[Scummvm-tracker] [ScummVM] #9880: TITANIC: Starship Titanic: Deskbot crash on return respond

Willem Jan Palenstijn trac at scummvm.org
Tue Jul 11 00:14:21 CEST 2017


#9880: TITANIC: Starship Titanic: Deskbot crash on return respond
-------------------------------+-----------------------------
  Reporter:  dafioram          |      Owner:  dreammaster
      Type:  defect            |     Status:  new
  Priority:  high              |  Component:  Engine: Titanic
Resolution:                    |   Keywords:
      Game:  Starship Titanic  |
-------------------------------+-----------------------------

Comment (by wjp):

 The problem might be that `TTquotesTree::search` seems to expect its
 `TTtreeResult *buffer` to be a buffer of multiple `TTtreeResult` objects.
 (Since `search1` happily accesses `buffer + 1` and further by recursing.)

 `DeskbotScript::searchQuotes()` calls it with only a single `TTtreeResult`
 object.

 Other functions seem to call it with a similar pattern.
 Valgrind points at two more suspicious things here, although I suspect the
 one above is the actual culprit: `CWaveFile::audioStream` tells the
 `MemoryReadStream` to dispose of `_waveData` at end with `free`, even
 though it is allocated with `new[]`. And `TTparser::filterConcepts`
 accesses deleted data when doing `currP = currP->_nextP` after deleting
 `currP` in `removeConcept(currP)`.

--
Ticket URL: <https://bugs.scummvm.org/ticket/9880#comment:5>
ScummVM <https://bugs.scummvm.org>
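As an added illustration of the third point in the comment (advancing with `currP = currP->_nextP` after `currP` has already been deleted), the following is example code, not ScummVM's own: a small singly linked list whose filter copies the next link before freeing the node and unlinks through a pointer-to-pointer so no dangling pointer remains. The names `Concept`, `ConceptList` and `runDemo` are hypothetical stand-ins, and the list contents are constructed.

```cpp
// Added example, not ScummVM code: hypothetical names modelled on the
// TTparser::filterConcepts pattern described in the ticket comment.
#include <initializer_list>
#include <vector>
struct Concept {
    int _tag;           // constructed payload identifying the concept
    Concept *_nextP;    // singly linked list link, as in the engine's nodes
    Concept(int tag, Concept *next) : _tag(tag), _nextP(next) {}
};
struct ConceptList {
    Concept *_headP = nullptr;
    ~ConceptList() {
        while (_headP) { Concept *n = _headP->_nextP; delete _headP; _headP = n; }
    }
    void push(int tag) { _headP = new Concept(tag, _headP); }
    // Remove every node whose tag matches. The buggy form in the ticket was
    //   removeConcept(currP); currP = currP->_nextP;   // reads freed memory
    // Here the next link is copied while currP is still live, and the node
    // is unlinked before it is freed, so nothing in the list dangles.
    int filterConcepts(int tag) {
        int removed = 0;
        Concept **linkP = &_headP;
        while (Concept *currP = *linkP) {
            Concept *nextP = currP->_nextP;   // saved before any delete
            if (currP->_tag == tag) {
                *linkP = nextP;               // unlink first...
                delete currP;                 // ...then free
                ++removed;
            } else {
                linkP = &currP->_nextP;       // keep node, advance the link
            }
        }
        return removed;
    }
    std::vector<int> tags() const {
        std::vector<int> out;
        for (Concept *p = _headP; p; p = p->_nextP) out.push_back(p->_tag);
        return out;
    }
};
// Builds the constructed list 1->3->2->3, filters `tag`, and returns
// {removed count, remaining tags...} so the result can be checked.
std::vector<int> runDemo(int tag) {
    ConceptList list;
    for (int t : {3, 2, 3, 1}) list.push(t);   // push() prepends
    std::vector<int> result{list.filterConcepts(tag)};
    for (int t : list.tags()) result.push_back(t);
    return result;
}
```

Running this under Valgrind or AddressSanitizer shows no invalid reads, which is the check that flagged the original pattern.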