#434 ASan crash quest temp reward

Closed
opened 1 year ago by image · 1 comments
image commented 1 year ago

What the trace shows: thread T32 (ZoneLoop, servicing a client command through Client::GetPendingQuestAcceptance) reads one byte via Quest::GetQuestTemporaryState() from a heap region that thread T33 (SpawnLoop) had already released with delete[] in Client::MakeSpawnChangePacket. Because that region was both allocated and freed inside MakeSpawnChangePacket, this looks like the Quest pointer held for the pending quest acceptance was already dangling and the spawn loop merely reused that memory for a packet buffer, so the lifetime of the pending-quest entry (not the packet buffer) is the thing to check.

==2116970==ERROR: AddressSanitizer: heap-use-after-free on address 0x61d00139506a at pc 0x555555e21021 bp 0x7fffde2d2180 sp 0x7fffde2d2170 READ of size 1 at 0x61d00139506a thread T32

#0 0x555555e21020 in Quest::GetQuestTemporaryState() ../WorldServer/../common/../WorldServer/Quests.h:316
#1 0x555555e21020 in Client::GetPendingQuestAcceptance(unsigned int) ../WorldServer/client.cpp:5811
#2 0x5555565bfa96 in Commands::Process(unsigned int, EQ2_16BitString*, Client*, Spawn*) ../WorldServer/Commands/Commands.cpp:4101
#3 0x555555edd5f7 in Client::HandlePacket(EQApplicationPacket*) ../WorldServer/client.cpp:1878
#4 0x555555ef349a in Client::Process(bool) ../WorldServer/client.cpp:3058
#5 0x55555635d856 in ZoneServer::ClientProcess() ../WorldServer/zoneserver.cpp:3303
#6 0x555556370047 in ZoneServer::Process() ../WorldServer/zoneserver.cpp:1440
#7 0x555556382b0c in ZoneLoop(void*) ../WorldServer/zoneserver.cpp:7005
#8 0x7ffff7535608 in start_thread /build/glibc-SzIz7B/glibc-2.31/nptl/pthread_create.c:477
#9 0x7ffff6f13132 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x11f132)

0x61d00139506a is located 2026 bytes inside of 2164-byte region [0x61d001394880,0x61d0013950f4) freed by thread T33 here:

#0 0x7ffff767c6ef in operator delete[](void*) ../../../../src/libsanitizer/asan/asan_new_delete.cc:168
#1 0x555555eb5f64 in Client::MakeSpawnChangePacket(std::map<unsigned int, SpawnData, std::less<unsigned int>, std::allocator<std::pair<unsigned int const, SpawnData> > >, std::map<unsigned int, SpawnData, std::less<unsigned int>, std::allocator<std::pair<unsigned int const, SpawnData> > >, std::map<unsigned int, SpawnData, std::less<unsigned int>, std::allocator<std::pair<unsigned int const, SpawnData> > >, unsigned int, unsigned int, unsigned int) ../WorldServer/client.cpp:10177
#2 0x555555eb9e9c in Client::SendSpawnChanges(std::set<Spawn*, std::less<Spawn*>, std::allocator<Spawn*> >&) ../WorldServer/client.cpp:10080
#3 0x5555562abb6c in ZoneServer::SendSpawnChanges() ../WorldServer/zoneserver.cpp:1964
#4 0x55555634304a in ZoneServer::SpawnProcess() ../WorldServer/zoneserver.cpp:1586
#5 0x555556344832 in SpawnLoop(void*) ../WorldServer/zoneserver.cpp:7029
#6 0x7ffff7535608 in start_thread /build/glibc-SzIz7B/glibc-2.31/nptl/pthread_create.c:477

previously allocated by thread T33 here:

#0 0x7ffff767b787 in operator new[](unsigned long) ../../../../src/libsanitizer/asan/asan_new_delete.cc:107
#1 0x555555eb52b0 in Client::MakeSpawnChangePacket(std::map<unsigned int, SpawnData, std::less<unsigned int>, std::allocator<std::pair<unsigned int const, SpawnData> > >, std::map<unsigned int, SpawnData, std::less<unsigned int>, std::allocator<std::pair<unsigned int const, SpawnData> > >, std::map<unsigned int, SpawnData, std::less<unsigned int>, std::allocator<std::pair<unsigned int const, SpawnData> > >, unsigned int, unsigned int, unsigned int) ../WorldServer/client.cpp:10108
#2 0x555555eb9e9c in Client::SendSpawnChanges(std::set<Spawn*, std::less<Spawn*>, std::allocator<Spawn*> >&) ../WorldServer/client.cpp:10080
#3 0x5555562abb6c in ZoneServer::SendSpawnChanges() ../WorldServer/zoneserver.cpp:1964
#4 0x55555634304a in ZoneServer::SpawnProcess() ../WorldServer/zoneserver.cpp:1586
#5 0x555556344832 in SpawnLoop(void*) ../WorldServer/zoneserver.cpp:7029
#6 0x7ffff7535608 in start_thread /build/glibc-SzIz7B/glibc-2.31/nptl/pthread_create.c:477

Thread T32 created by T0 here:

#0 0x7ffff75a6815 in __interceptor_pthread_create ../../../../src/libsanitizer/asan/asan_interceptors.cc:208
#1 0x55555632de6c in ZoneServer::Init() ../WorldServer/zoneserver.cpp:331
#2 0x555555c1ce1a in ZoneList::Get(unsigned int, bool, bool) ../WorldServer/World.cpp:605
#3 0x555555e1d6f9 in Client::SetCurrentZone(unsigned int) ../WorldServer/client.cpp:3421
#4 0x555556193c6f in WorldDatabase::loadCharacter(char const*, unsigned int, Client*) ../WorldServer/WorldDatabase.cpp:1789
#5 0x555555ecc774 in Client::HandleNewLogin(unsigned int, unsigned int) ../WorldServer/client.cpp:9877
#6 0x555555ed1cc8 in Client::HandlePacket(EQApplicationPacket*) ../WorldServer/client.cpp:1077
#7 0x555555ef349a in Client::Process(bool) ../WorldServer/client.cpp:3058
#8 0x555555ef6323 in ClientList::Process() ../WorldServer/client.cpp:3353
#9 0x55555646e845 in main ../WorldServer/net.cpp:458
#10 0x7ffff6e18082 in __libc_start_main ../csu/libc-start.c:308

Thread T33 created by T0 here:

#0 0x7ffff75a6815 in __interceptor_pthread_create ../../../../src/libsanitizer/asan/asan_interceptors.cc:208
#1 0x55555632deac in ZoneServer::Init() ../WorldServer/zoneserver.cpp:333
#2 0x555555c1ce1a in ZoneList::Get(unsigned int, bool, bool) ../WorldServer/World.cpp:605
#3 0x555555e1d6f9 in Client::SetCurrentZone(unsigned int) ../WorldServer/client.cpp:3421
#4 0x555556193c6f in WorldDatabase::loadCharacter(char const*, unsigned int, Client*) ../WorldServer/WorldDatabase.cpp:1789
#5 0x555555ecc774 in Client::HandleNewLogin(unsigned int, unsigned int) ../WorldServer/client.cpp:9877
#6 0x555555ed1cc8 in Client::HandlePacket(EQApplicationPacket*) ../WorldServer/client.cpp:1077
#7 0x555555ef349a in Client::Process(bool) ../WorldServer/client.cpp:3058
#8 0x555555ef6323 in ClientList::Process() ../WorldServer/client.cpp:3353
#9 0x55555646e845 in main ../WorldServer/net.cpp:458
#10 0x7ffff6e18082 in __libc_start_main ../csu/libc-start.c:308

SUMMARY: AddressSanitizer: heap-use-after-free ../WorldServer/../common/../WorldServer/Quests.h:316 in Quest::GetQuestTemporaryState()
Shadow bytes around the buggy address:
  0x0c3a8026a9b0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c3a8026a9c0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c3a8026a9d0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c3a8026a9e0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c3a8026a9f0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c3a8026aa00: fd fd fd fd fd fd fd fd fd fd fd fd fd[fd]fd fd
  0x0c3a8026aa10: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa
  0x0c3a8026aa20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3a8026aa30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3a8026aa40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3a8026aa50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==2116970==ABORTING

==2116970==ERROR: AddressSanitizer: heap-use-after-free on address 0x61d00139506a at pc 0x555555e21021 bp 0x7fffde2d2180 sp 0x7fffde2d2170 READ of size 1 at 0x61d00139506a thread T32 #0 0x555555e21020 in Quest::GetQuestTemporaryState() ../WorldServer/../common/../WorldServer/Quests.h:316 #1 0x555555e21020 in Client::GetPendingQuestAcceptance(unsigned int) ../WorldServer/client.cpp:5811 #2 0x5555565bfa96 in Commands::Process(unsigned int, EQ2_16BitString*, Client*, Spawn*) ../WorldServer/Commands/Commands.cpp:4101 #3 0x555555edd5f7 in Client::HandlePacket(EQApplicationPacket*) ../WorldServer/client.cpp:1878 #4 0x555555ef349a in Client::Process(bool) ../WorldServer/client.cpp:3058 #5 0x55555635d856 in ZoneServer::ClientProcess() ../WorldServer/zoneserver.cpp:3303 #6 0x555556370047 in ZoneServer::Process() ../WorldServer/zoneserver.cpp:1440 #7 0x555556382b0c in ZoneLoop(void*) ../WorldServer/zoneserver.cpp:7005 #8 0x7ffff7535608 in start_thread /build/glibc-SzIz7B/glibc-2.31/nptl/pthread_create.c:477 #9 0x7ffff6f13132 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x11f132) 0x61d00139506a is located 2026 bytes inside of 2164-byte region [0x61d001394880,0x61d0013950f4) freed by thread T33 here: #0 0x7ffff767c6ef in operator delete[](void*) ../../../../src/libsanitizer/asan/asan_new_delete.cc:168 #1 0x555555eb5f64 in Client::MakeSpawnChangePacket(std::map<unsigned int, SpawnData, std::less<unsigned int>, std::allocator<std::pair<unsigned int const, SpawnData> > >, std::map<unsigned int, SpawnData, std::less<unsigned int>, std::allocator<std::pair<unsigned int const, SpawnData> > >, std::map<unsigned int, SpawnData, std::less<unsigned int>, std::allocator<std::pair<unsigned int const, SpawnData> > >, unsigned int, unsigned int, unsigned int) ../WorldServer/client.cpp:10177 #2 0x555555eb9e9c in Client::SendSpawnChanges(std::set<Spawn*, std::less<Spawn*>, std::allocator<Spawn*> >&) ../WorldServer/client.cpp:10080 #3 0x5555562abb6c in ZoneServer::SendSpawnChanges() 
../WorldServer/zoneserver.cpp:1964 #4 0x55555634304a in ZoneServer::SpawnProcess() ../WorldServer/zoneserver.cpp:1586 #5 0x555556344832 in SpawnLoop(void*) ../WorldServer/zoneserver.cpp:7029 #6 0x7ffff7535608 in start_thread /build/glibc-SzIz7B/glibc-2.31/nptl/pthread_create.c:477 previously allocated by thread T33 here: #0 0x7ffff767b787 in operator new[](unsigned long) ../../../../src/libsanitizer/asan/asan_new_delete.cc:107 #1 0x555555eb52b0 in Client::MakeSpawnChangePacket(std::map<unsigned int, SpawnData, std::less<unsigned int>, std::allocator<std::pair<unsigned int const, SpawnData> > >, std::map<unsigned int, SpawnData, std::less<unsigned int>, std::allocator<std::pair<unsigned int const, SpawnData> > >, std::map<unsigned int, SpawnData, std::less<unsigned int>, std::allocator<std::pair<unsigned int const, SpawnData> > >, unsigned int, unsigned int, unsigned int) ../WorldServer/client.cpp:10108 #2 0x555555eb9e9c in Client::SendSpawnChanges(std::set<Spawn*, std::less<Spawn*>, std::allocator<Spawn*> >&) ../WorldServer/client.cpp:10080 #3 0x5555562abb6c in ZoneServer::SendSpawnChanges() ../WorldServer/zoneserver.cpp:1964 #4 0x55555634304a in ZoneServer::SpawnProcess() ../WorldServer/zoneserver.cpp:1586 #5 0x555556344832 in SpawnLoop(void*) ../WorldServer/zoneserver.cpp:7029 #6 0x7ffff7535608 in start_thread /build/glibc-SzIz7B/glibc-2.31/nptl/pthread_create.c:477 Thread T32 created by T0 here: #0 0x7ffff75a6815 in __interceptor_pthread_create ../../../../src/libsanitizer/asan/asan_interceptors.cc:208 #1 0x55555632de6c in ZoneServer::Init() ../WorldServer/zoneserver.cpp:331 #2 0x555555c1ce1a in ZoneList::Get(unsigned int, bool, bool) ../WorldServer/World.cpp:605 #3 0x555555e1d6f9 in Client::SetCurrentZone(unsigned int) ../WorldServer/client.cpp:3421 #4 0x555556193c6f in WorldDatabase::loadCharacter(char const*, unsigned int, Client*) ../WorldServer/WorldDatabase.cpp:1789 #5 0x555555ecc774 in Client::HandleNewLogin(unsigned int, unsigned int) 
../WorldServer/client.cpp:9877 #6 0x555555ed1cc8 in Client::HandlePacket(EQApplicationPacket*) ../WorldServer/client.cpp:1077 #7 0x555555ef349a in Client::Process(bool) ../WorldServer/client.cpp:3058 #8 0x555555ef6323 in ClientList::Process() ../WorldServer/client.cpp:3353 #9 0x55555646e845 in main ../WorldServer/net.cpp:458 #10 0x7ffff6e18082 in __libc_start_main ../csu/libc-start.c:308 Thread T33 created by T0 here: #0 0x7ffff75a6815 in __interceptor_pthread_create ../../../../src/libsanitizer/asan/asan_interceptors.cc:208 #1 0x55555632deac in ZoneServer::Init() ../WorldServer/zoneserver.cpp:333 #2 0x555555c1ce1a in ZoneList::Get(unsigned int, bool, bool) ../WorldServer/World.cpp:605 #3 0x555555e1d6f9 in Client::SetCurrentZone(unsigned int) ../WorldServer/client.cpp:3421 #4 0x555556193c6f in WorldDatabase::loadCharacter(char const*, unsigned int, Client*) ../WorldServer/WorldDatabase.cpp:1789 #5 0x555555ecc774 in Client::HandleNewLogin(unsigned int, unsigned int) ../WorldServer/client.cpp:9877 #6 0x555555ed1cc8 in Client::HandlePacket(EQApplicationPacket*) ../WorldServer/client.cpp:1077 #7 0x555555ef349a in Client::Process(bool) ../WorldServer/client.cpp:3058 #8 0x555555ef6323 in ClientList::Process() ../WorldServer/client.cpp:3353 #9 0x55555646e845 in main ../WorldServer/net.cpp:458 #10 0x7ffff6e18082 in __libc_start_main ../csu/libc-start.c:308 SUMMARY: AddressSanitizer: heap-use-after-free ../WorldServer/../common/../WorldServer/Quests.h:316 in Quest::GetQuestTemporaryState() Shadow bytes around the buggy address: 0x0c3a8026a9b0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c3a8026a9c0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c3a8026a9d0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c3a8026a9e0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c3a8026a9f0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd =>0x0c3a8026aa00: fd fd fd fd fd fd fd fd fd fd fd fd fd[fd]fd fd 0x0c3a8026aa10: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa 
0x0c3a8026aa20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c3a8026aa30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c3a8026aa40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c3a8026aa50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb Shadow gap: cc ==2116970==ABORTING
image commented 1 year ago
There is no content yet.