compute_fov loads out-of-range int into TCOD_fov_algorithm_t enum (UBSan) #310

New issue

Closed

opened 2026-04-11 21:22:07 +00:00 by john · 0 comments

john commented 2026-04-11 21:22:07 +00:00

Owner

Copy link

Found by: fuzz_fov target (W8)

Summary

The Python binding for Grid.compute_fov passes a raw int algorithm argument straight through to GridData::computeFOV without validating it against the TCOD_fov_algorithm_t enum range. UBSan catches the invalid enum load:

runtime error: load of value 4294967247, which is not a valid value for type 'TCOD_fov_algorithm_t'

(4294967247 is -49 reinterpreted as unsigned.)

Reproduction

Crash input preserved at:

tests/fuzz/crashes/fov-crash-d5da064d802ae2b5691c520907cd692d04de8bb2

Root Cause

• Invalid enum cast happens at src/GridData.cpp:136
• The unchecked value originates at the binding layer src/UIGridPyMethods.cpp:112

Suggested Fix

Validate the int at the binding layer before converting to the enum. Reject (or clamp to a default) anything outside TCOD_BASIC..TCOD_SYMMETRIC_SHADOWCAST, raising a ValueError to Python for invalid input.

Related

Fail-early principle: validation belongs at the boundary between Python and the C++ engine, not deep in the TCOD call path.

**Found by:** `fuzz_fov` target (W8) ## Summary The Python binding for `Grid.compute_fov` passes a raw int `algorithm` argument straight through to `GridData::computeFOV` without validating it against the `TCOD_fov_algorithm_t` enum range. UBSan catches the invalid enum load: ``` runtime error: load of value 4294967247, which is not a valid value for type 'TCOD_fov_algorithm_t' ``` (`4294967247` is `-49` reinterpreted as unsigned.) ## Reproduction Crash input preserved at: ``` tests/fuzz/crashes/fov-crash-d5da064d802ae2b5691c520907cd692d04de8bb2 ``` ## Root Cause - Invalid enum cast happens at `src/GridData.cpp:136` - The unchecked value originates at the binding layer `src/UIGridPyMethods.cpp:112` ## Suggested Fix Validate the int at the binding layer before converting to the enum. Reject (or clamp to a default) anything outside `TCOD_BASIC`..`TCOD_SYMMETRIC_SHADOWCAST`, raising a `ValueError` to Python for invalid input. ## Related Fail-early principle: validation belongs at the boundary between Python and the C++ engine, not deep in the TCOD call path.

john added the

Bugfix

priority:tier1-active

system:python-binding

labels 2026-04-11 21:22:07 +00:00

john referenced this issue 2026-04-17 03:14:59 +00:00

[Major Feature] Coverage-guided fuzz harness for Python API (libFuzzer + ASan) #283

john referenced this issue from a commit 2026-04-18 00:05:58 +00:00

Route Grid.compute_fov algorithm through PyFOV::from_arg

john closed this issue 2026-04-18 00:05:58 +00:00

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

master

threedee

emscripten-mcrogueface

rogueliketutorial25

alpha_presentable

alpha_streamline_2

alpha_streamline_1

interpreter_mode

grid_entity_integration

reprs_and_member_names

break_up_ui_h

standardize_font_handling

standardize_vector_handling

standardize_color_handling

standardize_texture_handling

raii_pyobjects

rebase-for-7DRL_Feb-2024

engjam_uicollection

engjam_ui_overhaul

0.2.3-prerelease-7drl2026-emscripten

Labels

Clear labels   

Alpha Release Requirement

This issue is a blocker to 0.1 Alpha release of McRogueFace.

  

Bugfix

  

Demo Target

Functionality to demonstrate; Depends on new features, but this issue isn't for writing them.

  

Documentation

  

Major Feature

Significant time and effort required.

  

Minor Feature

Some effort required to create or overhaul functionality.

  

priority:tier1-active

Current development focus - critical path to v1.0

  

priority:tier2-foundation

Important foundation work - not blocking v1.0

  

priority:tier3-future

Future features - deferred until after v1.0

  

priority:tier4-deferred

  

Refactoring & Cleanup

no new functionality, just improving the codebase.

  

system:animation

Animation and property interpolation

  

system:documentation

Documentation infrastructure

  

system:grid

Grid system and spatial containers

  

system:input

Input handling and events

  

system:performance

Performance optimization and profiling

  

system:procgen

Procedural Generation (Noise, BSP, Heightmap)

  

system:python-binding

Python/C++ binding layer

  

system:rendering

Rendering pipeline and visuals

  

system:ui-hierarchy

UI component hierarchy and composition

  

Tiny Feature

quick and easy - a few lines or with little interconnection around the codebase

  

workflow:blocked

Blocked by other work - waiting on dependencies

  

workflow:needs-benchmark

Needs performance testing and benchmarks

  

workflow:needs-documentation

Needs documentation before or after implementation

No labels

Alpha Release Requirement

Bugfix

Demo Target

Documentation

Major Feature

Minor Feature

priority:tier1-active

priority:tier2-foundation

priority:tier3-future

priority:tier4-deferred

Refactoring & Cleanup

system:animation

system:documentation

system:grid

system:input

system:performance

system:procgen

system:python-binding

system:rendering

system:ui-hierarchy

Tiny Feature

workflow:blocked

workflow:needs-benchmark

workflow:needs-documentation

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

john/McRogueFace#310

No description provided.