[Scummvm-tracker] [ScummVM] #9880: TITANIC: Starship Titanic: Deskbot crash on return respond
    Willem Jan Palenstijn 
    trac at scummvm.org
    Tue Jul 11 00:14:21 CEST 2017

#9880: TITANIC: Starship Titanic: Deskbot crash on return respond
-------------------------------+-----------------------------
  Reporter:  dafioram          |      Owner:  dreammaster
      Type:  defect            |     Status:  new
  Priority:  high              |  Component:  Engine: Titanic
Resolution:                    |   Keywords:
      Game:  Starship Titanic  |
-------------------------------+-----------------------------
Comment (by wjp):
 The problem might be that `TTquotesTree::search` seems to expect its
 `TTtreeResult *buffer` to be a buffer of multiple `TTtreeResult` objects.
 (Since `search1` happily accesses `buffer + 1` and further by recursing.)
 `DeskbotScript::searchQuotes()` calls it with only a single `TTtreeResult`
 object.
 Other functions seem to call it with a similar pattern.
 Valgrind points at two more suspicious things here, although I suspect the
 one above is the actual culprit: `CWaveFile::audioStream` tells the
 `MemoryReadStream` to dispose of `_waveData` at end with `free`, even
 though it is allocated with `new[]`. And `TTparser::filterConcepts`
 accesses deleted data when doing `currP = currP->_nextP` after deleting
 `currP` in `removeConcept(currP)`.
--
Ticket URL: <https://bugs.scummvm.org/ticket/9880#comment:5>
ScummVM <https://bugs.scummvm.org>
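The two memory-safety patterns named in the comment above, as an added illustration that is not ScummVM's code: a recursive result writer that takes an explicit capacity so a caller passing a single object cannot be overrun, and a linked-list filter that reads the successor link before the current node is deleted instead of dereferencing freed memory. The `Concept`, `TreeResult`, `buildList`, `fillResults` and `isEven` names are hypothetical stand-ins; only the `_nextP` field name is taken from the ticket.

```cpp
#include <cstddef>
#include <iostream>
#include <vector>

// Illustrative types only (not ScummVM's own classes); the `_nextP` link
// mirrors the field named in the ticket comment.
struct Concept {
    int tag;
    Concept *_nextP;
};

struct TreeResult {
    int _id;
};

// Build a constructed list from a vector of tags (caller frees with freeList).
Concept *buildList(const std::vector<int> &tags) {
    Concept *head = nullptr;
    Concept **tail = &head;
    for (int t : tags) {
        *tail = new Concept{t, nullptr};
        tail = &(*tail)->_nextP;
    }
    return head;
}

// Unlink `node` from the list rooted at *headP and delete it.
void removeConcept(Concept **headP, Concept *node) {
    for (Concept **pp = headP; *pp != nullptr; pp = &(*pp)->_nextP) {
        if (*pp == node) {
            *pp = node->_nextP;
            delete node;
            return;
        }
    }
}

// Filter that removes every node matching `shouldRemove`. The successor is
// read into `nextP` BEFORE removeConcept() frees currP, so the loop never
// evaluates currP->_nextP on deleted memory (the pattern the comment flags).
int filterConcepts(Concept **headP, bool (*shouldRemove)(const Concept &)) {
    int removed = 0;
    Concept *currP = *headP;
    while (currP != nullptr) {
        Concept *nextP = currP->_nextP;   // capture the link first
        if (shouldRemove(*currP)) {
            removeConcept(headP, currP);  // currP is dangling after this
            ++removed;
        }
        currP = nextP;                    // advance from the saved link
    }
    return removed;
}

// Collect the tags of the surviving nodes, in order.
std::vector<int> collectTags(const Concept *head) {
    std::vector<int> out;
    for (; head != nullptr; head = head->_nextP)
        out.push_back(head->tag);
    return out;
}

void freeList(Concept *head) {
    while (head != nullptr) {
        Concept *nextP = head->_nextP;
        delete head;
        head = nextP;
    }
}

// Recursive result writer with an explicit capacity. Each level writes
// buffer[0] and recurses into buffer + 1, the shape the comment describes
// for search1(); the capacity argument is what stops it from running past
// a caller that supplied a single object. Returns the number of slots written.
size_t fillResults(TreeResult *buffer, size_t capacity, int depth) {
    if (capacity == 0 || depth <= 0)
        return 0;
    buffer[0]._id = depth;
    return 1 + fillResults(buffer + 1, capacity - 1, depth - 1);
}

bool isEven(const Concept &c) { return c.tag % 2 == 0; }

int main() {
    Concept *list = buildList({1, 2, 3, 4, 5, 6});   // constructed input
    int removed = filterConcepts(&list, isEven);
    std::cout << "removed " << removed << ", remaining:";
    for (int t : collectTags(list))
        std::cout << ' ' << t;
    std::cout << '\n';
    freeList(list);

    TreeResult single;
    TreeResult many[8];
    std::cout << "single-object buffer took " << fillResults(&single, 1, 5)
              << " result(s), 8-slot buffer took " << fillResults(many, 8, 5)
              << '\n';
    return 0;
}
```

The same discipline applies to the `new[]`/`free` mismatch also noted above: whichever allocator produced a block decides how it is released, so a stream that takes ownership must be told the matching deallocator. Building with a sanitizer (`-fsanitize=address`) or running under Valgrind, as the comment did, flags all three patterns at the first bad access rather than at the later crash.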