[Scummvm-git-logs] scummvm master -> 6a27390ffb691b5a34f00908492d25487f6e7194

dreammaster noreply at scummvm.org
Tue Nov 19 05:48:39 UTC 2024 

This automated email contains information about 1 new commit which have been
pushed to the 'scummvm' repo located at https://github.com/scummvm/scummvm .

Summary:
6a27390ffb M4: RIDDLE: Workaround for use-after-free of anim8 in room 410


Commit: 6a27390ffb691b5a34f00908492d25487f6e7194
    https://github.com/scummvm/scummvm/commit/6a27390ffb691b5a34f00908492d25487f6e7194
Author: Paul Gilbert (dreammaster at scummvm.org)
Date: 2024-11-18T21:48:33-08:00

Commit Message:
M4: RIDDLE: Workaround for use-after-free of anim8 in room 410

Changed paths:
    engines/m4/riddle/rooms/section4/room410.cpp
    engines/m4/wscript/ws_cruncher.cpp
    engines/m4/wscript/ws_cruncher.h


diff --git a/engines/m4/riddle/rooms/section4/room410.cpp b/engines/m4/riddle/rooms/section4/room410.cpp
index 57a77bc2404..f2f9e16ca87 100644
--- a/engines/m4/riddle/rooms/section4/room410.cpp
+++ b/engines/m4/riddle/rooms/section4/room410.cpp
@@ -108,6 +108,12 @@ void Room410::daemon() {
 		terminateMachineAndNull(_pu);
 		_pu = series_stream("410PU02", 7, 0x100, -1);
 		series_stream_break_on_frame(_pu, 8, 125);
+
+		// WORKAROUND: Way back up in the stack, the original _pu's anim
+		// is what called daemon. So we need to flag for it to bail out,
+		// so it doesn't try to use freed memory
+		_GWS(keepProcessing) = false;
+		_GWS(bailOut) = true;
 		break;
 
 	case 125:
diff --git a/engines/m4/wscript/ws_cruncher.cpp b/engines/m4/wscript/ws_cruncher.cpp
index a4f08855067..342303d21ea 100644
--- a/engines/m4/wscript/ws_cruncher.cpp
+++ b/engines/m4/wscript/ws_cruncher.cpp
@@ -1403,6 +1403,11 @@ bool CrunchAnim8(Anim8 *myAnim8) {
 		pCodeJmpTable[myInstruction](myAnim8);
 	}
 
+	if (_GWS(bailOut)) {
+		_GWS(bailOut) = false;
+		return true;
+	}
+
 	if (_GWS(terminated)) {
 		if (_GWS(mapTheCel) || (oldR != (int)(myRegs[IDX_R] >> 16)) ||
 				(oldW != (int)(myRegs[IDX_W] >> 16)) || (oldH != (int)(myRegs[IDX_H] >> 16)) ||
diff --git a/engines/m4/wscript/ws_cruncher.h b/engines/m4/wscript/ws_cruncher.h
index f14f7c5d5c7..bea400dac34 100644
--- a/engines/m4/wscript/ws_cruncher.h
+++ b/engines/m4/wscript/ws_cruncher.h
@@ -96,6 +96,7 @@ struct WSCruncher_Globals {
 	frac16 *_myArg3 = nullptr;
 
 	bool _keepProcessing = false, _terminated = false, _mapTheCel = false;
+	bool _bailOut = false;
 	int32 _compareCCR = 0;
 	int32 _indexReg = 0;
 	int32 _pcOffsetOld = 0;

More information about the Scummvm-git-logs mailing list