib/src/ && make clean all CC=clang CUSTOM_CFLAGS='-fsanitize=address,undefined' && sudo make install)
$ (cd /path/to/raylib/examples/ && make clean shapes/shapes_top_down_lights)
$ /path/to/raylib/examples/shapes/shapes_top_down_lights 2>&1 | grep 'runtime error'
rlgl.h:3014:175: runtime error: applying zero offset to null pointer
@ashn-dot-dev
Contributor Author

Note that the call to glCompressedTexImage2D just below the offending line here performs the same calculation.

@raysan5
Owner

raysan5 commented Aug 17, 2023

@ashn-dot-dev In raylib it is up to the user to validate the provided data; in many functions there is no data validation. Due to the undefined-behaviour nature of this case, I just sent a small review with a security check.

@ashn-dot-dev
Contributor Author

@raysan5 Thanks for the review.

Looking into this bug a bit more this morning, I was able to reproduce the UB via UBSan with the minimal example provided below:

#include <raylib.h>

int main(void)
{
    InitWindow(800, 600, "test");

    // LoadRenderTexture creates its colour buffer with NULL pixel data,
    // so rlLoadTexture is reached with data == NULL and trips UBSan
    RenderTexture texture = LoadRenderTexture(GetScreenWidth(), GetScreenHeight());
    UnloadRenderTexture(texture);

    CloseWindow();
    return 0;
}

So RE your comment about data validation:

In raylib it is up to the user to validate the provided data; in many functions there is no data validation.

I think this might have been a specific case where additional user validation would not have helped. This information is not particularly relevant now that there is the fix provided by e4dcbd5, but I thought it was worth noting for anyone looking at this issue in the future.

@Not-Nik
Contributor

Not-Nik commented Aug 19, 2023

This is a regression and breaks LoadRenderTexture because it calls the function with NULL.

@raysan5
Owner

raysan5 commented Aug 19, 2023

@Not-Nik Good catch, reverting this change.

raysan5 added a commit that referenced this issue Aug 19, 2023
This reverts commit e4dcbd5.
@Not-Nik
Contributor

Not-Nik commented Aug 19, 2023

The correct way to fix this would be to check if the pointer is NULL and then don't do any arithmetic on it/mip-mapping for that texture.

If that's too ugly you can avoid undefined behaviour by first casting the data pointer to an integer (uintptr_t), then adding the offset and casting it back. This is well-defined on the raylib side, because we're not accessing the resulting pointer, but may cause undefined behaviour on the OpenGL side, because such integer additions aren't guaranteed to end up pointing to an element in the array. However, this is a risk we run either way, in case the pixel data isn't actually encoded as an unsigned char array. Even an array of Colors might not work when the compiler adds padding to the struct.

I, personally, prefer the latter option.
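
The NULL + 0 expression from the issue description beside the two fixes proposed in the comment above, as an added example (not raylib's code). The mip-level bookkeeping and the 4-byte pixel size are simplifying assumptions; rlgl derives the byte size from the texture format.

```c
#include <stddef.h>
#include <stdint.h>

/* Added example, not raylib code. Byte size per pixel is a constructed
   constant; rlgl derives it from the texture format instead. */
#define BYTES_PER_PIXEL 4

/* Byte offset of mip level 'level', following the halving loop in
   rlLoadTexture: each level is width*height*BYTES_PER_PIXEL bytes. */
static size_t MipOffset(int width, int height, int level)
{
    size_t offset = 0;
    for (int i = 0; i < level; i++)
    {
        offset += (size_t)width*(size_t)height*BYTES_PER_PIXEL;
        width = (width > 1) ? width/2 : 1;
        height = (height > 1) ? height/2 : 1;
    }
    return offset;
}

/* The expression the issue reports. With data == NULL this evaluates
   NULL + 0 on the first iteration, which C leaves undefined and UBSan
   flags as "applying zero offset to null pointer". Only call it with
   non-NULL data. */
static const void *MipPointerUnchecked(const void *data, size_t mipOffset)
{
    return (const unsigned char *)data + mipOffset;
}

/* Option 1 from the thread: no arithmetic at all on a NULL pointer.
   glTexImage2D accepts NULL (allocate storage, upload nothing), so every
   mip level of a NULL upload just passes NULL through. */
static const void *MipPointerChecked(const void *data, size_t mipOffset)
{
    if (data == NULL) return NULL;
    return (const unsigned char *)data + mipOffset;
}

/* Option 2 from the thread: add on uintptr_t, where it is plain integer
   arithmetic, then convert back. Well defined as long as the result is
   not dereferenced here. */
static const void *MipPointerIntegerMath(const void *data, size_t mipOffset)
{
    return (const void *)((uintptr_t)data + (uintptr_t)mipOffset);
}
```

Building with `-fsanitize=undefined` and calling MipPointerUnchecked(NULL, 0) reproduces the report from the issue; the two alternatives stay silent.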

@raysan5
Owner

raysan5 commented Aug 20, 2023

@Not-Nik Afaik, this issue has never translated into a real problem, so I prefer to keep it as it is for now. Maybe adding a comment explaining that could be enough, just in case someone really finds this problem in the future.

raysan5 added a commit that referenced this issue Sep 17, 2023
* Prettified a comment

* fixed broken indentation caused by another commit.
the commit renamed a bool to int and broke indentation: 233cf39

* Changed 0.001 and 0.00001 to EPSILON
This commit is untested.
I don't know what consequences this has.
Since the commits that added these numbers were before epsilon was added,
I have assumed that epsilon could replace them.

* Prettied up indentation in a few places

* removed spacing around *, standardizing it.

* I may have gotten overboard with indentation

* removed a few useless parenthesis

* Added fortran-raylib

* Fix examples/others/rlgl_standalone.c compilation issue (#3242)

* Update BINDINGS.md

* Ignore unused return value of GetCodepointNext in GetCodepointCount (#3241)

* Ignore unused return value of GetCodepointNext in GetCodepointCount

Removes the last warning from non-external libraries when compiling with
the default build configuration on x64 Linux.

* Remove unnecessary void cast in GetCodepointCount

* Fix #3246

* Revert "Fix #3246"

This reverts commit e4dcbd5.

* Fix text_unicode.c example crashing (#3250)

* Fix text_unicode.c example crashing

* Adjust the text_unicode.c example crashing fix

* tweaks

* add build.zig options for individual modules (#3254)

* Add `IsKeyPressedRepeat` (desktop only) (#3245)

Since the key pressed are handle by comparing current vs previous
state (ie frame), a special way is needed to handle key repeats.

* Reviewed `IsKeyPressedRepeat()` #3248

* Update rcore.c (#3255)

* Match CMakeOptions.txt options default values (#3258)

* Fix SetClipboardText for web (#3257)

* [Image] Validate that ImageDrawRectangleRec is drawing entirely inside the image (#3264)

* Add a function to clone a sound and share data with another sound.

* rename items based on feedback

* PR Feedback, use custom unload for sound alias, not variant of normal sound unloading

* sound_multi example

* Validate that image rect drawing is inside the image so we don't overflow a buffer

* remove files that should not have been added.

* remove changes that should not have been

* revert

* adsfasdfsdfsdf

* Add Vector3 Projecting and Rejection to Raymath (#3263)

* Update raymath.h

* formatting

* [Feature] IsKey... safety checks and more (#3256)

* [Feature] Add GetKeyRepeat

* Update rcore.c

* Simpler design, only one repeat per frame

* Update config.h

* Update rcore.c

* Add KEYBOARD_KEYS_MASK

* Update config.h

* reversions

* Update rcore.c

* Update rcore.c

* change docs

* Update rcore.c

* Update rcore.c

* Update rcore.c

* Update rcore.c

* Update rcore.c

* Update raylib.h

* Update rcore.c

* Update rcore.c

* Update rcore.c

* Update rcore.c

* Update rcore.c

* Update rcore.c

* Update rcore.c

* Update rcore.c

* Fix bug where default shaders was not linking. (#3261)

* Formating review

* Add missing cmake options (#3267)

* Fix CMake extraneous -lglfw (#3266)

Closes #3265.

The problem: LIBS_PRIVATE is a list of library names (used by pkg-config), but the shared library of the same name doesn't always exist.

* Fix example/models/models_loading_gltf.c controls (#3268)

* Fix example/models/models_loading_m3d.c controls (#3269)

* Remove e from secondes (#3270)

* Fix example/audio/audio_module_player.c help instructions and small bug (#3272)

* Fix example/audio/audio_module_player.c help instructions and small bug

* Update example/audio/audio_module_player.png screenshot

* Use type name instead of valid specifier

long long --> long long int

* REVIEWED: `GetFileLength()`, added comment #3262

* Update examples/models/models_loading_gltf.png;m3d.png screenshots (#3273)

* Remove a duplicated screenshot and add missing one (#3275)

* Add examples/shaders/shaders_lightmap.c to Makefiles (#3276)

* Fix examples/others/easings_testbed.c help instructions and small tweak (#3277)

* Fix examples/shaders/shaders_texture_outline.c help instructions (#3278)

* Fix examples/shapes/shapes_collision_area.c help instructions (#3279)

* RENAMED: LoadFont*() parameter names for consistency and coherence

* Fix uninitialized thread-locals in stbi #3282 (#3283)

* REVIEWED: Added `SetTextLineSpacing()` to multiline examples

* REVIEWED: Data size type consistency between functions #3168

* Some tweaks

* Use internal default allocators, instead of user-exposed ones

* Added rudimentary SVG support. (#2738)

* Added rudimentary SVG support. Added 2 functions ImageLoadSvg and ImageLoadSvgWithSize.

* Added an example on how to use ImageLoadSvgWithSize and adjusted Makefiles accordingly.

* Added actual correct example file.

* Reviewed the code to keep the raylib coding conventions in mind.
Moved the LoadImageSvg() code into LoadImage() guarded by SUPPORT_FILEFORMAT_SVG.
Renamed LoadImageSvgWithSize() to LoadImageSvg().
Added a LoadImageSvgFromString() function to parse the loaded SVG into an actual image. This does the bulk of the work.

* Fixed typo.

---------

Co-authored-by: Ray <raysan5@gmail.com>

* REVIEWED: `LoadImageSvg()`

* REVIEWED: `LoadImageSvg()`

* Add SUPPORT_FILEFORMAT_SVG to cmake (#3284)

* Fix examples/textures/textures_fog_of_war.c help instructions (#3285)

* Fix examples/textures/textures_image_rotate.c help instructions (#3286)

* Update rtextures.c

* Fix #3247

* Update config.h

* Fix #3293

* Disable UBSAN in zig builds. (#3292)

Zig debug builds automatically enable ubsan.
As the fix for #1891 had to be reverted, debug builds using zig will crash like so:

```
Illegal instruction at address 0x3237d2
raylib/src/rlgl.h:3690:91: 0x3237d2 in rlDrawVertexArrayElements (/home/rcorre/src/raylib-zig-template/raylib/src/rcore.c)
    glDrawElements(GL_TRIANGLES, count, GL_UNSIGNED_SHORT, (const unsigned short *)buffer + offset);
```

This disables UBSAN when using zig to build raylib.

* Update README.md (#3290)

specially -> especially

* Update cmake SUPPORT_FILEFORMAT_SVG default value (#3291)

* Mouse offset and scaling must be considered also on web!

* Update rcore.c

* Update Makefile : clean raygui.c & physac.c (#3296)

* Remove PLATFORM_RPI (#3232)

* Remove PLATFORM_RPI

* remove build artifacts

---------

Co-authored-by: MichaelFiber <michael@cubeofb.org>
Co-authored-by: Ray <raysan5@gmail.com>

* Review to avoid UBSAN complaining #1891

* added raylib-raku to bindings (#3299)

* examples: core: adds 2D camera two player split screen (#3298)

* Reviewed examples for consistency

* Update rtext.c

* Some code restructuring for input functions, consistency review

* Remove unneeded #if (#3301)

Co-authored-by: MichaelFiber <michael@cubeofb.org>

* Revert "Disable UBSAN in zig builds. (#3292)" (#3303)

This reverts commit a316f9e.

Issue #1891 was fixed again, so this is no longer needed.

* rtextures: Fix ImageDraw() source clipping when drawing beyond top left (#3306)

* REVIEWED: `TextToPascal()` issue when first char is uppercase

* Implement FLAG_WINDOW_RESIZABLE for web (#3305)

Fixes #3231

* Update BINDINGS.md (#3307)

Fix Kaylib binding. Reroute to a new repository.
Binding renamed.

* Update webassembly.yml

* Add claw-raylib to BINDINGS.md (#3310)

* Add SetWindowMaxSize for desktop and web (#3309)

* Add SetWindowMaxSize for desktop and web

* Remove SizeInt and respective adjustments

* Update rtextures.c

* Reviewed parameters for consistency

* Rename windowM* to screenM* (#3312)

* Update BINDINGS.md (#3317)

Update TurboRaylib bindings

* Update rmodels.c

* Update BINDINGS.md with vaiorabbit/raylib-bindings (#3318)

* fixed spelling mistake

* put back parenthesis

* reverted major alignment changes

* reverted parser output changes

* reverted one more indentation change
