Bug: Bug Thread: Discussion

[JimMorrison]

Quote:

Originally Posted by lch

Quote:

"Vanished" is not a useful error report. The game gives an error message when it crashes, you should copy and paste that to determine the kind of problem there is.

It's only not useful if it's not clarified in any way. But Dominions still has the "CTD during turn resolution" problem sometimes, and when that occurs, it just dumps you to desktop without any fanfare or explanation. It certainly sounds like that is what Loren is reporting (I think it was listed in the patch notes as fixed in 3.21, but I can confirm seeing it since then as well).

[Loren]

Quote:

Originally Posted by lch

Quote:

"Vanished" is not a useful error report. The game gives an error message when it crashes, you should copy and paste that to determine the kind of problem there is.

I mean vanished. No error message. One instant it's there, the next it's gone. I've never seen exactly what phase of the turn generation it's on when it happens.

This probably means a stack overflow.

[Loren]

Quote:

Originally Posted by JimMorrison

Quote:

It's only not useful if it's not clarified in any way. But Dominions still has the "CTD during turn resolution" problem sometimes, and when that occurs, it just dumps you to desktop without any fanfare or explanation. It certainly sounds like that is what Loren is reporting (I think it was listed in the patch notes as fixed in 3.21, but I can confirm seeing it since then as well).

This sounds exactly like what I'm seeing.

[vfb]

In-game messages like "I'm setting taxes to 0% so you go bankrupt" can cause the turn to crash when they are viewed.

The game formats messages that are displayed on the screen using one of the printf calls. It should pass ( ..., "%s", message ) for user-entered messages. But instead it passes ( ..., message ). So if 'message' contains printf formatting, it will expect additional arguments. And if the printf code is '%s' (spaces between the '%' and 's' don't matter), it will treat whatever happens to be on the stack as an address to read a string from. If this address is invalid, that can cause a crash.

[Soyweiser]

Quote:

Originally Posted by vfb

In-game messages like "I'm setting taxes to 0% so you go bankrupt" can cause the turn to crash when they are viewed.

The game formats messages that are displayed on the screen using one of the printf calls. It should pass ( ..., "%s", message ) for user-entered messages. But instead it passes ( ..., message ). So if 'message' contains printf formatting, it will expect additional arguments. And if the printf code is '%s' (spaces between the '%' and 's' don't matter), it will treat whatever happens to be on the stack as an address to read a string from. If this address is invalid, that can cause a crash.

This is a serious problem. This can cause much more than a simple crash. If someone makes a malicious message, it could take over your computer.

http://en.wikipedia.org/wiki/Format_string_attack

[MaxWilson]

Oh, wow. %n does not modify the output from printf but instead treats its arguments are a memory address and sets it to the number of characters printed so far. That raises the threat potential from printing out the contents of your Dom3 process to modifying memory, including the instruction pointer. http://julianor.tripod.com/bc/formatstring-1.2.pdf

It's interesting that vfb reports that this will cause crashes. Maybe Dom3 is compiled in a mode that does stricter checking of printf, and throws an exception if the wrong number of arguments is supplied. In that case it's not a security threat after all.

-Max

[vfb]

Quote:

Originally Posted by MaxWilson

Oh, wow. %n does not modify the output from printf but instead treats its arguments are a memory address and sets it to the number of characters printed so far. That raises the threat potential from printing out the contents of your Dom3 process to modifying memory, including the instruction pointer. http://julianor.tripod.com/bc/formatstring-1.2.pdf

It's interesting that vfb reports that this will cause crashes. Maybe Dom3 is compiled in a mode that does stricter checking of printf, and throws an exception if the wrong number of arguments is supplied. In that case it's not a security threat after all.

-Max

No, I just said %s will cause crashes. I did not think of %n, I was not aware of that actually.

The printf call used does check for a null argument to %s on the stack and prints "(null)" in that case, but it's going to seg fault (crash) if there's something on the stack like a random integer value.

It's impossible to do a compile-time check of the printf arg count when the format string itself is variable. And that's the problem here, the format string should be "%s" instead of the user-entered message.

It's also impossible for a library function like printf to know how many arguments it was actually passed. Whatever is on the stack is just there, and it will try to use it according to the format string.

[lch]

Black Laurel, Ivy Crown and Crown of the Ivy King do not provide an armor to the wearer, bug or WAD? I remember that a couple of crowns were missing their armor, and KO said something like "remind me of any other crowns like this".

[Tifone]

Should they provide armor? They're leaves after all

[Dectilon]

I don't know if this has been mentioned but:

If I use the random map generator once, quit that game and generate a new map I get the exact same map grahpics but with each province redefined (water provinces will often be land and vice versa).