[ scummvm-Bugs-633082 ] class Sound: writing past array bounds

noreply at sourceforge.net noreply at sourceforge.net
Mon Nov 4 02:43:51 CET 2002


Bugs item #633082, was opened at 2002-11-04 02:43
You can respond by visiting: 
https://sourceforge.net/tracker/?func=detail&atid=418820&aid=633082&group_id=37116

Category: SFX/Talkie
Group: All Games
Status: Open
Resolution: None
Priority: 5
Submitted By: Martin Ottowitz (sir_kill_a_lot)
Assigned to: Nobody/Anonymous (nobody)
Summary: class Sound: writing past array bounds

Initial Comment:
ScummVM 0.2.7 CVS, Built on Oct 31 2002 07:14:27 
(sound.cpp rev. 1.48)

I've discovered this bug while playing DOTT (German 
Talkie, using monster.sou) on Win32. After the second 
sentence in the first cutscene in the future all sound 
effects were gone, only the music played on.
Instead of playing the sounds, the console 
said "WARNING: startTalkSound: did not find sound at 
offset xxxxxxxxx !!", I had to restart ScummVM to fix 
that.

I set a breakpoint in "Sound::startTalkSound" in 
scumm/sound.cpp and saw that "_mouthSyncTimes" 
was written beyond its bounds.
"_mouthSyncTimes" has 52 elements but "num" was 
set to 55. So the line "_mouthSyncTimes[i] = 0xFFFF;" 
after the loop actually changed the var "offset_table" and 
caused the warnings.

This array should be resized (why was its size initially 
set to 52?) and perhaps the range checked or 
something like that...

I attached a savegame of the cutscene, but it works 
only for the German version (probably this bug doesn't 
occur in the English one; German sentences/words are 
mostly longer).

----------------------------------------------------------------------
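The out-of-bounds write described in the report, modelled as an added C++ example that is not ScummVM's own code: the unchecked copy-and-terminate pattern beside a bounds-checked version that refuses input which would not fit. The struct layout, the function names and the sample input are assumptions.

```cpp
#include <cstdint>
#include <cstddef>
#include <vector>

// Constructed model of the layout the report describes: a fixed 52-entry
// sync-time table followed in memory by another member. The member names are
// taken from the report; the struct layout itself is an assumption.
struct TalkSoundState {
    uint16_t _mouthSyncTimes[52];
    uint32_t offset_table;   // the field the report says was clobbered
};

// Defective pattern as described in the report: 'num' entries are copied and
// a 0xFFFF terminator is then stored at index num, with no check against the
// array size. With num == 55 the writes land past the array (undefined
// behaviour); kept only to show the pattern, never called here.
[[maybe_unused]] static void loadMouthSyncUnchecked(TalkSoundState& s,
                                                    const uint16_t* times, size_t num) {
    size_t i;
    for (i = 0; i < num; i++)
        s._mouthSyncTimes[i] = times[i];
    s._mouthSyncTimes[i] = 0xFFFF;   // i == num; out of bounds when num >= 52
}

// Hardened form: keep one slot for the terminator and reject input that does
// not fit instead of silently writing past the end of the array.
static bool loadMouthSyncChecked(TalkSoundState& s, const uint16_t* times, size_t num) {
    const size_t capacity = sizeof(s._mouthSyncTimes) / sizeof(s._mouthSyncTimes[0]);
    if (num >= capacity)   // need one extra slot for the 0xFFFF terminator
        return false;
    for (size_t i = 0; i < num; i++)
        s._mouthSyncTimes[i] = times[i];
    s._mouthSyncTimes[num] = 0xFFFF;
    return true;
}

// Loads 'num' constructed sync times through the checked path and reports
// whether the neighbouring field survived untouched.
static bool checkedLoadPreservesNeighbour(size_t num) {
    TalkSoundState s{};
    s.offset_table = 0xDEADBEEF;
    std::vector<uint16_t> times(num, 10);   // constructed sample input
    loadMouthSyncChecked(s, times.data(), num);
    return s.offset_table == 0xDEADBEEF;
}
```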
