The command I used to find these crashing inputs in RnD was
afl-fuzz -i input -o output ./rocksndiamonds -e 'dump level @@'
ei->change_page
ei->group
I compiled SDL2, SDL_image, SDL_mixer, and SDL_net myself because the SDL2 package in the openSUSE repos was older than the version that introduced SDL_OpenURL.
I tried to debug this issue before, but I kept encountering
<optimized out>
I have attached the zip of the levels which crash RnD and the Valgrind output from running Valgrind 3.18.1 on rocksndiamonds like this:
valgrind ./rocksndiamonds -e 'dump level crashes/id:000001,sig:11,src:000801+000501,time:100941896,execs:2536255,op:splice,rep:8'
dump level
Environment:
openSUSE 15.4 in Windows Subsystem for Linux running in Windows 10
Rocks n Diamonds 4.3.2.2
AFL++ 4.01a
Valgrind 3.18.1
SDL 2.23.1
SDL_image 2.5.2
SDL_mixer 2.5.2
SDL_net 2.1.0
Here is a patch which seems to fix the crashes:
diff --git a/src/files.c b/src/files.c
index 8889f810..5633786d 100644
--- a/src/files.c
+++ b/src/files.c
@@ -3356,6 +3356,8 @@ static int LoadLevel_CUSX(File *file, int chunk_size, struct LevelInfo *level)
while (!checkEndOfFile(file))
{
struct ElementChangeInfo *change = &ei->change_page[xx_current_change_page];
+ if (xx_current_change_page >= ei->num_change_pages)
+ break;
xx_change = *change; // copy change data into temporary buffer
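Review bot: the bounds check in this hunk comes one line too late: `change` is computed as `&ei->change_page[xx_current_change_page]` before `xx_current_change_page >= ei->num_change_pages` is tested, so an out-of-range index still forms a pointer past the end of the array (undefined behaviour in C, even though it is not dereferenced until `xx_change = *change`). Move the check above the `struct ElementChangeInfo *change = ...` declaration. It is also worth confirming what happens after the `break`: the loop stops consuming the file, so any bytes remaining in this chunk must be skipped by the caller using `chunk_size`, or the following chunk headers will be read out of position; a warning at the `break` would make a malformed level file visible instead of silently truncating the change pages.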
@@ -3383,6 +3385,8 @@ static int LoadLevel_GRPX(File *file, int chunk_size, struct LevelInfo *level)
int real_chunk_size = 2;
struct ElementInfo *ei = &element_info[element];
struct ElementGroupInfo *group = ei->group;
+ if (!group)
+ return 0;
xx_ei = *ei; // copy element data into temporary buffer
xx_group = *group; // copy group data into temporary buffer
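Review bot: `return 0` in this hunk misreports the number of bytes consumed: `real_chunk_size` has already been initialised to 2 (the element id read before this point), so returning 0 instead of `real_chunk_size` tells the caller nothing was read from the chunk. Return `real_chunk_size` (or skip the rest of the chunk) so that chunk accounting stays consistent, and emit a warning when `ei->group` is NULL for the element, since that means the level file names an element that is not a group element and the chunk is being silently dropped.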
Originally reported here: GitHub issue #7
crashinglevels.zip
LoadLevel_CUSX-1d7ec871.txt
LoadLevel_GRPX-1d7ec871.txt