[Scummvm-tracker] [ScummVM] #10323: FULLPIPE: Main menu, use after free

Bastien Bouclet trac at scummvm.org
Sun Nov 19 06:16:45 CET 2017


#10323: FULLPIPE: Main menu, use after free
--------------------------+------------------------------
Reporter:  bgK            |      Owner:  (none)
    Type:  defect         |     Status:  new
Priority:  normal         |  Component:  Engine: Fullpipe
Keywords:  has-backtrace  |       Game:  Full Pipe
--------------------------+------------------------------
 ScummVM: 64c88d4c4fd069dae321cc576259ef88a7cb2b78
 Game: German full version

 Sometimes the game does a use-after-free while on the main menu. It's
 unclear to me what action causes it to misbehave.

 {{{
 ==7640==ERROR: AddressSanitizer: heap-use-after-free on address
 0x61100042035c at pc 0x55b69f5a749b bp 0x7ffd54628300 sp 0x7ffd546282f0
 READ of size 4 at 0x61100042035c thread T0
     #0 0x55b69f5a749a in Common::Array<int>::size() const
 ../common/array.h:214
     #1 0x55b69f5ffc52 in Fullpipe::Bitmap::putDibCB(unsigned char*,
 Common::Array<int> const&) ../engines/fullpipe/gfx.cpp:892
     #2 0x55b69f5fef53 in Fullpipe::Bitmap::decode(unsigned char*,
 Common::Array<int> const&) ../engines/fullpipe/gfx.cpp:745
     #3 0x55b69f5fc26d in Fullpipe::Picture::getDibInfo()
 ../engines/fullpipe/gfx.cpp:524
     #4 0x55b69f5fbdea in Fullpipe::Picture::init()
 ../engines/fullpipe/gfx.cpp:492
     #5 0x55b69f5fd7af in Fullpipe::Picture::isPixelHitAtPos(int, int)
 ../engines/fullpipe/gfx.cpp:653
     #6 0x55b69f5f8072 in Fullpipe::PictureObject::isPixelHitAtPos(int,
 int) ../engines/fullpipe/gfx.cpp:200
     #7 0x55b69f651e27 in
 Fullpipe::ModalMainMenu::checkHover(Common::Point&)
 ../engines/fullpipe/modal.cpp:1636
     #8 0x55b69f6508f0 in Fullpipe::ModalMainMenu::init(int)
 ../engines/fullpipe/modal.cpp:1491
     #9 0x55b69f5e17c2 in Fullpipe::FullpipeEngine::updateScreen()
 ../engines/fullpipe/fullpipe.cpp:484
     #10 0x55b69f5df200 in Fullpipe::FullpipeEngine::run()
 ../engines/fullpipe/fullpipe.cpp:303
     #11 0x55b69f5b0597 in runGame ../base/main.cpp:263
     #12 0x55b69f5b2d17 in scummvm_main ../base/main.cpp:529
     #13 0x55b69f5abf7e in main ../backends/platform/sdl/posix/posix-
 main.cpp:45
     #14 0x7f62eb8faf69 in __libc_start_main (/usr/lib/libc.so.6+0x20f69)
     #15 0x55b69f5a11f9 in _start
 (/home/bastien/dev/scummvm/build/scummvm+0x1061f9)

 0x61100042035c is located 92 bytes inside of 256-byte region
 [0x611000420300,0x611000420400)
 freed by thread T0 here:
     #0 0x7f62ee7243c9 in operator delete(void*)
 /build/gcc/src/gcc/libsanitizer/asan/asan_new_delete.cc:124
     #1 0x55b69f698c81 in Fullpipe::Scene::~Scene()
 ../engines/fullpipe/scene.cpp:129
     #2 0x55b69f5eb7e2 in Fullpipe::GameLoader::unloadScene(int)
 ../engines/fullpipe/gameloader.cpp:421
     #3 0x55b69f64ff78 in Fullpipe::ModalMainMenu::init(int)
 ../engines/fullpipe/modal.cpp:1433
     #4 0x55b69f5e17c2 in Fullpipe::FullpipeEngine::updateScreen()
 ../engines/fullpipe/fullpipe.cpp:484
     #5 0x55b69f5df200 in Fullpipe::FullpipeEngine::run()
 ../engines/fullpipe/fullpipe.cpp:303
     #6 0x55b69f5b0597 in runGame ../base/main.cpp:263
     #7 0x55b69f5b2d17 in scummvm_main ../base/main.cpp:529
     #8 0x55b69f5abf7e in main ../backends/platform/sdl/posix/posix-
 main.cpp:45
     #9 0x7f62eb8faf69 in __libc_start_main (/usr/lib/libc.so.6+0x20f69)

 previously allocated by thread T0 here:
     #0 0x7f62ee723489 in operator new(unsigned long)
 /build/gcc/src/gcc/libsanitizer/asan/asan_new_delete.cc:80
     #1 0x55b69f6985e6 in Fullpipe::SceneTag::loadScene()
 ../engines/fullpipe/scene.cpp:101
     #2 0x55b69f697a16 in Fullpipe::FullpipeEngine::accessScene(int)
 ../engines/fullpipe/scene.cpp:52
     #3 0x55b69f64d072 in Fullpipe::ModalMainMenu::ModalMainMenu()
 ../engines/fullpipe/modal.cpp:1240
     #4 0x55b69f65c7b7 in Fullpipe::FullpipeEngine::openMainMenu()
 ../engines/fullpipe/modal.cpp:2489
     #5 0x55b69f62c7ef in
 Fullpipe::global_messageHandler1(Fullpipe::ExCommand*)
 ../engines/fullpipe/messagehandlers.cpp:164
     #6 0x55b69f636000 in Fullpipe::ExCommand::handleMessage()
 ../engines/fullpipe/messages.cpp:93
     #7 0x55b69f63d300 in Fullpipe::processMessages()
 ../engines/fullpipe/messages.cpp:875
     #8 0x55b69f5ecfd2 in Fullpipe::GameLoader::updateSystems(int)
 ../engines/fullpipe/gameloader.cpp:568
     #9 0x55b69f5e1697 in Fullpipe::FullpipeEngine::updateScreen()
 ../engines/fullpipe/fullpipe.cpp:482
     #10 0x55b69f5df200 in Fullpipe::FullpipeEngine::run()
 ../engines/fullpipe/fullpipe.cpp:303
     #11 0x55b69f5b0597 in runGame ../base/main.cpp:263
     #12 0x55b69f5b2d17 in scummvm_main ../base/main.cpp:529
     #13 0x55b69f5abf7e in main ../backends/platform/sdl/posix/posix-
 main.cpp:45
     #14 0x7f62eb8faf69 in __libc_start_main (/usr/lib/libc.so.6+0x20f69)
 }}}

--
Ticket URL: <https://bugs.scummvm.org/ticket/10323>
ScummVM <https://bugs.scummvm.org>
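The ASan report above shows the classic shape of this bug: the menu caches references to picture objects owned by a Scene (allocated in SceneTag::loadScene from the ModalMainMenu constructor), the Scene is destroyed by GameLoader::unloadScene during ModalMainMenu::init, and a later checkHover dereferences one of the cached pictures, reading a Common::Array inside the freed 256-byte block. The following is an added illustration, not ScummVM code and not the fix that was eventually applied to the engine: it models that ownership chain with hypothetical stand-in classes (Picture, Scene, MenuRawPointers, MenuWeakHandles, loadScene) and shows the raw-pointer cache beside a hardened variant that holds non-owning weak_ptr handles, so a stale menu degrades to "no hit" and can report that its handles expired instead of reading freed memory.

```cpp
#include <cstdio>
#include <memory>
#include <utility>
#include <vector>

// Hypothetical stand-in for the picture objects the report dereferences.
struct Picture {
    std::vector<int> palette;   // stands in for the Common::Array<int> read at gfx.cpp:892
    int width, height;
    Picture(std::vector<int> pal, int w, int h)
        : palette(std::move(pal)), width(w), height(h) {}

    // Hit test that touches the palette array, as the reported stack does.
    bool isPixelHitAtPos(int x, int y) const {
        return !palette.empty() && x >= 0 && y >= 0 && x < width && y < height;
    }
};

// The Scene is the sole owner of its pictures; destroying it frees them.
struct Scene {
    std::vector<std::shared_ptr<Picture>> pictures;
};

// Stand-in for SceneTag::loadScene(): builds a constructed two-picture scene.
std::unique_ptr<Scene> loadScene() {
    std::unique_ptr<Scene> scene(new Scene());
    scene->pictures.push_back(std::make_shared<Picture>(std::vector<int>{0, 1, 2}, 100, 20));
    scene->pictures.push_back(std::make_shared<Picture>(std::vector<int>{0, 1, 2}, 100, 40));
    return scene;
}

// Pattern the report exhibits: the menu caches raw pointers into scene-owned
// objects. Once the Scene is destroyed every pointer here dangles, and
// checkHover() becomes the heap-use-after-free ASan flagged.
struct MenuRawPointers {
    std::vector<Picture*> items;
    explicit MenuRawPointers(const Scene& s) {
        for (const auto& p : s.pictures) items.push_back(p.get());
    }
    int checkHover(int x, int y) const {   // only valid while the Scene is alive
        for (size_t i = 0; i < items.size(); ++i)
            if (items[i]->isPixelHitAtPos(x, y)) return static_cast<int>(i);
        return -1;
    }
};

// Hardened variant: non-owning handles. lock() yields null once the owner is
// gone, so the hover check never touches freed memory and the caller learns
// how many cached items went stale (a cheap assertion point in debug builds).
struct MenuWeakHandles {
    std::vector<std::weak_ptr<Picture>> items;
    explicit MenuWeakHandles(const Scene& s) {
        for (const auto& p : s.pictures) items.push_back(p);
    }
    int checkHover(int x, int y, int* staleCount) const {
        int stale = 0, hit = -1;
        for (size_t i = 0; i < items.size(); ++i) {
            if (std::shared_ptr<Picture> pic = items[i].lock()) {
                if (hit < 0 && pic->isPixelHitAtPos(x, y)) hit = static_cast<int>(i);
            } else {
                ++stale;
            }
        }
        if (staleCount) *staleCount = stale;
        return hit;
    }
};

struct HoverResult { int hit; int stale; };

// Sequence from the report: build the menu, unload the scene, then hover.
HoverResult hoverAfterUnload() {
    std::unique_ptr<Scene> scene = loadScene();   // accessScene() / loadScene()
    MenuWeakHandles menu(*scene);                  // ModalMainMenu constructor
    scene.reset();                                 // GameLoader::unloadScene()
    HoverResult r;
    r.hit = menu.checkHover(50, 30, &r.stale);     // ModalMainMenu::checkHover()
    return r;                                      // hit == -1, stale == 2
}

// Same check while the scene is still loaded: (50,30) hits only the 100x40 picture.
HoverResult hoverWhileLoaded() {
    std::unique_ptr<Scene> scene = loadScene();
    MenuWeakHandles menu(*scene);
    HoverResult r;
    r.hit = menu.checkHover(50, 30, &r.stale);
    return r;                                      // hit == 1, stale == 0
}

// The raw-pointer menu gives the same answer as long as the owner is alive.
int rawHoverWhileLoaded() {
    std::unique_ptr<Scene> scene = loadScene();
    MenuRawPointers menu(*scene);
    return menu.checkHover(50, 30);                // 1
}

int main() {
    HoverResult live = hoverWhileLoaded(), gone = hoverAfterUnload();
    std::printf("loaded: hit=%d stale=%d\n", live.hit, live.stale);
    std::printf("unloaded: hit=%d stale=%d\n", gone.hit, gone.stale);
    std::printf("raw while loaded: hit=%d\n", rawHoverWhileLoaded());
    return 0;
}
```

The raw-pointer menu is deliberately never hovered after the scene is reset in this program; doing so would reproduce the report under ASan. Which of the two lifetimes should change in the engine (keep the scene alive while the menu exists, or invalidate the menu's cached pictures when the scene goes) is a design decision the ticket does not settle; the weak handle only makes the stale state observable and harmless.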