[Scummvm-tracker] [ScummVM] #9727: SCI: KQ4: Crash during intro

Colin Snover trac at scummvm.org
Thu Apr 13 04:16:37 CEST 2017 

#9727: SCI: KQ4: Crash during intro
-----------------------------+-------------------------
  Reporter:  Kurufinwe21     |      Owner:  (none)
      Type:  defect          |     Status:  new
  Priority:  normal          |  Component:  Engine: SCI
Resolution:                  |   Keywords:
      Game:  King's Quest 4  |
-----------------------------+-------------------------

Comment (by csnover):

 This is the relevant part of the call stack for this crash:

 {{{
 #4      0x0000000100490609 in Sci::MidiParser_SCI::midiFilterChannels(int)
 at scummvm/engines/sci/sound/midiparser_sci.cpp:249
 #5      0x000000010048ffef in
 Sci::MidiParser_SCI::loadMusic(Sci::SoundResource::Track*,
 Sci::MusicEntry*, int, Sci::SciVersion) at
 scummvm/engines/sci/sound/midiparser_sci.cpp:110
 #6      0x00000001004a3dcd in
 Sci::SciMusic::soundInitSnd(Sci::MusicEntry*) at
 scummvm/engines/sci/sound/music.cpp:414
 #7      0x00000001004b6344 in
 Sci::SoundCommandParser::initSoundResource(Sci::MusicEntry*) at
 scummvm/engines/sci/sound/soundcmd.cpp:117
 #8      0x00000001004b40c8 in
 Sci::SoundCommandParser::processInitSound(Sci::reg_t) at
 scummvm/engines/sci/sound/soundcmd.cpp:144
 #9      0x00000001004cc692 in Sci::SoundCommandParser::startNewSound(int)
 at scummvm/engines/sci/sound/soundcmd.cpp:873
 }}}

 The affected sound resource contains two MIDI Stop (0xFC) system commands,
 instead of just one (normally they only have one). When there is more data
 after the Stop command, as in sound 104, the filter loop continues to run.
 This causes an unconditional read of 2 bytes, where `curDelta` becomes
 0xFC (the second Stop command), and trying to read `curByte` now raises an
 access violation as it is an out-of-bounds read.

 I think the correct solution is to just break out of the filter loop when
 an 0xFC command is seen, but I want to double-check with someone else with
 more MIDI knowledge before doing that (since I don’t know for sure that
 such commands cannot validly show up in the middle of a sound resource).

--
Ticket URL: <https://bugs.scummvm.org/ticket/9727#comment:1>
ScummVM <https://bugs.scummvm.org>
ScummVM

More information about the Scummvm-tracker mailing list