Executing StreamPeerGZIP.put_var function crashes Godot

[qarmin]

Godot version

4.2.beta.custom_build. 9144457

System information

Ubuntu 22.04 CI

Issue description

When executing

extends Node
func _process(delta):
	var temp_variable22439 = SplitContainer.new()
	add_child(temp_variable22439)
	temp_variable22439._edit_set_state({"roman" : 22, 22 : 25, BoxShape3D.new() : BoxShape3D.new()})
	temp_variable22439.set_physics_process_priority(18)
	temp_variable22439.get_physics_process_priority()
	temp_variable22439.add_theme_font_override(StringName(""), SystemFont.new())
	temp_variable22439.get_anchor(68)
	temp_variable22439.queue_free()
	var temp_variable22450 = StreamPeerGZIP.new()
	temp_variable22450.put_8(99)
	temp_variable22450.put_var(FontFile.new(), true)

Godot crashes:

Godot Engine v4.2.beta.custom_build.914445748 - https://godotengine.org
Vulkan API 1.2.0 - Forward Mobile - Using Vulkan Device #0: Unknown - SwiftShader Device (LLVM 10.0.0)
WARNING: The Multi-Threaded rendering thread model is experimental, and has known issues which can lead to project crashes. Use the Single-Safe option in the project settings instead.
     at: setup2 (main/main.cpp:2400)
drivers/vulkan/rendering_device_vulkan.cpp:4880:63: runtime error: reference binding to misaligned address 0x61900013799c for type 'const struct RenderingDeviceVulkanShaderBinaryData', which requires 8 byte alignment
ERROR: Condition "(p_state.size() <= 0) || !p_state.has("rotation") || !p_state.has("scale") || !p_state.has("pivot") || !p_state.has("anchors") || !p_state.has("offsets") || !p_state.has("layout_mode") || !p_state.has("anchors_layout_preset")" is true.
   at: _edit_set_state (scene/gui/control.cpp:86)
ERROR: Index int(p_side) = 68 is out of bounds (4 = 4).
   at: get_anchor (scene/gui/control.cpp:758)
ERROR: Parameter "ctx" is null.
   at: put_partial_data (core/io/stream_peer_gzip.cpp:135)
ERROR: Parameter "ctx" is null.
   at: put_partial_data (core/io/stream_peer_gzip.cpp:135)
core/io/marshalls.cpp:1624:11: runtime error: null pointer passed as argument 2, which is declared to never be null
=================================================================
==23061==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x619001a79c90 at pc 0x7f5e4603a2c3 bp 0x7ffc72f21440 sp 0x7ffc72f20be8
WRITE of size 31 at 0x619001a79c90 thread T0
    #0 0x7f5e4603a2c2 in __interceptor_memcpy ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:827
    #1 0x55d2ff406a2d in _encode_string core/io/marshalls.cpp:1104
    #2 0x55d2ff40cafa in encode_variant(Variant const&, unsigned char*, int&, bool, int) core/io/marshalls.cpp:1520
    #3 0x55d2ff63b28b in StreamPeer::put_var(Variant const&, bool) core/io/stream_peer.cpp:221
    #4 0x55d2ff196931 in void call_with_variant_args_helper<__UnexistingClass, Variant const&, bool, 0ul, 1ul>(__UnexistingClass*, void (__UnexistingClass::*)(Variant const&, bool), Variant const**, Callable::CallError&, IndexSequence<0ul, 1ul>) core/variant/binder_common.h:303
    #5 0x55d2ff18c111 in void call_with_variant_args_dv<__UnexistingClass, Variant const&, bool>(__UnexistingClass*, void (__UnexistingClass::*)(Variant const&, bool), Variant const**, int, Callable::CallError&, Vector<Variant> const&) core/variant/binder_common.h:450
    #6 0x55d2ff18320e in MethodBindT<Variant const&, bool>::call(Object*, Variant const**, int, Callable::CallError&) const core/object/method_bind.h:335
    #7 0x55d3006c3858 in Object::callp(StringName const&, Variant const**, int, Callable::CallError&) core/object/object.cpp:774
    #8 0x55d2ffa739aa in Variant::callp(StringName const&, Variant const**, int, Variant&, Callable::CallError&) core/variant/variant_call.cpp:1168
    #9 0x55d2e73ed88b in GDScriptFunction::call(GDScriptInstance*, Variant const**, int, Callable::CallError&, GDScriptFunction::CallState*) modules/gdscript/gdscript_vm.cpp:1704
    #10 0x55d2e6ce74e2 in GDScriptInstance::callp(StringName const&, Variant const**, int, Callable::CallError&) modules/gdscript/gdscript.cpp:1896
    #11 0x55d2f44961ec in bool Node::_gdvirtual__process_call<false>(double) scene/main/node.h:318
    #12 0x55d2f43d4798 in Node::_notification(int) scene/main/node.cpp:57
    #13 0x55d2e67f84c3 in Node::_notificationv(int, bool) scene/main/node.h:49
    #14 0x55d3006c53e2 in Object::notification(int, bool) core/object/object.cpp:836
    #15 0x55d2f4594438 in SceneTree::_process_group(SceneTree::ProcessGroup*, bool) scene/main/scene_tree.cpp:951
    #16 0x55d2f45976dc in SceneTree::_process(bool) scene/main/scene_tree.cpp:1028
    #17 0x55d2f45857d2 in SceneTree::process(double) scene/main/scene_tree.cpp:508
    #18 0x55d2e5e36003 in Main::iteration() main/main.cpp:3613
    #19 0x55d2e5b50be5 in OS_LinuxBSD::run() platform/linuxbsd/os_linuxbsd.cpp:933
    #20 0x55d2e5b2f117 in main platform/linuxbsd/godot_linuxbsd.cpp:74
    #21 0x7f5e45429d8f  (/lib/x86_64-linux-gnu/libc.so.6+0x29d8f)
    #22 0x7f5e45429e3f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x29e3f)
    #23 0x55d2e5b2eac4 in _start (/home/runner/work/Qarminer/Qarminer/godot.linuxbsd.editor.dev.x86_64.san+0x3a201ac4)
0x619001a79c90 is located 0 bytes to the right of 1040-byte region [0x619001a79880,0x619001a79c90)
allocated by thread T0 here:
    #0 0x7f5e460b4887 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
    #1 0x55d2fed6ec67 in Memory::alloc_static(unsigned long, bool) core/os/memory.cpp:75
    #2 0x55d2e5cd5364 in Error CowData<unsigned char>::resize<false>(int) core/templates/cowdata.h:291
    #3 0x55d2e5cb2507 in Vector<unsigned char>::resize(int) core/templates/vector.h:94
    #4 0x55d2ff63b0fd in StreamPeer::put_var(Variant const&, bool) core/io/stream_peer.cpp:219
    #5 0x55d2ff196931 in void call_with_variant_args_helper<__UnexistingClass, Variant const&, bool, 0ul, 1ul>(__UnexistingClass*, void (__UnexistingClass::*)(Variant const&, bool), Variant const**, Callable::CallError&, IndexSequence<0ul, 1ul>) core/variant/binder_common.h:303
    #6 0x55d2ff18c111 in void call_with_variant_args_dv<__UnexistingClass, Variant const&, bool>(__UnexistingClass*, void (__UnexistingClass::*)(Variant const&, bool), Variant const**, int, Callable::CallError&, Vector<Variant> const&) core/variant/binder_common.h:450
    #7 0x55d2ff18320e in MethodBindT<Variant const&, bool>::call(Object*, Variant const**, int, Callable::CallError&) const core/object/method_bind.h:335
    #8 0x55d3006c3858 in Object::callp(StringName const&, Variant const**, int, Callable::CallError&) core/object/object.cpp:774
    #9 0x55d2ffa739aa in Variant::callp(StringName const&, Variant const**, int, Variant&, Callable::CallError&) core/variant/variant_call.cpp:1168
    #10 0x55d2e73ed88b in GDScriptFunction::call(GDScriptInstance*, Variant const**, int, Callable::CallError&, GDScriptFunction::CallState*) modules/gdscript/gdscript_vm.cpp:1704
    #11 0x55d2e6ce74e2 in GDScriptInstance::callp(StringName const&, Variant const**, int, Callable::CallError&) modules/gdscript/gdscript.cpp:1896
    #12 0x55d2f44961ec in bool Node::_gdvirtual__process_call<false>(double) scene/main/node.h:318
    #13 0x55d2f43d4798 in Node::_notification(int) scene/main/node.cpp:57
    #14 0x55d2e67f84c3 in Node::_notificationv(int, bool) scene/main/node.h:49
    #15 0x55d3006c53e2 in Object::notification(int, bool) core/object/object.cpp:836
    #16 0x55d2f4594438 in SceneTree::_process_group(SceneTree::ProcessGroup*, bool) scene/main/scene_tree.cpp:951
    #17 0x55d2f45976dc in SceneTree::_process(bool) scene/main/scene_tree.cpp:1028
    #18 0x55d2f45857d2 in SceneTree::process(double) scene/main/scene_tree.cpp:508
    #19 0x55d2e5e36003 in Main::iteration() main/main.cpp:3613
    #20 0x55d2e5b50be5 in OS_LinuxBSD::run() platform/linuxbsd/os_linuxbsd.cpp:933
    #21 0x55d2e5b2f117 in main platform/linuxbsd/godot_linuxbsd.cpp:74
    #22 0x7f5e45429d8f  (/lib/x86_64-linux-gnu/libc.so.6+0x29d8f)
SUMMARY: AddressSanitizer: heap-buffer-overflow ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:827 in __interceptor_memcpy
Shadow bytes around the buggy address:
  0x0c3280347340: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3280347350: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3280347360: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3280347370: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3280347380: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c3280347390: 00 00[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c32803473a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c32803473b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c32803473c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c32803473d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c32803473e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==23061==ABORTING

Command:

./reproducer" "godot.linuxbsd.editor.dev.x86_64.san" "60_50" "." "--audio-driver" "Dummy

This example was found by Godot fuzzer - Qarminer, so it is quite unlikelly that this code could be used in real project, but still this should be handled gracefully.

Memory leaks or asan backtraces are visible when using Godot build with sanitizers support - https://github.com/qarmin/GodotBuilds/actions (linux -> linux-editor-sanitizers)

Steps to reproduce

Above

Minimal reproduction project

Above

[AThousandShips]

Think I've identified the issue here, will take a look

[timothyqiu]

StreamPeerGZIP.put_var() calls encode_variant() twice: first to determine the required buffer size, then encode the variant inside the allocated buffer.

For a FontFile, its property list changes when encoding, making the allocated buffer insufficient, thus heap-buffer-overflow.

In the first pass, the last part of its property list is:

cache/0/variation_coordinates
cache/0/face_index
cache/0/embolden
cache/0/transform
cache/0/spacing_top
cache/0/spacing_bottom
cache/0/spacing_space
cache/0/spacing_glyph

In the second pass, the last part of its property list is:

cache/0/variation_coordinates
cache/0/face_index
cache/0/embolden
cache/0/transform
cache/0/spacing_top
cache/0/spacing_bottom
cache/0/spacing_space
cache/0/spacing_glyph
cache/0/16/0/ascent
cache/0/16/0/descent
cache/0/16/0/underline_position
cache/0/16/0/underline_thickness
cache/0/16/0/scale
cache/0/16/0/kerning_overrides/16/0

This is because accessing properties like font_name and font_style adds a cache entry for size 16:

godot/modules/text_server_adv/text_server_adv.cpp

Lines 2036 to 2044 in 5dc10b5

	String TextServerAdvanced::_font_get_name(const RID &p_font_rid) const {
	FontAdvanced *fd = _get_font_data(p_font_rid);
	ERR_FAIL_NULL_V(fd, String());
	MutexLock lock(fd->mutex);
	Vector2i size = _get_size(fd, 16);
	ERR_FAIL_COND_V(!_ensure_cache_for_size(fd, size), String());
	return fd->font_name;
	}

CC @bruvzg