Random core crash

[FlorinMarian 122]

Hi, guys!

I've studied C++ last year at informatics but I can't say that it was love at first seen.

If anyone can see where's the nullptr which causes this, i'll be very glad to give thank him.

[New LWP 100559]
Core was generated by `./srv1-ch1-core1'.
Program terminated with signal SIGABRT, Aborted.
#0  thr_kill () at thr_kill.S:3
3       thr_kill.S: No such file or directory.
[Current thread is 1 (LWP 100121)]
(gdb) bt
#0  thr_kill () at thr_kill.S:3
#1  0x00e5239a in __raise (s=6) at /usr/src/lib/libc/gen/raise.c:52
#2  0x00de2ad1 in abort () at /usr/src/lib/libc/stdlib/abort.c:67
#3  0x00d7f4bf in report_failure (err=<optimized out>, thrown_exception=0xf2aa7dc0) at cxxrt_exception.cc:719
#4  0x00d7e232 in operator new (size=<optimized out>) at cxxrt_memory.cc:100
#5  0x008aecf9 in CHARACTER_MANAGER::CreateCharacter (this=0xffffd6a8, name=0x251f149d "Spirit al m\342niei comun", dwPID=0) at char_manager.cpp:91
#6  0x008afbdb in CHARACTER_MANAGER::SpawnMob (this=<optimized out>, dwVnum=1065, lMapIndex=660069, x=268363, y=732709, z=0, bSpawnMotion=<optimized out>, iRot=148, bShow=<optimized out>)
    at char_manager.cpp:441
#7  0x0088b8f7 in CHARACTER::Dead (this=0xf6d5ec80, pkKiller=<optimized out>, bImmediateDead=<optimized out>) at char_battle.cpp:1619
#8  0x008f60e3 in (anonymous namespace)::FKillSectree::operator() (this=<optimized out>, ent=0xf6d5ec80) at dungeon.cpp:979
#9  FCollectEntity::ForEach<(anonymous namespace)::FKillSectree> (this=<optimized out>, f=...) at ./sectree.h:73
#10 SECTREE_MAP::for_each<(anonymous namespace)::FKillSectree> (this=<optimized out>, rfunc=...) at ./sectree_manager.h:81
#11 CDungeon::KillAll (this=0x55268d00) at dungeon.cpp:1024
#12 0x0096f294 in quest::dungeon_kill_all (L=<optimized out>) at questlua_dungeon.cpp:1494
#13 0x00d12828 in luaD_precall (L=0xe2f77880, func=0xa8652d18) at ldo.c:260
#14 0x00d202c7 in luaV_execute (L=0xe2f77880) at lvm.c:627
#15 0x00d12f08 in resume (L=0xe2f77880, ud=0xffff9f5c) at ldo.c:344
#16 0x00d123f6 in luaD_rawrunprotected (L=0xe2f77880, f=0xd12e90 <resume>, ud=0xffff9f5c) at ldo.c:88
#17 0x00d12d45 in lua_resume (L=0xe2f77880, nargs=0) at ldo.c:371
#18 0x00969001 in quest::CQuestManager::RunState (this=0xfffface0, qs=...) at questlua.cpp:1012
#19 0x009952bf in quest::CQuestManager::ExecuteQuestScript (pc=..., quest_name=..., state=0,
    code=0x25067c00 "if pc . in_dungeon ( ) and pc . get_map_index ( ) >= 660000 and pc . get_map_index ( ) < 670000 then d . kill_all ( ) \nd . setqf2 ( \"deviltower_zone\" , \"9_done\" , 1 ) \nnotice_multiline ( gameforge [ g"..., code_size=434, pChatScripts=0x0, bUseCache=true) at questmanager.cpp:1791
#20 0x0099214f in quest::CQuestManager::ExecuteQuestScript (pc=..., quest_index=19, state=0,
    code=0x25067c00 "if pc . in_dungeon ( ) and pc . get_map_index ( ) >= 660000 and pc . get_map_index ( ) < 670000 then d . kill_all ( ) \nd . setqf2 ( \"deviltower_zone\" , \"9_done\" , 1 ) \nnotice_multiline ( gameforge [ g"..., code_size=434, pChatScripts=0x0, bUseCache=<optimized out>) at questmanager.cpp:1737
#21 0x0099b658 in quest::NPC::HandleEvent (this=0x2503d694, pc=..., EventIndex=1) at questnpc.cpp:524
#22 0x0099bc91 in quest::NPC::OnKill (this=0x2503d694, pc=...) at questnpc.cpp:321
#23 0x00992708 in quest::CQuestManager::Kill (this=0xfffface0, pc=750, npc=1093) at questmanager.cpp:526
#24 0x0088d22c in CHARACTER::Reward (this=0xf7b47980, bItemDrop=<optimized out>) at char_battle.cpp:879
#25 0x0088bec0 in CHARACTER::Dead (this=0xf7b47980, pkKiller=<optimized out>, bImmediateDead=<optimized out>) at char_battle.cpp:1634
#26 0x008907c5 in CHARACTER::Damage (this=0xf7b47980, pAttacker=0xf5f6a600, dam=3596, type=DAMAGE_TYPE_NORMAL) at char_battle.cpp:2394
#27 0x0085ba90 in battle_hit (pkAttacker=0xf5f6a600, pkVictim=0xf7b47980, iRetDam=@0xffffa45c: 2551) at battle.cpp:852
#28 0x0085b8cf in battle_melee_attack (ch=0xf5f6a600, victim=0xf7b47980) at battle.cpp:220
#29 0x0088a61e in CHARACTER::Attack (this=0xf5f6a600, pkVictim=0xf7b47980, bType=0 '\000') at char_battle.cpp:321
#30 0x00922d36 in CInputMain::Attack (this=<optimized out>, ch=0xf5f6a600, header=2 '\002', data=0xa5d92f00 "\002") at input_main.cpp:1998
#31 0x00926983 in CInputMain::Analyze (this=0xa77206f8, d=0xa7720680, bHeader=2 '\002', c_pData=0xa5d92f00 "\002") at input_main.cpp:4396
#32 0x00912850 in CInputProcessor::Process (this=0xa77206f8, lpDesc=0xa7720680, c_pvOrig=0xa5d92f00, iBytes=8, r_iBytesProceed=@0xffffa688: 0) at input.cpp:118
#33 0x008e9055 in DESC::ProcessInput (this=0xa7720680) at desc.cpp:306
#34 0x00a28194 in io_loop (fdw=0x21a27660) at main.cpp:1091
#35 0x00a27e79 in idle () at main.cpp:982
#36 0x00a26385 in main (argc=1, argv=0xffffdbf8) at main.cpp:609
(gdb)

Thank you!

 

EDIT: Every crash related to this fails at " LPCHARACTER ch = M2_NEW CHARACTER;" and each .core generated has ~ 3GB (maximum allowed for 32bits binary)

This makes sense to be vulnerable to a exploit which allocate memory until it crashes.

Edited October 11, 2021 by FlorinMarian