[Scummvm-tracker] [ScummVM] #9880: TITANIC: Starship Titanic: Deskbot crash on return respond
Willem Jan Palenstijn
trac at scummvm.org
Tue Jul 11 00:14:21 CEST 2017
#9880: TITANIC: Starship Titanic: Deskbot crash on return respond
-------------------------------+-----------------------------
Reporter: dafioram | Owner: dreammaster
Type: defect | Status: new
Priority: high | Component: Engine: Titanic
Resolution: | Keywords:
Game: Starship Titanic |
-------------------------------+-----------------------------
Comment (by wjp):
The problem might be that `TTquotesTree::search` seems to expect its
`TTtreeResult *buffer` to be a buffer of multiple `TTtreeResult` objects.
(Since `search1` happily accesses `buffer + 1` and further by recursing.)
`DeskbotScript::searchQuotes()` calls it with only a single `TTtreeResult`
object.
Other functions seem to call it with a similar pattern.
Valgrind points at two more suspicious things here, although I suspect the
one above is the actual culprit: `CWaveFile::audioStream` tells the
`MemoryReadStream` to dispose of `_waveData` at end with `free`, even
though it is allocated with `new[]`. And `TTparser::filterConcepts`
accesses deleted data when doing `currP = currP->_nextP` after deleting
`currP` in `removeConcept(currP)`.
--
Ticket URL: <https://bugs.scummvm.org/ticket/9880#comment:5>
ScummVM <https://bugs.scummvm.org>
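Two of the defects named in the comment above are generic C++ memory-safety patterns, so here is an added illustration of the corrected forms. This is example code written for this page, not ScummVM's own code: `Concept`, `TreeResult`, `buildList`, `filterConcepts` and `fillResults` are hypothetical stand-ins for the parser's concept list and the quote-tree result buffer. The list filter reads `_nextP` into a local before deleting the current node, which is the fix for the "accesses deleted data" pattern; the recursive result writer takes the buffer's capacity alongside the pointer, so a caller who passes a single object cannot be walked past by `buffer + 1` recursion.

```cpp
#include <cstddef>
#include <vector>

// Hypothetical node type standing in for the parser's concept list.
struct Concept {
    int _id;
    bool _remove;      // set by whatever predicate decides a concept must go
    Concept *_nextP;
};

// Build a constructed list with ids 0..n-1; ids listed in `drop` are flagged for removal.
Concept *buildList(int n, const std::vector<int> &drop) {
    Concept *head = nullptr;
    Concept *tail = nullptr;
    for (int i = 0; i < n; ++i) {
        bool flagged = false;
        for (int d : drop)
            if (d == i) flagged = true;
        Concept *node = new Concept{i, flagged, nullptr};
        if (tail) tail->_nextP = node; else head = node;
        tail = node;
    }
    return head;
}

// Filter the list in place. The next pointer is copied into a local before the
// node can be deleted, so the loop never reads through a freed `currP`.
// Updates `head` (the first node may be removed) and returns the removal count.
size_t filterConcepts(Concept *&head) {
    size_t removed = 0;
    Concept *prevP = nullptr;
    Concept *currP = head;
    while (currP) {
        Concept *nextP = currP->_nextP;    // saved while currP is still valid
        if (currP->_remove) {
            if (prevP) prevP->_nextP = nextP; else head = nextP;
            delete currP;                  // currP is dangling from here on
            ++removed;
        } else {
            prevP = currP;
        }
        currP = nextP;                     // the saved copy, not currP->_nextP
    }
    return removed;
}

// Collect the ids that survived filtering (used for checking the result).
std::vector<int> collectIds(const Concept *head) {
    std::vector<int> ids;
    for (const Concept *p = head; p; p = p->_nextP)
        ids.push_back(p->_id);
    return ids;
}

// Release every node, using the same save-next-first discipline.
void freeList(Concept *head) {
    while (head) {
        Concept *nextP = head->_nextP;
        delete head;
        head = nextP;
    }
}

// Hypothetical result record, analogous to a tree-search result entry.
struct TreeResult {
    int _depth;
};

// Recursive writer that fills one entry per recursion level. It carries the
// buffer capacity with the pointer and stops when capacity is exhausted, so a
// caller that hands over a single object gets exactly one entry written.
size_t fillResults(TreeResult *buffer, size_t capacity, size_t depth) {
    if (depth == 0 || capacity == 0)
        return 0;
    buffer[0]._depth = static_cast<int>(depth);
    return 1 + fillResults(buffer + 1, capacity - 1, depth - 1);
}
```

The third issue in the comment, memory obtained with `new[]` but released with `free`, needs no loop to demonstrate: the deallocator must match the allocator (`delete[]`, or a `std::unique_ptr<T[]>` that does it for you), and mixing them is undefined behaviour even when it happens not to crash.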