[Scummvm-tracker] [ScummVM] #10090: TITANIC: heap use-after-free loading a save game during TrueTalk video playback

Colin Snover trac at scummvm.org
Wed Aug 9 05:50:35 CEST 2017


#10090: TITANIC: heap use-after-free loading a save game during TrueTalk video
playback
--------------------+------------------------------
Reporter:  csnover  |      Owner:  (none)
    Type:  defect   |     Status:  new
Priority:  normal   |  Component:  Engine: Titanic
Keywords:           |       Game:  Starship Titanic
--------------------+------------------------------
 Build: 6fac0ace2c844aa68c2482362021981ed1db931b + PR 975, macOS 10.11, SDL
 2.0.5, ASan on

 Reproduction:

 1. Load attached save game
 2. Click on Marsinta
 3. Change PET to settings panel
 4. Click load game icon in settings panel
 5. Highlight save game to load (any game is fine)
 6. Wait until the “Welcome guest number…” line starts playing
 7. Click Load button to load save game

 Expected: the save game loads without any memory error
 Actual: ASan reports a heap use-after-free (see report below)

 Backtrace:

 {{{
 #6      0x00000001002c42d6 in Titanic::TTtalker::endSpeech(int) at
 scummvm/engines/titanic/true_talk/tt_talker.cpp:49
 #7      0x00000001001dad70 in
 Titanic::QSoundManagerSounds::flushChannel(int) at
 scummvm/engines/titanic/sound/sound_manager.cpp:60
 #8      0x00000001001dc5dd in Titanic::QSoundManager::stopAllChannels() at
 scummvm/engines/titanic/sound/sound_manager.cpp:240
 #9      0x00000001001d84f8 in Titanic::CSound::preLoad() at
 scummvm/engines/titanic/sound/sound.cpp:43
 #10     0x000000010003d29b in Titanic::CProjectItem::preLoad() at
 scummvm/engines/titanic/core/project_item.cpp:324
 #11     0x000000010003ccb8 in Titanic::CProjectItem::loadGame(int) at
 scummvm/engines/titanic/core/project_item.cpp:173
 #12     0x00000001002df561 in Titanic::CMainGameWindow::draw() at
 scummvm/engines/titanic/main_game_window.cpp:158
 #13     0x00000001002d58e2 in Titanic::CGameManager::update() at
 scummvm/engines/titanic/game_manager.cpp:203
 #14     0x00000001002d1766 in Titanic::Events::pollEvents() at
 scummvm/engines/titanic/events.cpp:103
 #15     0x00000001002d20a1 in Titanic::Events::pollEventsAndWait() at
 scummvm/engines/titanic/events.cpp:109
 #16     0x00000001002e571d in Titanic::TitanicEngine::run() at
 scummvm/engines/titanic/titanic.cpp:144
 #17     0x000000010047ecf7 in runGame(PluginSubclass<MetaEngine> const*,
 OSystem&, Common::String const&) [inlined] at scummvm/base/main.cpp:263
 #18     0x000000010047eb14 in ::scummvm_main(int, const char *const *) at
 scummvm/base/main.cpp:529
 #19     0x000000010045052a in main at scummvm/backends/platform/sdl/macosx
 /macosx-main.cpp:45
 }}}

 ASan report:

 {{{
 Memory deallocated at (1)#0     0x000000010129e87b in wrap__ZdlPv ()
 #1      0x000000010029593b in Titanic::CTrueTalkManager::preLoad() at
 scummvm/engines/titanic/true_talk/true_talk_manager.cpp:205
 #2      0x00000001002d4140 in Titanic::CGameManager::preLoad() at
 scummvm/engines/titanic/game_manager.cpp:84
 #3      0x000000010003d29a in Titanic::CProjectItem::preLoad() at
 scummvm/engines/titanic/core/project_item.cpp:324
 #4      0x000000010003ccb7 in Titanic::CProjectItem::loadGame(int) at
 scummvm/engines/titanic/core/project_item.cpp:173
 #5      0x00000001002df560 in Titanic::CMainGameWindow::draw() at
 scummvm/engines/titanic/main_game_window.cpp:158
 #6      0x00000001002d58e1 in Titanic::CGameManager::update() at
 scummvm/engines/titanic/game_manager.cpp:203
 #7      0x00000001002d1765 in Titanic::Events::pollEvents() at
 scummvm/engines/titanic/events.cpp:103
 #8      0x00000001002d20a0 in Titanic::Events::pollEventsAndWait() at
 scummvm/engines/titanic/events.cpp:109
 #9      0x00000001002e571c in Titanic::TitanicEngine::run() at
 scummvm/engines/titanic/titanic.cpp:144
 #10     0x000000010047ecf6 in runGame(PluginSubclass<MetaEngine> const*,
 OSystem&, Common::String const&) [inlined] at scummvm/base/main.cpp:263
 #11     0x000000010047eb14 in ::scummvm_main(int, const char *const *) at
 scummvm/base/main.cpp:529
 #12     0x0000000100450529 in main at scummvm/backends/platform/sdl/macosx
 /macosx-main.cpp:45
 #13     0x00007fff9b7b05ac in tlv_get_addr ()
 #14     0x0000000000000002 in 0x00000002 ()

 Memory allocated at (1)#0       0x000000010129e2bb in wrap__Znwm ()
 #1      0x0000000100296236 in
 Titanic::CTrueTalkManager::setDialogue(Titanic::CTrueTalkNPC*,
 Titanic::TTroomScript*, Titanic::CViewItem*) at
 scummvm/engines/titanic/true_talk/true_talk_manager.cpp:351
 #2      0x0000000100033b59 in
 Titanic::CGameObject::setTalking(Titanic::CTrueTalkNPC*, bool,
 Titanic::CViewItem*) at scummvm/engines/titanic/core/game_object.cpp:1670
 #3      0x000000010016505f in
 Titanic::CDeskbot::MovieEndMsg(Titanic::CMovieEndMsg*) at
 scummvm/engines/titanic/npcs/deskbot.cpp:151
 #4      0x00000001001443a0 in
 Titanic::CMessage::perform(Titanic::CTreeItem*) at
 scummvm/engines/titanic/messages/messages.cpp:105
 #5      0x0000000100143ef3 in
 Titanic::CMessage::execute(Titanic::CTreeItem*, Titanic::ClassDef const*,
 int) at scummvm/engines/titanic/messages/messages.cpp:58
 #6      0x00000001002d5fe3 in Titanic::CGameManager::updateMovies() at
 scummvm/engines/titanic/game_manager.cpp:241
 #7      0x00000001002d54ea in Titanic::CGameManager::update() at
 scummvm/engines/titanic/game_manager.cpp:167
 #8      0x00000001002dfef8 in Titanic::CMainGameWindow::onIdle() at
 scummvm/engines/titanic/main_game_window.cpp:248
 #9      0x00000001002d1e04 in Titanic::Events::checkForNextFrameCounter()
 at scummvm/engines/titanic/events.cpp:139
 #10     0x00000001002d0dff in Titanic::Events::pollEvents() at
 scummvm/engines/titanic/events.cpp:41
 #11     0x00000001002d20a0 in Titanic::Events::pollEventsAndWait() at
 scummvm/engines/titanic/events.cpp:109
 #12     0x00000001002e571c in Titanic::TitanicEngine::run() at
 scummvm/engines/titanic/titanic.cpp:144
 #13     0x000000010047ecf6 in runGame(PluginSubclass<MetaEngine> const*,
 OSystem&, Common::String const&) [inlined] at scummvm/base/main.cpp:263
 #14     0x000000010047eb14 in ::scummvm_main(int, const char *const *) at
 scummvm/base/main.cpp:529
 #15     0x0000000100450529 in main at scummvm/backends/platform/sdl/macosx
 /macosx-main.cpp:45
 #16     0x00007fff9b7b05ac in tlv_get_addr ()
 #17     0x0000000000000002 in 0x00000002 ()
 }}}

--
Ticket URL: <https://bugs.scummvm.org/ticket/10090>
ScummVM <https://bugs.scummvm.org>

