[pkg-fgfs-crew] Bug#765855: libopenscenegraph100: use-after-free crash in Node::remove*Callback

Rebecca N. Palmer rebecca_palmer at zoho.com
Fri Oct 24 10:18:39 UTC 2014


Control: reassign -1 libopenscenegraph100
Control: retitle -1 libopenscenegraph100: use-after-free crash in Node::remove*Callback
Control: tags -1 patch fixed-upstream

This crash is a use-after-free in openscenegraph Node::remove*Callback:
if the node holds the only reference to the callback (nc itself isn't a
ref_ptr so doesn't count), it will automatically be freed when removed,
and the following nc->setNestedCallback(0) is hence an out-of-bounds access.

The affected code was introduced between 3.2.0~rc1 and 3.2.1, which
explains why we hadn't seen this earlier.

This is fixed upstream by
https://github.com/openscenegraph/osg/commit/49d560f4d9d0641c98df67264b7ace4733c6b9a9;
I have checked that this fixes this bug.  As the fix is in an inline
method, a rebuild of simgear is required to pick it up; given that we
don't know if any more of openscenegraph's reverse dependencies are
affected, I suggest binNMUing them all.  (This isn't a now-forbidden
transition as the interface doesn't change: fixing openscenegraph
without rebuilding doesn't further break things, it just doesn't fix the
bug.)
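As an added illustration (not code from OSG, simgear or this report), the following single-threaded model of osg::Referenced, osg::ref_ptr and Node::removeUpdateCallback reproduces the ordering problem described above and the keep-alive fix; all class and function names are stand-ins, and the fixed variant holds a local ref_ptr for the duration of the call, which is one correct ordering rather than a copy of the upstream commit.

```cpp
#include <string>
#include <vector>

// Event log: the order of setNestedCallback calls versus destructor runs is the evidence.
static std::vector<std::string> g_events;

// Intrusive reference count in the style of osg::Referenced (single-threaded model).
class Referenced {
public:
    virtual ~Referenced() {}
    void ref() const { ++_refCount; }
    void unref() const { if (--_refCount == 0) delete this; }   // last owner deletes
    int referenceCount() const { return _refCount; }
private:
    mutable int _refCount = 0;
};

// Minimal osg::ref_ptr: ref() on acquire, unref() on release; reassignment may delete.
template <class T> class ref_ptr {
public:
    ref_ptr(T* p = nullptr) : _ptr(p) { if (_ptr) _ptr->ref(); }
    ref_ptr(const ref_ptr& o) : ref_ptr(o._ptr) {}
    ~ref_ptr() { if (_ptr) _ptr->unref(); }
    ref_ptr& operator=(T* p) {
        if (_ptr == p) return *this;
        T* old = _ptr; _ptr = p;
        if (_ptr) _ptr->ref();
        if (old) old->unref();        // a sole-owned old object is deleted right here
        return *this;
    }
    ref_ptr& operator=(const ref_ptr& o) { return *this = o._ptr; }
    T* get() const { return _ptr; }
    T* operator->() const { return _ptr; }
private:
    T* _ptr;
};

// Chainable callback in the style of osg::NodeCallback; name is public for logging only.
class Callback : public Referenced {
public:
    explicit Callback(const std::string& n) : name(n) {}
    ~Callback() override { g_events.push_back("~" + name); }
    Callback* getNestedCallback() const { return _nested.get(); }
    void setNestedCallback(Callback* nc) {
        g_events.push_back(name + ".setNestedCallback(" + (nc ? nc->name : "0") + ")");
        _nested = nc;
    }
    std::string name;
private:
    ref_ptr<Callback> _nested;
};

class Node {
public:
    Callback* getUpdateCallback() const { return _updateCallback.get(); }
    void setUpdateCallback(Callback* nc) { _updateCallback = nc; }
    // Shape of the code the report describes (head-of-chain case only): nc is a raw
    // pointer, so if the node held the only reference the assignment deletes nc and the
    // next line reads freed memory. Safe only while the caller holds its own ref_ptr to nc.
    void removeUpdateCallbackBuggy(Callback* nc) {
        if (!nc || _updateCallback.get() != nc) return;
        _updateCallback = nc->getNestedCallback();   // may delete nc (Node:206 in the trace)
        nc->setNestedCallback(nullptr);              // use-after-free if it did (Node:207)
    }
    // Fixed version: a local ref_ptr keeps nc alive until its last use in this function.
    void removeUpdateCallbackFixed(Callback* nc) {
        if (!nc || _updateCallback.get() != nc) return;
        ref_ptr<Callback> keepAlive(nc);
        _updateCallback = nc->getNestedCallback();   // nc survives: keepAlive still holds it
        nc->setNestedCallback(nullptr);
    }   // keepAlive releases here; a sole-owned nc is deleted now, after its last use
private:
    ref_ptr<Callback> _updateCallback;
};

// Scenario 1: chain A -> B with the node as sole owner, the situation the trace shows when
// simgear's UpdateOnceCallback removes itself. A is unlinked, then destroyed; B becomes head.
std::vector<std::string> scenarioSoleOwnerFixed() {
    Node node;
    node.setUpdateCallback(new Callback("A"));
    node.getUpdateCallback()->setNestedCallback(new Callback("B"));
    g_events.clear();
    node.removeUpdateCallbackFixed(node.getUpdateCallback());
    g_events.push_back("head=" + node.getUpdateCallback()->name);
    return g_events;   // copied before node (and B) is destroyed
}

// Scenario 2: the buggy code is harmless only while someone else still holds nc.
std::vector<std::string> scenarioBuggyWithExternalRef() {
    Node node;
    ref_ptr<Callback> held(new Callback("A"));   // caller's own reference keeps A alive
    node.setUpdateCallback(held.get());
    g_events.clear();
    node.removeUpdateCallbackBuggy(held.get());
    g_events.push_back("A refs=" + std::to_string(held->referenceCount()));
    return g_events;
}
```

Calling removeUpdateCallbackBuggy in scenario 1's setup would reproduce the Valgrind report (delete at the assignment, read in setNestedCallback), which is why that combination is deliberately not exercised here.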

-------------- attached Valgrind log --------------
==4597== Memcheck, a memory error detector
==4597== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al.
==4597== Using Valgrind-3.10.0 and LibVEX; rerun with -h for copyright info
==4597== Command: fgfs --enable-terrasync
==4597== Parent PID: 4587
==4597== 
==4597== Conditional jump or move depends on uninitialised value(s)
==4597==    at 0x8E1810E: jsJoystick::open() (in /usr/lib/libplibjs.so.1.8.5)
==4597==    by 0x79A2B9: FGJoystickInput::init() (in /usr/games/fgfs)
==4597==    by 0x5E20249: SGSubsystem::incrementalInit() (subsystem_mgr.cxx:62)
==4597==    by 0x5E20D0C: SGSubsystemGroup::incrementalInit() (subsystem_mgr.cxx:180)
==4597==    by 0x5E20D0C: SGSubsystemGroup::incrementalInit() (subsystem_mgr.cxx:180)
==4597==    by 0x5E205DE: SGSubsystemMgr::incrementalInit() (subsystem_mgr.cxx:454)
==4597==    by 0x5FB0C5: ??? (in /usr/games/fgfs)
==4597==    by 0xB989BB: fgOSMainLoop() (in /usr/games/fgfs)
==4597==    by 0x5F94ED: fgMainInit(int, char**) (in /usr/games/fgfs)
==4597==    by 0x5A00FE: main (in /usr/games/fgfs)
==4597==  Uninitialised value was created by a heap allocation
==4597==    at 0x4C298A0: operator new[](unsigned long) (vg_replace_malloc.c:389)
==4597==    by 0x8E180C2: jsJoystick::open() (in /usr/lib/libplibjs.so.1.8.5)
==4597==    by 0x79A2B9: FGJoystickInput::init() (in /usr/games/fgfs)
==4597==    by 0x5E20249: SGSubsystem::incrementalInit() (subsystem_mgr.cxx:62)
==4597==    by 0x5E20D0C: SGSubsystemGroup::incrementalInit() (subsystem_mgr.cxx:180)
==4597==    by 0x5E20D0C: SGSubsystemGroup::incrementalInit() (subsystem_mgr.cxx:180)
==4597==    by 0x5E205DE: SGSubsystemMgr::incrementalInit() (subsystem_mgr.cxx:454)
==4597==    by 0x5FB0C5: ??? (in /usr/games/fgfs)
==4597==    by 0xB989BB: fgOSMainLoop() (in /usr/games/fgfs)
==4597==    by 0x5F94ED: fgMainInit(int, char**) (in /usr/games/fgfs)
==4597==    by 0x5A00FE: main (in /usr/games/fgfs)
==4597== 
==4597== Conditional jump or move depends on uninitialised value(s)
==4597==    at 0x4C2C1B8: strlen (vg_replace_strmem.c:412)
==4597==    by 0x79AA56: FGJoystickInput::init() (in /usr/games/fgfs)
==4597==    by 0x5E20249: SGSubsystem::incrementalInit() (subsystem_mgr.cxx:62)
==4597==    by 0x5E20D0C: SGSubsystemGroup::incrementalInit() (subsystem_mgr.cxx:180)
==4597==    by 0x5E20D0C: SGSubsystemGroup::incrementalInit() (subsystem_mgr.cxx:180)
==4597==    by 0x5E205DE: SGSubsystemMgr::incrementalInit() (subsystem_mgr.cxx:454)
==4597==    by 0x5FB0C5: ??? (in /usr/games/fgfs)
==4597==    by 0xB989BB: fgOSMainLoop() (in /usr/games/fgfs)
==4597==    by 0x5F94ED: fgMainInit(int, char**) (in /usr/games/fgfs)
==4597==    by 0x5A00FE: main (in /usr/games/fgfs)
==4597==  Uninitialised value was created by a heap allocation
==4597==    at 0x4C29180: operator new(unsigned long) (vg_replace_malloc.c:324)
==4597==    by 0x79A2AC: FGJoystickInput::init() (in /usr/games/fgfs)
==4597==    by 0x5E20249: SGSubsystem::incrementalInit() (subsystem_mgr.cxx:62)
==4597==    by 0x5E20D0C: SGSubsystemGroup::incrementalInit() (subsystem_mgr.cxx:180)
==4597==    by 0x5E20D0C: SGSubsystemGroup::incrementalInit() (subsystem_mgr.cxx:180)
==4597==    by 0x5E205DE: SGSubsystemMgr::incrementalInit() (subsystem_mgr.cxx:454)
==4597==    by 0x5FB0C5: ??? (in /usr/games/fgfs)
==4597==    by 0xB989BB: fgOSMainLoop() (in /usr/games/fgfs)
==4597==    by 0x5F94ED: fgMainInit(int, char**) (in /usr/games/fgfs)
==4597==    by 0x5A00FE: main (in /usr/games/fgfs)
==4597== 
==4597== Thread 2:
==4597== Syscall param write(buf) points to uninitialised byte(s)
==4597==    at 0x55ABA7D: ??? (syscall-template.S:81)
==4597==    by 0xA388205: ??? (in /usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.20)
==4597==    by 0xA3C47B7: std::basic_filebuf<char, std::char_traits<char> >::_M_convert_to_external(char*, long) (in /usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.20)
==4597==    by 0xA3C4B8B: std::basic_filebuf<char, std::char_traits<char> >::overflow(int) (in /usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.20)
==4597==    by 0xA3C2DAE: std::basic_filebuf<char, std::char_traits<char> >::sync() (in /usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.20)
==4597==    by 0xA3A276D: std::ostream::flush() (in /usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.20)
==4597==    by 0x5D623B9: LogStreamPrivate::run() (logstream.cxx:271)
==4597==    by 0x5E2B629: SGThread::PrivateData::start_routine(void*) (SGThread.cxx:204)
==4597==    by 0x55A50A3: start_thread (pthread_create.c:309)
==4597==    by 0xAC13C2C: clone (clone.S:111)
==4597==  Address 0xdf0e5e8 is 120 bytes inside a block of size 8,192 alloc'd
==4597==    at 0x4C298A0: operator new[](unsigned long) (vg_replace_malloc.c:389)
==4597==    by 0xA3C69C0: std::basic_filebuf<char, std::char_traits<char> >::open(char const*, std::_Ios_Openmode) (in /usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.20)
==4597==    by 0x5D5F7D6: open (fstream:719)
==4597==    by 0x5D5F7D6: basic_ofstream (fstream:648)
==4597==    by 0x5D5F7D6: FileLogCallback (logstream.cxx:108)
==4597==    by 0x5D5F7D6: logstream::logToFile(SGPath const&, sgDebugClass, sgDebugPriority) (logstream.cxx:429)
==4597==    by 0x5F9747: fgMainInit(int, char**) (in /usr/games/fgfs)
==4597==    by 0x5A00FE: main (in /usr/games/fgfs)
==4597==  Uninitialised value was created by a heap allocation
==4597==    at 0x4C29180: operator new(unsigned long) (vg_replace_malloc.c:324)
==4597==    by 0x79A2AC: FGJoystickInput::init() (in /usr/games/fgfs)
==4597==    by 0x5E20249: SGSubsystem::incrementalInit() (subsystem_mgr.cxx:62)
==4597==    by 0x5E20D0C: SGSubsystemGroup::incrementalInit() (subsystem_mgr.cxx:180)
==4597==    by 0x5E20D0C: SGSubsystemGroup::incrementalInit() (subsystem_mgr.cxx:180)
==4597==    by 0x5E205DE: SGSubsystemMgr::incrementalInit() (subsystem_mgr.cxx:454)
==4597==    by 0x5FB0C5: ??? (in /usr/games/fgfs)
==4597==    by 0xB989BB: fgOSMainLoop() (in /usr/games/fgfs)
==4597==    by 0x5F94ED: fgMainInit(int, char**) (in /usr/games/fgfs)
==4597==    by 0x5A00FE: main (in /usr/games/fgfs)
==4597== 
==4597== Thread 1:
==4597== Conditional jump or move depends on uninitialised value(s)
==4597==    at 0x4C2C1B8: strlen (vg_replace_strmem.c:412)
==4597==    by 0xA3CCBF0: std::basic_string<char, std::char_traits<char>, std::allocator<char> >::basic_string(char const*, std::allocator<char> const&) (in /usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.20)
==4597==    by 0x79ABE1: FGJoystickInput::init() (in /usr/games/fgfs)
==4597==    by 0x5E20249: SGSubsystem::incrementalInit() (subsystem_mgr.cxx:62)
==4597==    by 0x5E20D0C: SGSubsystemGroup::incrementalInit() (subsystem_mgr.cxx:180)
==4597==    by 0x5E20D0C: SGSubsystemGroup::incrementalInit() (subsystem_mgr.cxx:180)
==4597==    by 0x5E205DE: SGSubsystemMgr::incrementalInit() (subsystem_mgr.cxx:454)
==4597==    by 0x5FB0C5: ??? (in /usr/games/fgfs)
==4597==    by 0xB989BB: fgOSMainLoop() (in /usr/games/fgfs)
==4597==    by 0x5F94ED: fgMainInit(int, char**) (in /usr/games/fgfs)
==4597==    by 0x5A00FE: main (in /usr/games/fgfs)
==4597==  Uninitialised value was created by a heap allocation
==4597==    at 0x4C29180: operator new(unsigned long) (vg_replace_malloc.c:324)
==4597==    by 0x79A2AC: FGJoystickInput::init() (in /usr/games/fgfs)
==4597==    by 0x5E20249: SGSubsystem::incrementalInit() (subsystem_mgr.cxx:62)
==4597==    by 0x5E20D0C: SGSubsystemGroup::incrementalInit() (subsystem_mgr.cxx:180)
==4597==    by 0x5E20D0C: SGSubsystemGroup::incrementalInit() (subsystem_mgr.cxx:180)
==4597==    by 0x5E205DE: SGSubsystemMgr::incrementalInit() (subsystem_mgr.cxx:454)
==4597==    by 0x5FB0C5: ??? (in /usr/games/fgfs)
==4597==    by 0xB989BB: fgOSMainLoop() (in /usr/games/fgfs)
==4597==    by 0x5F94ED: fgMainInit(int, char**) (in /usr/games/fgfs)
==4597==    by 0x5A00FE: main (in /usr/games/fgfs)
==4597== 
==4597== Conditional jump or move depends on uninitialised value(s)
==4597==    at 0x4C2ED52: __memcmp_sse4_1 (vg_replace_strmem.c:972)
==4597==    by 0x78CFC6: FGDeviceConfigurationMap::hasConfiguration(std::string const&) const (in /usr/games/fgfs)
==4597==    by 0x79ABF4: FGJoystickInput::init() (in /usr/games/fgfs)
==4597==    by 0x5E20249: SGSubsystem::incrementalInit() (subsystem_mgr.cxx:62)
==4597==    by 0x5E20D0C: SGSubsystemGroup::incrementalInit() (subsystem_mgr.cxx:180)
==4597==    by 0x5E20D0C: SGSubsystemGroup::incrementalInit() (subsystem_mgr.cxx:180)
==4597==    by 0x5E205DE: SGSubsystemMgr::incrementalInit() (subsystem_mgr.cxx:454)
==4597==    by 0x5FB0C5: ??? (in /usr/games/fgfs)
==4597==    by 0xB989BB: fgOSMainLoop() (in /usr/games/fgfs)
==4597==    by 0x5F94ED: fgMainInit(int, char**) (in /usr/games/fgfs)
==4597==    by 0x5A00FE: main (in /usr/games/fgfs)
==4597==  Uninitialised value was created by a heap allocation
==4597==    at 0x4C29180: operator new(unsigned long) (vg_replace_malloc.c:324)
==4597==    by 0x79A2AC: FGJoystickInput::init() (in /usr/games/fgfs)
==4597==    by 0x5E20249: SGSubsystem::incrementalInit() (subsystem_mgr.cxx:62)
==4597==    by 0x5E20D0C: SGSubsystemGroup::incrementalInit() (subsystem_mgr.cxx:180)
==4597==    by 0x5E20D0C: SGSubsystemGroup::incrementalInit() (subsystem_mgr.cxx:180)
==4597==    by 0x5E205DE: SGSubsystemMgr::incrementalInit() (subsystem_mgr.cxx:454)
==4597==    by 0x5FB0C5: ??? (in /usr/games/fgfs)
==4597==    by 0xB989BB: fgOSMainLoop() (in /usr/games/fgfs)
==4597==    by 0x5F94ED: fgMainInit(int, char**) (in /usr/games/fgfs)
==4597==    by 0x5A00FE: main (in /usr/games/fgfs)
==4597== 
==4597== Conditional jump or move depends on uninitialised value(s)
==4597==    at 0x78CFC9: FGDeviceConfigurationMap::hasConfiguration(std::string const&) const (in /usr/games/fgfs)
==4597==    by 0x79ABF4: FGJoystickInput::init() (in /usr/games/fgfs)
==4597==    by 0x5E20249: SGSubsystem::incrementalInit() (subsystem_mgr.cxx:62)
==4597==    by 0x5E20D0C: SGSubsystemGroup::incrementalInit() (subsystem_mgr.cxx:180)
==4597==    by 0x5E20D0C: SGSubsystemGroup::incrementalInit() (subsystem_mgr.cxx:180)
==4597==    by 0x5E205DE: SGSubsystemMgr::incrementalInit() (subsystem_mgr.cxx:454)
==4597==    by 0x5FB0C5: ??? (in /usr/games/fgfs)
==4597==    by 0xB989BB: fgOSMainLoop() (in /usr/games/fgfs)
==4597==    by 0x5F94ED: fgMainInit(int, char**) (in /usr/games/fgfs)
==4597==    by 0x5A00FE: main (in /usr/games/fgfs)
==4597==  Uninitialised value was created by a heap allocation
==4597==    at 0x4C29180: operator new(unsigned long) (vg_replace_malloc.c:324)
==4597==    by 0x79A2AC: FGJoystickInput::init() (in /usr/games/fgfs)
==4597==    by 0x5E20249: SGSubsystem::incrementalInit() (subsystem_mgr.cxx:62)
==4597==    by 0x5E20D0C: SGSubsystemGroup::incrementalInit() (subsystem_mgr.cxx:180)
==4597==    by 0x5E20D0C: SGSubsystemGroup::incrementalInit() (subsystem_mgr.cxx:180)
==4597==    by 0x5E205DE: SGSubsystemMgr::incrementalInit() (subsystem_mgr.cxx:454)
==4597==    by 0x5FB0C5: ??? (in /usr/games/fgfs)
==4597==    by 0xB989BB: fgOSMainLoop() (in /usr/games/fgfs)
==4597==    by 0x5F94ED: fgMainInit(int, char**) (in /usr/games/fgfs)
==4597==    by 0x5A00FE: main (in /usr/games/fgfs)
==4597== 
==4597== Conditional jump or move depends on uninitialised value(s)
==4597==    at 0x78D04C: FGDeviceConfigurationMap::hasConfiguration(std::string const&) const (in /usr/games/fgfs)
==4597==    by 0x79ABF4: FGJoystickInput::init() (in /usr/games/fgfs)
==4597==    by 0x5E20249: SGSubsystem::incrementalInit() (subsystem_mgr.cxx:62)
==4597==    by 0x5E20D0C: SGSubsystemGroup::incrementalInit() (subsystem_mgr.cxx:180)
==4597==    by 0x5E20D0C: SGSubsystemGroup::incrementalInit() (subsystem_mgr.cxx:180)
==4597==    by 0x5E205DE: SGSubsystemMgr::incrementalInit() (subsystem_mgr.cxx:454)
==4597==    by 0x5FB0C5: ??? (in /usr/games/fgfs)
==4597==    by 0xB989BB: fgOSMainLoop() (in /usr/games/fgfs)
==4597==    by 0x5F94ED: fgMainInit(int, char**) (in /usr/games/fgfs)
==4597==    by 0x5A00FE: main (in /usr/games/fgfs)
==4597==  Uninitialised value was created by a heap allocation
==4597==    at 0x4C29180: operator new(unsigned long) (vg_replace_malloc.c:324)
==4597==    by 0x79A2AC: FGJoystickInput::init() (in /usr/games/fgfs)
==4597==    by 0x5E20249: SGSubsystem::incrementalInit() (subsystem_mgr.cxx:62)
==4597==    by 0x5E20D0C: SGSubsystemGroup::incrementalInit() (subsystem_mgr.cxx:180)
==4597==    by 0x5E20D0C: SGSubsystemGroup::incrementalInit() (subsystem_mgr.cxx:180)
==4597==    by 0x5E205DE: SGSubsystemMgr::incrementalInit() (subsystem_mgr.cxx:454)
==4597==    by 0x5FB0C5: ??? (in /usr/games/fgfs)
==4597==    by 0xB989BB: fgOSMainLoop() (in /usr/games/fgfs)
==4597==    by 0x5F94ED: fgMainInit(int, char**) (in /usr/games/fgfs)
==4597==    by 0x5A00FE: main (in /usr/games/fgfs)
==4597== 
==4597== Conditional jump or move depends on uninitialised value(s)
==4597==    at 0x4C2ED52: __memcmp_sse4_1 (vg_replace_strmem.c:972)
==4597==    by 0x78D00B: FGDeviceConfigurationMap::hasConfiguration(std::string const&) const (in /usr/games/fgfs)
==4597==    by 0x79ABF4: FGJoystickInput::init() (in /usr/games/fgfs)
==4597==    by 0x5E20249: SGSubsystem::incrementalInit() (subsystem_mgr.cxx:62)
==4597==    by 0x5E20D0C: SGSubsystemGroup::incrementalInit() (subsystem_mgr.cxx:180)
==4597==    by 0x5E20D0C: SGSubsystemGroup::incrementalInit() (subsystem_mgr.cxx:180)
==4597==    by 0x5E205DE: SGSubsystemMgr::incrementalInit() (subsystem_mgr.cxx:454)
==4597==    by 0x5FB0C5: ??? (in /usr/games/fgfs)
==4597==    by 0xB989BB: fgOSMainLoop() (in /usr/games/fgfs)
==4597==    by 0x5F94ED: fgMainInit(int, char**) (in /usr/games/fgfs)
==4597==    by 0x5A00FE: main (in /usr/games/fgfs)
==4597==  Uninitialised value was created by a heap allocation
==4597==    at 0x4C29180: operator new(unsigned long) (vg_replace_malloc.c:324)
==4597==    by 0x79A2AC: FGJoystickInput::init() (in /usr/games/fgfs)
==4597==    by 0x5E20249: SGSubsystem::incrementalInit() (subsystem_mgr.cxx:62)
==4597==    by 0x5E20D0C: SGSubsystemGroup::incrementalInit() (subsystem_mgr.cxx:180)
==4597==    by 0x5E20D0C: SGSubsystemGroup::incrementalInit() (subsystem_mgr.cxx:180)
==4597==    by 0x5E205DE: SGSubsystemMgr::incrementalInit() (subsystem_mgr.cxx:454)
==4597==    by 0x5FB0C5: ??? (in /usr/games/fgfs)
==4597==    by 0xB989BB: fgOSMainLoop() (in /usr/games/fgfs)
==4597==    by 0x5F94ED: fgMainInit(int, char**) (in /usr/games/fgfs)
==4597==    by 0x5A00FE: main (in /usr/games/fgfs)
==4597== 
==4597== Conditional jump or move depends on uninitialised value(s)
==4597==    at 0x4C2C1B8: strlen (vg_replace_strmem.c:412)
==4597==    by 0xA3CCBF0: std::basic_string<char, std::char_traits<char>, std::allocator<char> >::basic_string(char const*, std::allocator<char> const&) (in /usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.20)
==4597==    by 0x79AC2E: FGJoystickInput::init() (in /usr/games/fgfs)
==4597==    by 0x5E20249: SGSubsystem::incrementalInit() (subsystem_mgr.cxx:62)
==4597==    by 0x5E20D0C: SGSubsystemGroup::incrementalInit() (subsystem_mgr.cxx:180)
==4597==    by 0x5E20D0C: SGSubsystemGroup::incrementalInit() (subsystem_mgr.cxx:180)
==4597==    by 0x5E205DE: SGSubsystemMgr::incrementalInit() (subsystem_mgr.cxx:454)
==4597==    by 0x5FB0C5: ??? (in /usr/games/fgfs)
==4597==    by 0xB989BB: fgOSMainLoop() (in /usr/games/fgfs)
==4597==    by 0x5F94ED: fgMainInit(int, char**) (in /usr/games/fgfs)
==4597==    by 0x5A00FE: main (in /usr/games/fgfs)
==4597==  Uninitialised value was created by a heap allocation
==4597==    at 0x4C29180: operator new(unsigned long) (vg_replace_malloc.c:324)
==4597==    by 0x79A2AC: FGJoystickInput::init() (in /usr/games/fgfs)
==4597==    by 0x5E20249: SGSubsystem::incrementalInit() (subsystem_mgr.cxx:62)
==4597==    by 0x5E20D0C: SGSubsystemGroup::incrementalInit() (subsystem_mgr.cxx:180)
==4597==    by 0x5E20D0C: SGSubsystemGroup::incrementalInit() (subsystem_mgr.cxx:180)
==4597==    by 0x5E205DE: SGSubsystemMgr::incrementalInit() (subsystem_mgr.cxx:454)
==4597==    by 0x5FB0C5: ??? (in /usr/games/fgfs)
==4597==    by 0xB989BB: fgOSMainLoop() (in /usr/games/fgfs)
==4597==    by 0x5F94ED: fgMainInit(int, char**) (in /usr/games/fgfs)
==4597==    by 0x5A00FE: main (in /usr/games/fgfs)
==4597== 
==4597== Conditional jump or move depends on uninitialised value(s)
==4597==    at 0x4C2ED52: __memcmp_sse4_1 (vg_replace_strmem.c:972)
==4597==    by 0x77969B: std::_Rb_tree<std::string, std::pair<std::string const, SGPath>, std::_Select1st<std::pair<std::string const, SGPath> >, std::less<std::string>, std::allocator<std::pair<std::string const, SGPath> > >::find(std::string const&) (in /usr/games/fgfs)
==4597==    by 0x78D257: FGDeviceConfigurationMap::configurationForDeviceName(std::string const&) (in /usr/games/fgfs)
==4597==    by 0x79AC48: FGJoystickInput::init() (in /usr/games/fgfs)
==4597==    by 0x5E20249: SGSubsystem::incrementalInit() (subsystem_mgr.cxx:62)
==4597==    by 0x5E20D0C: SGSubsystemGroup::incrementalInit() (subsystem_mgr.cxx:180)
==4597==    by 0x5E20D0C: SGSubsystemGroup::incrementalInit() (subsystem_mgr.cxx:180)
==4597==    by 0x5E205DE: SGSubsystemMgr::incrementalInit() (subsystem_mgr.cxx:454)
==4597==    by 0x5FB0C5: ??? (in /usr/games/fgfs)
==4597==    by 0xB989BB: fgOSMainLoop() (in /usr/games/fgfs)
==4597==    by 0x5F94ED: fgMainInit(int, char**) (in /usr/games/fgfs)
==4597==    by 0x5A00FE: main (in /usr/games/fgfs)
==4597==  Uninitialised value was created by a heap allocation
==4597==    at 0x4C29180: operator new(unsigned long) (vg_replace_malloc.c:324)
==4597==    by 0x79A2AC: FGJoystickInput::init() (in /usr/games/fgfs)
==4597==    by 0x5E20249: SGSubsystem::incrementalInit() (subsystem_mgr.cxx:62)
==4597==    by 0x5E20D0C: SGSubsystemGroup::incrementalInit() (subsystem_mgr.cxx:180)
==4597==    by 0x5E20D0C: SGSubsystemGroup::incrementalInit() (subsystem_mgr.cxx:180)
==4597==    by 0x5E205DE: SGSubsystemMgr::incrementalInit() (subsystem_mgr.cxx:454)
==4597==    by 0x5FB0C5: ??? (in /usr/games/fgfs)
==4597==    by 0xB989BB: fgOSMainLoop() (in /usr/games/fgfs)
==4597==    by 0x5F94ED: fgMainInit(int, char**) (in /usr/games/fgfs)
==4597==    by 0x5A00FE: main (in /usr/games/fgfs)
==4597== 
==4597== Conditional jump or move depends on uninitialised value(s)
==4597==    at 0x77969E: std::_Rb_tree<std::string, std::pair<std::string const, SGPath>, std::_Select1st<std::pair<std::string const, SGPath> >, std::less<std::string>, std::allocator<std::pair<std::string const, SGPath> > >::find(std::string const&) (in /usr/games/fgfs)
==4597==    by 0x78D257: FGDeviceConfigurationMap::configurationForDeviceName(std::string const&) (in /usr/games/fgfs)
==4597==    by 0x79AC48: FGJoystickInput::init() (in /usr/games/fgfs)
==4597==    by 0x5E20249: SGSubsystem::incrementalInit() (subsystem_mgr.cxx:62)
==4597==    by 0x5E20D0C: SGSubsystemGroup::incrementalInit() (subsystem_mgr.cxx:180)
==4597==    by 0x5E20D0C: SGSubsystemGroup::incrementalInit() (subsystem_mgr.cxx:180)
==4597==    by 0x5E205DE: SGSubsystemMgr::incrementalInit() (subsystem_mgr.cxx:454)
==4597==    by 0x5FB0C5: ??? (in /usr/games/fgfs)
==4597==    by 0xB989BB: fgOSMainLoop() (in /usr/games/fgfs)
==4597==    by 0x5F94ED: fgMainInit(int, char**) (in /usr/games/fgfs)
==4597==    by 0x5A00FE: main (in /usr/games/fgfs)
==4597==  Uninitialised value was created by a heap allocation
==4597==    at 0x4C29180: operator new(unsigned long) (vg_replace_malloc.c:324)
==4597==    by 0x79A2AC: FGJoystickInput::init() (in /usr/games/fgfs)
==4597==    by 0x5E20249: SGSubsystem::incrementalInit() (subsystem_mgr.cxx:62)
==4597==    by 0x5E20D0C: SGSubsystemGroup::incrementalInit() (subsystem_mgr.cxx:180)
==4597==    by 0x5E20D0C: SGSubsystemGroup::incrementalInit() (subsystem_mgr.cxx:180)
==4597==    by 0x5E205DE: SGSubsystemMgr::incrementalInit() (subsystem_mgr.cxx:454)
==4597==    by 0x5FB0C5: ??? (in /usr/games/fgfs)
==4597==    by 0xB989BB: fgOSMainLoop() (in /usr/games/fgfs)
==4597==    by 0x5F94ED: fgMainInit(int, char**) (in /usr/games/fgfs)
==4597==    by 0x5A00FE: main (in /usr/games/fgfs)
==4597== 
==4597== Conditional jump or move depends on uninitialised value(s)
==4597==    at 0x779674: std::_Rb_tree<std::string, std::pair<std::string const, SGPath>, std::_Select1st<std::pair<std::string const, SGPath> >, std::less<std::string>, std::allocator<std::pair<std::string const, SGPath> > >::find(std::string const&) (in /usr/games/fgfs)
==4597==    by 0x78D257: FGDeviceConfigurationMap::configurationForDeviceName(std::string const&) (in /usr/games/fgfs)
==4597==    by 0x79AC48: FGJoystickInput::init() (in /usr/games/fgfs)
==4597==    by 0x5E20249: SGSubsystem::incrementalInit() (subsystem_mgr.cxx:62)
==4597==    by 0x5E20D0C: SGSubsystemGroup::incrementalInit() (subsystem_mgr.cxx:180)
==4597==    by 0x5E20D0C: SGSubsystemGroup::incrementalInit() (subsystem_mgr.cxx:180)
==4597==    by 0x5E205DE: SGSubsystemMgr::incrementalInit() (subsystem_mgr.cxx:454)
==4597==    by 0x5FB0C5: ??? (in /usr/games/fgfs)
==4597==    by 0xB989BB: fgOSMainLoop() (in /usr/games/fgfs)
==4597==    by 0x5F94ED: fgMainInit(int, char**) (in /usr/games/fgfs)
==4597==    by 0x5A00FE: main (in /usr/games/fgfs)
==4597==  Uninitialised value was created by a heap allocation
==4597==    at 0x4C29180: operator new(unsigned long) (vg_replace_malloc.c:324)
==4597==    by 0x79A2AC: FGJoystickInput::init() (in /usr/games/fgfs)
==4597==    by 0x5E20249: SGSubsystem::incrementalInit() (subsystem_mgr.cxx:62)
==4597==    by 0x5E20D0C: SGSubsystemGroup::incrementalInit() (subsystem_mgr.cxx:180)
==4597==    by 0x5E20D0C: SGSubsystemGroup::incrementalInit() (subsystem_mgr.cxx:180)
==4597==    by 0x5E205DE: SGSubsystemMgr::incrementalInit() (subsystem_mgr.cxx:454)
==4597==    by 0x5FB0C5: ??? (in /usr/games/fgfs)
==4597==    by 0xB989BB: fgOSMainLoop() (in /usr/games/fgfs)
==4597==    by 0x5F94ED: fgMainInit(int, char**) (in /usr/games/fgfs)
==4597==    by 0x5A00FE: main (in /usr/games/fgfs)
==4597== 
==4597== Conditional jump or move depends on uninitialised value(s)
==4597==    at 0x4C2ED52: __memcmp_sse4_1 (vg_replace_strmem.c:972)
==4597==    by 0x7796DC: std::_Rb_tree<std::string, std::pair<std::string const, SGPath>, std::_Select1st<std::pair<std::string const, SGPath> >, std::less<std::string>, std::allocator<std::pair<std::string const, SGPath> > >::find(std::string const&) (in /usr/games/fgfs)
==4597==    by 0x78D257: FGDeviceConfigurationMap::configurationForDeviceName(std::string const&) (in /usr/games/fgfs)
==4597==    by 0x79AC48: FGJoystickInput::init() (in /usr/games/fgfs)
==4597==    by 0x5E20249: SGSubsystem::incrementalInit() (subsystem_mgr.cxx:62)
==4597==    by 0x5E20D0C: SGSubsystemGroup::incrementalInit() (subsystem_mgr.cxx:180)
==4597==    by 0x5E20D0C: SGSubsystemGroup::incrementalInit() (subsystem_mgr.cxx:180)
==4597==    by 0x5E205DE: SGSubsystemMgr::incrementalInit() (subsystem_mgr.cxx:454)
==4597==    by 0x5FB0C5: ??? (in /usr/games/fgfs)
==4597==    by 0xB989BB: fgOSMainLoop() (in /usr/games/fgfs)
==4597==    by 0x5F94ED: fgMainInit(int, char**) (in /usr/games/fgfs)
==4597==    by 0x5A00FE: main (in /usr/games/fgfs)
==4597==  Uninitialised value was created by a heap allocation
==4597==    at 0x4C29180: operator new(unsigned long) (vg_replace_malloc.c:324)
==4597==    by 0x79A2AC: FGJoystickInput::init() (in /usr/games/fgfs)
==4597==    by 0x5E20249: SGSubsystem::incrementalInit() (subsystem_mgr.cxx:62)
==4597==    by 0x5E20D0C: SGSubsystemGroup::incrementalInit() (subsystem_mgr.cxx:180)
==4597==    by 0x5E20D0C: SGSubsystemGroup::incrementalInit() (subsystem_mgr.cxx:180)
==4597==    by 0x5E205DE: SGSubsystemMgr::incrementalInit() (subsystem_mgr.cxx:454)
==4597==    by 0x5FB0C5: ??? (in /usr/games/fgfs)
==4597==    by 0xB989BB: fgOSMainLoop() (in /usr/games/fgfs)
==4597==    by 0x5F94ED: fgMainInit(int, char**) (in /usr/games/fgfs)
==4597==    by 0x5A00FE: main (in /usr/games/fgfs)
==4597== 
==4597== Conditional jump or move depends on uninitialised value(s)
==4597==    at 0x4C2C1B8: strlen (vg_replace_strmem.c:412)
==4597==    by 0x5DDA7FD: copy_string(char const*) (props.cxx:162)
==4597==    by 0x5DE2F27: SGPropertyNode::set_string(char const*) (props.cxx:525)
==4597==    by 0x5DDFA59: SGPropertyNode::setStringValue(char const*) (props.cxx:1603)
==4597==    by 0x79ADA6: FGJoystickInput::init() (in /usr/games/fgfs)
==4597==    by 0x5E20249: SGSubsystem::incrementalInit() (subsystem_mgr.cxx:62)
==4597==    by 0x5E20D0C: SGSubsystemGroup::incrementalInit() (subsystem_mgr.cxx:180)
==4597==    by 0x5E20D0C: SGSubsystemGroup::incrementalInit() (subsystem_mgr.cxx:180)
==4597==    by 0x5E205DE: SGSubsystemMgr::incrementalInit() (subsystem_mgr.cxx:454)
==4597==    by 0x5FB0C5: ??? (in /usr/games/fgfs)
==4597==    by 0xB989BB: fgOSMainLoop() (in /usr/games/fgfs)
==4597==    by 0x5F94ED: fgMainInit(int, char**) (in /usr/games/fgfs)
==4597==  Uninitialised value was created by a heap allocation
==4597==    at 0x4C29180: operator new(unsigned long) (vg_replace_malloc.c:324)
==4597==    by 0x79A2AC: FGJoystickInput::init() (in /usr/games/fgfs)
==4597==    by 0x5E20249: SGSubsystem::incrementalInit() (subsystem_mgr.cxx:62)
==4597==    by 0x5E20D0C: SGSubsystemGroup::incrementalInit() (subsystem_mgr.cxx:180)
==4597==    by 0x5E20D0C: SGSubsystemGroup::incrementalInit() (subsystem_mgr.cxx:180)
==4597==    by 0x5E205DE: SGSubsystemMgr::incrementalInit() (subsystem_mgr.cxx:454)
==4597==    by 0x5FB0C5: ??? (in /usr/games/fgfs)
==4597==    by 0xB989BB: fgOSMainLoop() (in /usr/games/fgfs)
==4597==    by 0x5F94ED: fgMainInit(int, char**) (in /usr/games/fgfs)
==4597==    by 0x5A00FE: main (in /usr/games/fgfs)
==4597== 
==4597== Invalid read of size 8
==4597==    at 0x5A424AC: operator= (ref_ptr:51)
==4597==    by 0x5A424AC: setNestedCallback (NodeCallback:51)
==4597==    by 0x5A424AC: removeUpdateCallback (Node:207)
==4597==    by 0x5A424AC: simgear::UpdateOnceCallback::operator()(osg::Node*, osg::NodeVisitor*) (UpdateOnceCallback.cxx:31)
==4597==    by 0xBAB996: osgUtil::UpdateVisitor::apply(osg::Geode&) (in /usr/games/fgfs)
==4597==    by 0x59371FF: simgear::EffectGeode::accept(osg::NodeVisitor&) (EffectGeode.hxx:32)
==4597==    by 0x780D372: osg::Group::traverse(osg::NodeVisitor&) (Group.cpp:62)
==4597==    by 0x6B4190F: osg::Group::accept(osg::NodeVisitor&) (Group:38)
==4597==    by 0x780D372: osg::Group::traverse(osg::NodeVisitor&) (Group.cpp:62)
==4597==    by 0x6B4190F: osg::Group::accept(osg::NodeVisitor&) (Group:38)
==4597==    by 0x780D372: osg::Group::traverse(osg::NodeVisitor&) (Group.cpp:62)
==4597==    by 0xBAD8EC: SGUpdateVisitor::apply(osg::Transform&) (in /usr/games/fgfs)
==4597==    by 0x5A095A2: osg::MatrixTransform::accept(osg::NodeVisitor&) (MatrixTransform:37)
==4597==    by 0x780D372: osg::Group::traverse(osg::NodeVisitor&) (Group.cpp:62)
==4597==    by 0x6B4190F: osg::Group::accept(osg::NodeVisitor&) (Group:38)
==4597==  Address 0x17e0c398 is 8 bytes inside a block of size 64 free'd
==4597==    at 0x4C2A360: operator delete(void*) (vg_replace_malloc.c:507)
==4597==    by 0x5A424AB: removeUpdateCallback (Node:206)
==4597==    by 0x5A424AB: simgear::UpdateOnceCallback::operator()(osg::Node*, osg::NodeVisitor*) (UpdateOnceCallback.cxx:31)
==4597==    by 0xBAB996: osgUtil::UpdateVisitor::apply(osg::Geode&) (in /usr/games/fgfs)
==4597==    by 0x59371FF: simgear::EffectGeode::accept(osg::NodeVisitor&) (EffectGeode.hxx:32)
==4597==    by 0x780D372: osg::Group::traverse(osg::NodeVisitor&) (Group.cpp:62)
==4597==    by 0x6B4190F: osg::Group::accept(osg::NodeVisitor&) (Group:38)
==4597==    by 0x780D372: osg::Group::traverse(osg::NodeVisitor&) (Group.cpp:62)
==4597==    by 0x6B4190F: osg::Group::accept(osg::NodeVisitor&) (Group:38)
==4597==    by 0x780D372: osg::Group::traverse(osg::NodeVisitor&) (Group.cpp:62)
==4597==    by 0xBAD8EC: SGUpdateVisitor::apply(osg::Transform&) (in /usr/games/fgfs)
==4597==    by 0x5A095A2: osg::MatrixTransform::accept(osg::NodeVisitor&) (MatrixTransform:37)
==4597==    by 0x780D372: osg::Group::traverse(osg::NodeVisitor&) (Group.cpp:62)
==4597==  Block was alloc'd at
==4597==    at 0x4C29180: operator new(unsigned long) (vg_replace_malloc.c:324)
==4597==    by 0x5936A63: simgear::EffectGeode::setEffect(simgear::Effect*) (EffectGeode.cxx:55)
==4597==    by 0x5A2282C: SGTileGeometryBin::getSurfaceGeometry(SGMaterialLib*) const (obj.cxx:407)
==4597==    by 0x5A1CEEE: SGLoadBTG(std::string const&, simgear::SGReaderWriterOptions const*) (obj.cxx:1215)
==4597==    by 0x5A0D69F: SGReaderWriterBTG::readNode(std::string const&, osgDB::Options const*) const (SGReaderWriterBTG.cxx:66)
==4597==    by 0x5A0DD05: loadUsingReaderWriter (ModelRegistry.hxx:114)
==4597==    by 0x5A0DD05: simgear::ModelRegistryCallback<simgear::DefaultProcessPolicy, simgear::NoCachePolicy, simgear::NoOptimizePolicy, simgear::NoSubstitutePolicy, simgear::BuildGroupBVHPolicy>::readNode(std::string const&, osgDB::Options const*) (ModelRegistry.hxx:90)
==4597==    by 0x5979EB1: simgear::ModelRegistry::readNode(std::string const&, osgDB::Options const*) (ModelRegistry.cxx:403)
==4597==    by 0x666FA15: readNode (Registry:237)
==4597==    by 0x666FA15: osgDB::readRefNodeFile(std::string const&, osgDB::Options const*) (ReadFile.cpp:287)
==4597==    by 0x59FA78B: simgear::ReaderWriterSTG::_ModelBin::load(SGBucket const&, osgDB::Options const*) (ReaderWriterSTG.cxx:387)
==4597==    by 0x59F5F2D: simgear::ReaderWriterSTG::readNode(std::string const&, osgDB::Options const*) const (ReaderWriterSTG.cxx:511)
==4597==    by 0x59CA0D8: loadUsingReaderWriter (ModelRegistry.hxx:114)
==4597==    by 0x59CA0D8: simgear::ModelRegistryCallback<simgear::DefaultProcessPolicy, simgear::NoCachePolicy, simgear::NoOptimizePolicy, simgear::NoSubstitutePolicy, simgear::BuildLeafBVHPolicy>::readNode(std::string const&, osgDB::Options const*) (ModelRegistry.hxx:90)
==4597==    by 0x5979EB1: simgear::ModelRegistry::readNode(std::string const&, osgDB::Options const*) (ModelRegistry.cxx:403)
==4597== 
==4597== Invalid read of size 8
==4597==    at 0x5A424AC: operator= (ref_ptr:51)
==4597==    by 0x5A424AC: setNestedCallback (NodeCallback:51)
==4597==    by 0x5A424AC: removeUpdateCallback (Node:207)
==4597==    by 0x5A424AC: simgear::UpdateOnceCallback::operator()(osg::Node*, osg::NodeVisitor*) (UpdateOnceCallback.cxx:31)
==4597==    by 0xBAB996: osgUtil::UpdateVisitor::apply(osg::Geode&) (in /usr/games/fgfs)
==4597==    by 0x59371FF: simgear::EffectGeode::accept(osg::NodeVisitor&) (EffectGeode.hxx:32)
==4597==    by 0x783EF69: osg::LOD::traverse(osg::NodeVisitor&) (LOD.cpp:77)
==4597==    by 0x783F612: osg::LOD::accept(osg::NodeVisitor&) (LOD:44)
==4597==    by 0x780D372: osg::Group::traverse(osg::NodeVisitor&) (Group.cpp:62)
==4597==    by 0x6B4190F: osg::Group::accept(osg::NodeVisitor&) (Group:38)
==4597==    by 0x780D372: osg::Group::traverse(osg::NodeVisitor&) (Group.cpp:62)
==4597==    by 0x6B4190F: osg::Group::accept(osg::NodeVisitor&) (Group:38)
==4597==    by 0x780D372: osg::Group::traverse(osg::NodeVisitor&) (Group.cpp:62)
==4597==    by 0xBAD8EC: SGUpdateVisitor::apply(osg::Transform&) (in /usr/games/fgfs)
==4597==    by 0x5A095A2: osg::MatrixTransform::accept(osg::NodeVisitor&) (MatrixTransform:37)
==4597==  Address 0x75671588 is 8 bytes inside a block of size 64 free'd
==4597==    at 0x4C2A360: operator delete(void*) (vg_replace_malloc.c:507)
==4597==    by 0x5A424AB: removeUpdateCallback (Node:206)
==4597==    by 0x5A424AB: simgear::UpdateOnceCallback::operator()(osg::Node*, osg::NodeVisitor*) (UpdateOnceCallback.cxx:31)
==4597==    by 0xBAB996: osgUtil::UpdateVisitor::apply(osg::Geode&) (in /usr/games/fgfs)
==4597==    by 0x59371FF: simgear::EffectGeode::accept(osg::NodeVisitor&) (EffectGeode.hxx:32)
==4597==    by 0x783EF69: osg::LOD::traverse(osg::NodeVisitor&) (LOD.cpp:77)
==4597==    by 0x783F612: osg::LOD::accept(osg::NodeVisitor&) (LOD:44)
==4597==    by 0x780D372: osg::Group::traverse(osg::NodeVisitor&) (Group.cpp:62)
==4597==    by 0x6B4190F: osg::Group::accept(osg::NodeVisitor&) (Group:38)
==4597==    by 0x780D372: osg::Group::traverse(osg::NodeVisitor&) (Group.cpp:62)
==4597==    by 0x6B4190F: osg::Group::accept(osg::NodeVisitor&) (Group:38)
==4597==    by 0x780D372: osg::Group::traverse(osg::NodeVisitor&) (Group.cpp:62)
==4597==    by 0xBAD8EC: SGUpdateVisitor::apply(osg::Transform&) (in /usr/games/fgfs)
==4597==  Block was alloc'd at
==4597==    at 0x4C29180: operator new(unsigned long) (vg_replace_malloc.c:324)
==4597==    by 0x5936A63: simgear::EffectGeode::setEffect(simgear::Effect*) (EffectGeode.cxx:55)
==4597==    by 0x5A142BA: operator() (TreeBin.cxx:241)
==4597==    by 0x5A142BA: addNode (QuadTreeBuilder.hxx:92)
==4597==    by 0x5A142BA: operator() (QuadTreeBuilder.hxx:102)
==4597==    by 0x5A142BA: for_each<__gnu_cxx::__normal_iterator<simgear::TreeBin::Tree*, std::vector<simgear::TreeBin::Tree> >, simgear::QuadTreeBuilder<osg::LOD*, simgear::TreeBin::Tree, simgear::(anonymous namespace)::MakeTreesLeaf, simgear::(anonymous namespace)::AddTreesLeafObject, simgear::(anonymous namespace)::GetTreeCoord>::AddNode> (stl_algo.h:3755)
==4597==    by 0x5A142BA: buildQuadTree<__gnu_cxx::__normal_iterator<simgear::TreeBin::Tree*, std::vector<simgear::TreeBin::Tree> > > (QuadTreeBuilder.hxx:118)
==4597==    by 0x5A142BA: simgear::createForest(std::list<simgear::TreeBin*, std::allocator<simgear::TreeBin*> >&, osg::Matrixd const&, simgear::SGReaderWriterOptions const*) (TreeBin.cxx:372)
==4597==    by 0x5A25AD1: RandomObjectCallback::generateRandomTileObjects() (obj.cxx:1150)
==4597==    by 0x5A27D1F: RandomObjectCallback::readNode(std::string const&, osgDB::Options const*) (obj.cxx:898)
==4597==    by 0x663A64E: readNode (Registry:236)
==4597==    by 0x663A64E: osgDB::DatabasePager::DatabaseThread::run() (DatabasePager.cpp:854)
==4597==    by 0x7B99A27: OpenThreads::ThreadPrivateActions::StartThread(void*) (PThread.cpp:204)
==4597==    by 0x55A50A3: start_thread (pthread_create.c:309)
==4597==    by 0xAC13C2C: clone (clone.S:111)
==4597== 
==4597== Invalid read of size 8
==4597==    at 0x5A424AC: operator= (ref_ptr:51)
==4597==    by 0x5A424AC: setNestedCallback (NodeCallback:51)
==4597==    by 0x5A424AC: removeUpdateCallback (Node:207)
==4597==    by 0x5A424AC: simgear::UpdateOnceCallback::operator()(osg::Node*, osg::NodeVisitor*) (UpdateOnceCallback.cxx:31)
==4597==    by 0xBAB996: osgUtil::UpdateVisitor::apply(osg::Geode&) (in /usr/games/fgfs)
==4597==    by 0x59371FF: simgear::EffectGeode::accept(osg::NodeVisitor&) (EffectGeode.hxx:32)
==4597==    by 0x7874F52: osg::Sequence::accept(osg::NodeVisitor&) (Sequence:34)
==4597==    by 0x780D372: osg::Group::traverse(osg::NodeVisitor&) (Group.cpp:62)
==4597==    by 0x6B4190F: osg::Group::accept(osg::NodeVisitor&) (Group:38)
==4597==    by 0x780D372: osg::Group::traverse(osg::NodeVisitor&) (Group.cpp:62)
==4597==    by 0xBAD8EC: SGUpdateVisitor::apply(osg::Transform&) (in /usr/games/fgfs)
==4597==    by 0x599FF92: SGOffsetTransform::accept(osg::NodeVisitor&) (SGOffsetTransform.hxx:33)
==4597==    by 0x783EF69: osg::LOD::traverse(osg::NodeVisitor&) (LOD.cpp:77)
==4597==    by 0x783F612: osg::LOD::accept(osg::NodeVisitor&) (LOD:44)
==4597==    by 0x780D372: osg::Group::traverse(osg::NodeVisitor&) (Group.cpp:62)
==4597==  Address 0x5ead5388 is 8 bytes inside a block of size 64 free'd
==4597==    at 0x4C2A360: operator delete(void*) (vg_replace_malloc.c:507)
==4597==    by 0x5A424AB: removeUpdateCallback (Node:206)
==4597==    by 0x5A424AB: simgear::UpdateOnceCallback::operator()(osg::Node*, osg::NodeVisitor*) (UpdateOnceCallback.cxx:31)
==4597==    by 0xBAB996: osgUtil::UpdateVisitor::apply(osg::Geode&) (in /usr/games/fgfs)
==4597==    by 0x59371FF: simgear::EffectGeode::accept(osg::NodeVisitor&) (EffectGeode.hxx:32)
==4597==    by 0x7874F52: osg::Sequence::accept(osg::NodeVisitor&) (Sequence:34)
==4597==    by 0x780D372: osg::Group::traverse(osg::NodeVisitor&) (Group.cpp:62)
==4597==    by 0x6B4190F: osg::Group::accept(osg::NodeVisitor&) (Group:38)
==4597==    by 0x780D372: osg::Group::traverse(osg::NodeVisitor&) (Group.cpp:62)
==4597==    by 0xBAD8EC: SGUpdateVisitor::apply(osg::Transform&) (in /usr/games/fgfs)
==4597==    by 0x599FF92: SGOffsetTransform::accept(osg::NodeVisitor&) (SGOffsetTransform.hxx:33)
==4597==    by 0x783EF69: osg::LOD::traverse(osg::NodeVisitor&) (LOD.cpp:77)
==4597==    by 0x783F612: osg::LOD::accept(osg::NodeVisitor&) (LOD:44)
==4597==  Block was alloc'd at
==4597==    at 0x4C29180: operator new(unsigned long) (vg_replace_malloc.c:324)
==4597==    by 0x5936A63: simgear::EffectGeode::setEffect(simgear::Effect*) (EffectGeode.cxx:55)
==4597==    by 0x5A2FB14: SGLightFactory::getSequenced(SGDirectionalLightBin const&) (pt_lights.cxx:494)
==4597==    by 0x5A27533: RandomObjectCallback::generateLightingTileObjects() (obj.cxx:1001)
==4597==    by 0x5A27D03: RandomObjectCallback::readNode(std::string const&, osgDB::Options const*) (obj.cxx:894)
==4597==    by 0x663A64E: readNode (Registry:236)
==4597==    by 0x663A64E: osgDB::DatabasePager::DatabaseThread::run() (DatabasePager.cpp:854)
==4597==    by 0x7B99A27: OpenThreads::ThreadPrivateActions::StartThread(void*) (PThread.cpp:204)
==4597==    by 0x55A50A3: start_thread (pthread_create.c:309)
==4597==    by 0xAC13C2C: clone (clone.S:111)
==4597== 
==4597== Invalid write of size 8
==4597==    at 0x5A424B9: operator= (ref_ptr:53)
==4597==    by 0x5A424B9: setNestedCallback (NodeCallback:51)
==4597==    by 0x5A424B9: removeUpdateCallback (Node:207)
==4597==    by 0x5A424B9: simgear::UpdateOnceCallback::operator()(osg::Node*, osg::NodeVisitor*) (UpdateOnceCallback.cxx:31)
==4597==    by 0xBAB996: osgUtil::UpdateVisitor::apply(osg::Geode&) (in /usr/games/fgfs)
==4597==    by 0x59371FF: simgear::EffectGeode::accept(osg::NodeVisitor&) (EffectGeode.hxx:32)
==4597==    by 0x7874F52: osg::Sequence::accept(osg::NodeVisitor&) (Sequence:34)
==4597==    by 0x780D372: osg::Group::traverse(osg::NodeVisitor&) (Group.cpp:62)
==4597==    by 0x6B4190F: osg::Group::accept(osg::NodeVisitor&) (Group:38)
==4597==    by 0x780D372: osg::Group::traverse(osg::NodeVisitor&) (Group.cpp:62)
==4597==    by 0xBAD8EC: SGUpdateVisitor::apply(osg::Transform&) (in /usr/games/fgfs)
==4597==    by 0x599FF92: SGOffsetTransform::accept(osg::NodeVisitor&) (SGOffsetTransform.hxx:33)
==4597==    by 0x783EF69: osg::LOD::traverse(osg::NodeVisitor&) (LOD.cpp:77)
==4597==    by 0x783F612: osg::LOD::accept(osg::NodeVisitor&) (LOD:44)
==4597==    by 0x780D372: osg::Group::traverse(osg::NodeVisitor&) (Group.cpp:62)
==4597==  Address 0x67efda28 is 8 bytes inside a block of size 64 free'd
==4597==    at 0x4C2A360: operator delete(void*) (vg_replace_malloc.c:507)
==4597==    by 0x5A424AB: removeUpdateCallback (Node:206)
==4597==    by 0x5A424AB: simgear::UpdateOnceCallback::operator()(osg::Node*, osg::NodeVisitor*) (UpdateOnceCallback.cxx:31)
==4597==    by 0xBAB996: osgUtil::UpdateVisitor::apply(osg::Geode&) (in /usr/games/fgfs)
==4597==    by 0x59371FF: simgear::EffectGeode::accept(osg::NodeVisitor&) (EffectGeode.hxx:32)
==4597==    by 0x7874F52: osg::Sequence::accept(osg::NodeVisitor&) (Sequence:34)
==4597==    by 0x780D372: osg::Group::traverse(osg::NodeVisitor&) (Group.cpp:62)
==4597==    by 0x6B4190F: osg::Group::accept(osg::NodeVisitor&) (Group:38)
==4597==    by 0x780D372: osg::Group::traverse(osg::NodeVisitor&) (Group.cpp:62)
==4597==    by 0xBAD8EC: SGUpdateVisitor::apply(osg::Transform&) (in /usr/games/fgfs)
==4597==    by 0x599FF92: SGOffsetTransform::accept(osg::NodeVisitor&) (SGOffsetTransform.hxx:33)
==4597==    by 0x783EF69: osg::LOD::traverse(osg::NodeVisitor&) (LOD.cpp:77)
==4597==    by 0x783F612: osg::LOD::accept(osg::NodeVisitor&) (LOD:44)
==4597==  Block was alloc'd at
==4597==    at 0x4C29180: operator new(unsigned long) (vg_replace_malloc.c:324)
==4597==    by 0x5936A63: simgear::EffectGeode::setEffect(simgear::Effect*) (EffectGeode.cxx:55)
==4597==    by 0x5A300C1: SGLightFactory::getHoldShort(SGDirectionalLightBin const&) (pt_lights.cxx:566)
==4597==    by 0x5A275C3: RandomObjectCallback::generateLightingTileObjects() (obj.cxx:1009)
==4597==    by 0x5A27D03: RandomObjectCallback::readNode(std::string const&, osgDB::Options const*) (obj.cxx:894)
==4597==    by 0x663A64E: readNode (Registry:236)
==4597==    by 0x663A64E: osgDB::DatabasePager::DatabaseThread::run() (DatabasePager.cpp:854)
==4597==    by 0x7B99A27: OpenThreads::ThreadPrivateActions::StartThread(void*) (PThread.cpp:204)
==4597==    by 0x55A50A3: start_thread (pthread_create.c:309)
==4597==    by 0xAC13C2C: clone (clone.S:111)
==4597== 
==4597== Invalid read of size 8
==4597==    at 0xBAB98B: osgUtil::UpdateVisitor::apply(osg::Geode&) (in /usr/games/fgfs)
==4597==    by 0x59371FF: simgear::EffectGeode::accept(osg::NodeVisitor&) (EffectGeode.hxx:32)
==4597==    by 0x7874F52: osg::Sequence::accept(osg::NodeVisitor&) (Sequence:34)
==4597==    by 0x780D372: osg::Group::traverse(osg::NodeVisitor&) (Group.cpp:62)
==4597==    by 0x6B4190F: osg::Group::accept(osg::NodeVisitor&) (Group:38)
==4597==    by 0x780D372: osg::Group::traverse(osg::NodeVisitor&) (Group.cpp:62)
==4597==    by 0xBAD8EC: SGUpdateVisitor::apply(osg::Transform&) (in /usr/games/fgfs)
==4597==    by 0x599FF92: SGOffsetTransform::accept(osg::NodeVisitor&) (SGOffsetTransform.hxx:33)
==4597==    by 0x783EF69: osg::LOD::traverse(osg::NodeVisitor&) (LOD.cpp:77)
==4597==    by 0x783F612: osg::LOD::accept(osg::NodeVisitor&) (LOD:44)
==4597==    by 0x780D372: osg::Group::traverse(osg::NodeVisitor&) (Group.cpp:62)
==4597==    by 0x6B4190F: osg::Group::accept(osg::NodeVisitor&) (Group:38)
==4597==  Address 0x5de69390 is 0 bytes inside a block of size 48 free'd
==4597==    at 0x4C29E90: free (vg_replace_malloc.c:473)
==4597==    by 0x5DC440F: freeDead (gc.c:21)
==4597==    by 0x5DC440F: bottleneck (gc.c:115)
==4597==    by 0x5DC4860: naGC_get (gc.c:218)
==4597==    by 0x5DCAC3C: naNew (misc.c:70)
==4597==    by 0x5DCACCD: naNewHash (misc.c:96)
==4597==    by 0x5DBEE8F: setupFuncall (code.c:331)
==4597==    by 0x5DBF856: run (code.c:717)
==4597==    by 0x5DC1932: naCall (code.c:904)
==4597==    by 0x5DC1BAD: naCallMethodCtx (code.c:975)
==4597==    by 0x5DC1C6D: naCallMethod (code.c:986)
==4597==    by 0x9B0DDE: FGNasalSys::call(naRef, int, naRef*, naRef) (in /usr/games/fgfs)
==4597==    by 0x9B1987: FGNasalListener::call(SGPropertyNode*, naRef) (in /usr/games/fgfs)
==4597==  Block was alloc'd at
==4597==    at 0x4C28C20: malloc (vg_replace_malloc.c:296)
==4597==    by 0x5DC4F99: resize (hash.c:112)
==4597==    by 0x5DC50C9: naHash_set (hash.c:142)
==4597==    by 0x5DBFB2C: run (code.c:639)
==4597==    by 0x5DC1932: naCall (code.c:904)
==4597==    by 0x5DC1BAD: naCallMethodCtx (code.c:975)
==4597==    by 0x5DC1C6D: naCallMethod (code.c:986)
==4597==    by 0x9B0DDE: FGNasalSys::call(naRef, int, naRef*, naRef) (in /usr/games/fgfs)
==4597==    by 0x9B1987: FGNasalListener::call(SGPropertyNode*, naRef) (in /usr/games/fgfs)
==4597==    by 0x9B1BCA: FGNasalListener::valueChanged(SGPropertyNode*) (in /usr/games/fgfs)
==4597==    by 0x5DDB535: SGPropertyNode::fireValueChanged(SGPropertyNode*) (props.cxx:2240)
==4597==    by 0x5DDF559: set_double (props.cxx:508)
==4597==    by 0x5DDF559: SGPropertyNode::setDoubleValue(double) (props.cxx:1521)
==4597== 
==4597== Invalid read of size 8
==4597==    at 0xBAB994: osgUtil::UpdateVisitor::apply(osg::Geode&) (in /usr/games/fgfs)
==4597==    by 0x59371FF: simgear::EffectGeode::accept(osg::NodeVisitor&) (EffectGeode.hxx:32)
==4597==    by 0x7874F52: osg::Sequence::accept(osg::NodeVisitor&) (Sequence:34)
==4597==    by 0x780D372: osg::Group::traverse(osg::NodeVisitor&) (Group.cpp:62)
==4597==    by 0x6B4190F: osg::Group::accept(osg::NodeVisitor&) (Group:38)
==4597==    by 0x780D372: osg::Group::traverse(osg::NodeVisitor&) (Group.cpp:62)
==4597==    by 0xBAD8EC: SGUpdateVisitor::apply(osg::Transform&) (in /usr/games/fgfs)
==4597==    by 0x599FF92: SGOffsetTransform::accept(osg::NodeVisitor&) (SGOffsetTransform.hxx:33)
==4597==    by 0x783EF69: osg::LOD::traverse(osg::NodeVisitor&) (LOD.cpp:77)
==4597==    by 0x783F612: osg::LOD::accept(osg::NodeVisitor&) (LOD:44)
==4597==    by 0x780D372: osg::Group::traverse(osg::NodeVisitor&) (Group.cpp:62)
==4597==    by 0x6B4190F: osg::Group::accept(osg::NodeVisitor&) (Group:38)
==4597==  Address 0x29 is not stack'd, malloc'd or (recently) free'd
==4597== 
==4597== 
==4597== Process terminating with default action of signal 11 (SIGSEGV)
==4597==  Access not within mapped region at address 0x29
==4597==    at 0xBAB994: osgUtil::UpdateVisitor::apply(osg::Geode&) (in /usr/games/fgfs)
==4597==    by 0x59371FF: simgear::EffectGeode::accept(osg::NodeVisitor&) (EffectGeode.hxx:32)
==4597==    by 0x7874F52: osg::Sequence::accept(osg::NodeVisitor&) (Sequence:34)
==4597==    by 0x780D372: osg::Group::traverse(osg::NodeVisitor&) (Group.cpp:62)
==4597==    by 0x6B4190F: osg::Group::accept(osg::NodeVisitor&) (Group:38)
==4597==    by 0x780D372: osg::Group::traverse(osg::NodeVisitor&) (Group.cpp:62)
==4597==    by 0xBAD8EC: SGUpdateVisitor::apply(osg::Transform&) (in /usr/games/fgfs)
==4597==    by 0x599FF92: SGOffsetTransform::accept(osg::NodeVisitor&) (SGOffsetTransform.hxx:33)
==4597==    by 0x783EF69: osg::LOD::traverse(osg::NodeVisitor&) (LOD.cpp:77)
==4597==    by 0x783F612: osg::LOD::accept(osg::NodeVisitor&) (LOD:44)
==4597==    by 0x780D372: osg::Group::traverse(osg::NodeVisitor&) (Group.cpp:62)
==4597==    by 0x6B4190F: osg::Group::accept(osg::NodeVisitor&) (Group:38)
==4597==  If you believe this happened as a result of a stack
==4597==  overflow in your program's main thread (unlikely but
==4597==  possible), you can try to increase the size of the
==4597==  main thread stack using the --main-stacksize= flag.
==4597==  The main thread stack size used in this run was 8388608.
==4597== 
==4597== HEAP SUMMARY:
==4597==     in use at exit: 1,271,028,600 bytes in 10,066,970 blocks
==4597==   total heap usage: 54,169,112 allocs, 44,102,142 frees, 5,287,775,343 bytes allocated
==4597== 

-------------- next part --------------
Description: Fix use-after-free in Node::remove*Callback

If the node holds the only reference to the callback (nc itself isn't
a ref_ptr so doesn't count), it will automatically be freed when
removed, and the following nc->setNestedCallback(0) is hence an
out of bounds access.

Origin: upstream https://github.com/openscenegraph/osg/commit/49d560f4d9d0641c98df67264b7ace4733c6b9a9
Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=765855
=====================================
--- a/OpenSceneGraph/include/osg/Node
+++ b/OpenSceneGraph/include/osg/Node
@@ -203,8 +203,9 @@ class OSG_EXPORT Node : public Object
             if (nc != NULL && _updateCallback.valid()) {
                 if (_updateCallback == nc)
                 {
-                    setUpdateCallback(nc->getNestedCallback());        // replace the callback by the nested one
+                    ref_ptr<NodeCallback> new_nested_callback = nc->getNestedCallback();
                     nc->setNestedCallback(0);
+                    setUpdateCallback(new_nested_callback.get());
                 }
                 else _updateCallback->removeNestedCallback(nc);
             }
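Review bot: the trailing comment `// replace the callback by the nested one` is dropped from this hunk but kept on the new `setEventCallback(...)` and `setCullCallback(...)` lines in the next two hunks; add it back on `setUpdateCallback(new_nested_callback.get());` so the three methods stay identical. The reordering itself is correct: `new_nested_callback` pins the nested callback, `nc->setNestedCallback(0)` runs while `_updateCallback` still owns `nc`, and the final `setUpdateCallback` is the point where `nc` may be released, after its last use.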
@@ -237,8 +238,9 @@ class OSG_EXPORT Node : public Object
             if (nc != NULL && _eventCallback.valid()) {
                 if (_eventCallback == nc)
                 {
-                    setEventCallback(nc->getNestedCallback());        // replace the callback by the nested one
+                    ref_ptr<NodeCallback> new_nested_callback = nc->getNestedCallback();
                     nc->setNestedCallback(0);
+                    setEventCallback(new_nested_callback.get());        // replace the callback by the nested one
                 }
                 else _eventCallback->removeNestedCallback(nc);
             }
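Review bot: this is the second verbatim copy of the save/detach/install sequence (removeCullCallback below is the third), and the copies are already drifting, since only the removeUpdateCallback hunk lost its trailing comment; a small private helper used by all three remove*Callback methods would keep one fix from needing three edits next time. The logic matches the first hunk: `nc->setNestedCallback(0)` runs while `_eventCallback` still holds `nc`, and `setEventCallback(new_nested_callback.get())` is the last statement, so `nc` is never touched after it can be freed.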
@@ -271,8 +273,9 @@ class OSG_EXPORT Node : public Object
             if (nc != NULL && _cullCallback.valid()) {
                 if (_cullCallback == nc)
                 {
-                    setCullCallback(nc->getNestedCallback());        // replace the callback by the nested one
+                    ref_ptr<NodeCallback> new_nested_callback = nc->getNestedCallback();
                     nc->setNestedCallback(0);
+                    setCullCallback(new_nested_callback.get());        // replace the callback by the nested one
                 }
                 else _cullCallback->removeNestedCallback(nc);
             }
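Review bot: the three changed methods are inline in the public header `include/osg/Node`, so a consumer built against the old header keeps its own inlined copy of the buggy sequence until it is rebuilt; the patch header should state that reverse dependencies need a rebuild (the report names simgear and proposes binNMUing them all), otherwise upgrading libopenscenegraph100 alone leaves the crash in place.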

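The ordering problem the Description above spells out, shown as an added example that is not part of the original report, the Debian patch or OpenSceneGraph: a minimal intrusive ref-count and ref_ptr stand-in (the names RefCounted, RefPtr, Callback, FakeNode, removeCallbackOriginal, removeCallbackFixed, isLive and runScenario are all this example's own assumptions) runs the removed and the added line order side by side and reports whether the callback was already destroyed at the point where nc->setNestedCallback(0) would run. Rather than touch freed memory, it consults a registry of live object ids, the kind of bookkeeping Valgrind's Memcheck does for real in the log above.

```cpp
// Added example, not OpenSceneGraph or simgear code: a minimal intrusive ref-count
// and ref_ptr modelled on the osg types in the patch. Every name here (RefCounted,
// RefPtr, Callback, FakeNode, removeCallback*, isLive, runScenario) is the example's own.
#include <cstddef>
#include <iostream>
#include <set>

// Ids of live objects: detects use of a freed callback without dereferencing freed memory.
static std::set<unsigned>& liveIds() { static std::set<unsigned> s; return s; }
static bool isLive(unsigned id) { return liveIds().count(id) != 0; }

class RefCounted {
public:
    RefCounted() : _refCount(0) { static unsigned next = 0; _id = ++next; liveIds().insert(_id); }
    virtual ~RefCounted() { liveIds().erase(_id); }
    void ref() const { ++_refCount; }
    void unref() const { if (--_refCount == 0) delete this; }
    unsigned id() const { return _id; }
private:
    mutable int _refCount;
    unsigned _id;
};

template <class T>
class RefPtr {                       // stand-in for osg::ref_ptr: owns exactly one reference
public:
    RefPtr() : _ptr(NULL) {}
    RefPtr(T* p) : _ptr(p) { if (_ptr) _ptr->ref(); }
    RefPtr(const RefPtr& o) : _ptr(o._ptr) { if (_ptr) _ptr->ref(); }
    ~RefPtr() { if (_ptr) _ptr->unref(); }
    RefPtr& operator=(const RefPtr& o) { return *this = o._ptr; }
    RefPtr& operator=(T* p) {
        if (_ptr == p) return *this;
        T* old = _ptr; _ptr = p;
        if (_ptr) _ptr->ref();
        if (old) old->unref();       // the old object may be deleted right here
        return *this;
    }
    T* get() const { return _ptr; }
    bool valid() const { return _ptr != NULL; }
    bool operator==(const T* p) const { return _ptr == p; }
private:
    T* _ptr;
};

class Callback : public RefCounted {
public:
    Callback* getNestedCallback() const { return _nested.get(); }
    void setNestedCallback(Callback* c) { _nested = c; }
private: RefPtr<Callback> _nested;
};

struct FakeNode { RefPtr<Callback> _updateCallback; void setUpdateCallback(Callback* c) { _updateCallback = c; } };

// Order of the removed ('-') lines. Returns true if nc is already destroyed where the
// original code calls nc->setNestedCallback(0); that call is then skipped to stay defined.
bool removeCallbackOriginal(FakeNode& node, Callback* nc) {
    if (nc != NULL && node._updateCallback.valid() && node._updateCallback == nc) {
        unsigned ncId = nc->id();
        node.setUpdateCallback(nc->getNestedCallback()); // drops the node's (only) reference to nc
        if (!isLive(ncId)) return true;                  // nc is gone: this is the use-after-free
        nc->setNestedCallback(0);
    }
    return false;
}

// Order of the added ('+') lines: pin the nested callback in a RefPtr, detach it while
// the node still references nc, then install it; nc is released last.
bool removeCallbackFixed(FakeNode& node, Callback* nc) {
    if (nc != NULL && node._updateCallback.valid() && node._updateCallback == nc) {
        unsigned ncId = nc->id();
        RefPtr<Callback> newNested = nc->getNestedCallback();
        if (!isLive(ncId)) return true;
        nc->setNestedCallback(0);
        node.setUpdateCallback(newNested.get());         // nc freed here, after its last use
    }
    return false;
}

// node -> outer -> nested, the node holding the only reference to outer (as in the
// report). Reports whether freed memory would be touched and whether nested got installed.
bool runScenario(bool useFix, bool* nestedInstalled) {
    FakeNode node;
    Callback* nested = new Callback;
    Callback* outer = new Callback;
    outer->setNestedCallback(nested);
    node.setUpdateCallback(outer);
    unsigned nestedId = nested->id();
    bool uaf = useFix ? removeCallbackFixed(node, outer) : removeCallbackOriginal(node, outer);
    *nestedInstalled = isLive(nestedId) && node._updateCallback == nested;
    return uaf;
}

int main() {
    bool installed = false;
    std::cout << "original order frees nc before its last use: " << runScenario(false, &installed) << '\n';
    std::cout << "fixed order frees nc before its last use:    " << runScenario(true, &installed) << '\n';
    return 0;
}
```

Both orderings leave the nested callback installed on the node, which is why the defect shows up only as an invalid access on the freed nc (the Memcheck "Invalid read/write of size 8 ... inside a block of size 64 free'd" above) rather than as wrong scene-graph behaviour; with a raw nc and a node-owned ref_ptr, the only safe place for the node to drop its reference is after the last line that reads or writes nc.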