[Scummvm-tracker] [ScummVM] #9653: FULLPIPE: Irregular crash when starting

Sun Nov 19 23:43:48 CET 2017

#9653: FULLPIPE: Irregular crash when starting
--------------------------+------------------------------
  Reporter:  windlepoons  |      Owner:  (none)
      Type:  defect       |     Status:  new
  Priority:  blocker      |  Component:  Engine: Fullpipe
Resolution:               |   Keywords:  has-backtrace
      Game:               |
--------------------------+------------------------------

Comment (by csnover):

 After fixing the data race I now find the MP3 decoder usually doing an
 out-of-bounds read and crash:

 1. The `_synth.pcm.length` size is larger than the fixed-size buffers in
 `mad_pcm` so using that unchecked in `BaseMP3Stream::fillBuffer` causes an
 out-of-bounds read of the sample buffers.
 2. libmad itself is crashing at frame.c:453 with an out-of-bounds read
 because it does no bounds checking and has apparently a bad value for the
 header’s `layer` type that is out of range. Not sure yet if this is
 because the header has not been properly initialised or because it has
 been initialised with bad data.

 Investigation is ongoing…

--
Ticket URL: <https://bugs.scummvm.org/ticket/9653#comment:7>
ScummVM <https://bugs.scummvm.org>
ScummVM