[Scummvm-tracker] [ScummVM] #10330: FULLPIPE: Credits, use after free

Bastien Bouclet trac at scummvm.org
Sat Nov 25 19:30:06 CET 2017


#10330: FULLPIPE: Credits, use after free
--------------------------+------------------------------
Reporter:  bgK            |      Owner:  (none)
    Type:  defect         |     Status:  new
Priority:  blocker        |  Component:  Engine: Fullpipe
Keywords:  has-backtrace  |       Game:  Full Pipe
--------------------------+------------------------------
 ScummVM: Linux / 883fd87e8f665c5621f88d7ca8e0c27cbc274ed8
 Game: Fullpipe German full version

 Fullpipe does a use after free just before the credits when completing
 the game.

 {{{
 ==16300==ERROR: AddressSanitizer: heap-use-after-free on address
 0x61100018339c at pc 0x55c81b2f377b bp 0x7ffddeec0200 sp 0x7ffddeec01f0
 READ of size 4 at 0x61100018339c thread T0
     #0 0x55c81b2f377a in Common::Array<int>::size() const
 ../common/array.h:214
     #1 0x55c81b34bf32 in Fullpipe::Bitmap::putDibCB(unsigned char*,
 Common::Array<int> const&) ../engines/fullpipe/gfx.cpp:892
     #2 0x55c81b34b233 in Fullpipe::Bitmap::decode(unsigned char*,
 Common::Array<int> const&) ../engines/fullpipe/gfx.cpp:745
     #3 0x55c81b34854d in Fullpipe::Picture::getDibInfo()
 ../engines/fullpipe/gfx.cpp:524
     #4 0x55c81b3480ca in Fullpipe::Picture::init()
 ../engines/fullpipe/gfx.cpp:492
     #5 0x55c81b34d79e in Fullpipe::BigPicture::draw(int, int, int, int)
 ../engines/fullpipe/gfx.cpp:1081
     #6 0x55c81b3ea9c6 in Fullpipe::Scene::drawContent(int, int, bool)
 ../engines/fullpipe/scene.cpp:723
     #7 0x55c81b3e8726 in Fullpipe::Scene::draw()
 ../engines/fullpipe/scene.cpp:511
     #8 0x55c81b34e7e7 in
 Fullpipe::FullpipeEngine::sceneFade(Fullpipe::Scene*, bool)
 ../engines/fullpipe/gfx.cpp:1185
     #9 0x55c81b398f39 in Fullpipe::ModalCredits::update()
 ../engines/fullpipe/modal.cpp:1221
     #10 0x55c81b32db38 in Fullpipe::FullpipeEngine::updateScreen()
 ../engines/fullpipe/fullpipe.cpp:485
     #11 0x55c81b32b4e0 in Fullpipe::FullpipeEngine::run()
 ../engines/fullpipe/fullpipe.cpp:303
     #12 0x55c81b2fc877 in runGame ../base/main.cpp:263
     #13 0x55c81b2feff7 in scummvm_main ../base/main.cpp:529
     #14 0x55c81b2f825e in main ../backends/platform/sdl/posix/posix-
 main.cpp:45
     #15 0x7f5750814f69 in __libc_start_main (/usr/lib/libc.so.6+0x20f69)
     #16 0x55c81b2ed399 in _start
 (/home/bastien/dev/scummvm/build/scummvm+0x106399)

 0x61100018339c is located 92 bytes inside of 256-byte region
 [0x611000183340,0x611000183440)
 freed by thread T0 here:
     #0 0x7f575363d3c9 in operator delete(void*)
 /build/gcc/src/gcc/libsanitizer/asan/asan_new_delete.cc:124
     #1 0x55c81b3e4f5b in Fullpipe::Scene::~Scene()
 ../engines/fullpipe/scene.cpp:129
     #2 0x55c81b337ac2 in Fullpipe::GameLoader::unloadScene(int)
 ../engines/fullpipe/gameloader.cpp:421
     #3 0x55c81b397b14 in Fullpipe::ModalFinal::unloadScenes()
 ../engines/fullpipe/modal.cpp:1100
     #4 0x55c81b3979b1 in Fullpipe::ModalFinal::init(int)
 ../engines/fullpipe/modal.cpp:1090
     #5 0x55c81b32daa2 in Fullpipe::FullpipeEngine::updateScreen()
 ../engines/fullpipe/fullpipe.cpp:484
     #6 0x55c81b32b4e0 in Fullpipe::FullpipeEngine::run()
 ../engines/fullpipe/fullpipe.cpp:303
     #7 0x55c81b2fc877 in runGame ../base/main.cpp:263
     #8 0x55c81b2feff7 in scummvm_main ../base/main.cpp:529
     #9 0x55c81b2f825e in main ../backends/platform/sdl/posix/posix-
 main.cpp:45
     #10 0x7f5750814f69 in __libc_start_main (/usr/lib/libc.so.6+0x20f69)

 previously allocated by thread T0 here:
     #0 0x7f575363c489 in operator new(unsigned long)
 /build/gcc/src/gcc/libsanitizer/asan/asan_new_delete.cc:80
     #1 0x55c81b3e48c0 in Fullpipe::SceneTag::loadScene()
 ../engines/fullpipe/scene.cpp:101
     #2 0x55c81b3349fa in Fullpipe::GameLoader::loadScene(int)
 ../engines/fullpipe/gameloader.cpp:162
     #3 0x55c81b50b82b in Fullpipe::sceneFinal_initScene()
 ../engines/fullpipe/scenes/sceneFinal.cpp:47
     #4 0x55c81b3fbcb9 in
 Fullpipe::FullpipeEngine::sceneSwitcher(Fullpipe::EntranceInfo const&)
 ../engines/fullpipe/scenes.cpp:1100
     #5 0x55c81b3353e6 in Fullpipe::GameLoader::gotoScene(int, int)
 ../engines/fullpipe/gameloader.cpp:210
     #6 0x55c81b37a917 in
 Fullpipe::global_messageHandler3(Fullpipe::ExCommand*)
 ../engines/fullpipe/messagehandlers.cpp:379
     #7 0x55c81b3822da in Fullpipe::ExCommand::handleMessage()
 ../engines/fullpipe/messages.cpp:93
     #8 0x55c81b3895da in Fullpipe::processMessages()
 ../engines/fullpipe/messages.cpp:875
     #9 0x55c81b3392b2 in Fullpipe::GameLoader::updateSystems(int)
 ../engines/fullpipe/gameloader.cpp:568
     #10 0x55c81b32d977 in Fullpipe::FullpipeEngine::updateScreen()
 ../engines/fullpipe/fullpipe.cpp:482
     #11 0x55c81b32b4e0 in Fullpipe::FullpipeEngine::run()
 ../engines/fullpipe/fullpipe.cpp:303
     #12 0x55c81b2fc877 in runGame ../base/main.cpp:263
     #13 0x55c81b2feff7 in scummvm_main ../base/main.cpp:529
     #14 0x55c81b2f825e in main ../backends/platform/sdl/posix/posix-
 main.cpp:45
     #15 0x7f5750814f69 in __libc_start_main (/usr/lib/libc.so.6+0x20f69)
 }}}

 Steps to reproduce:
 - Load the attached save
 - Pick up the coin

 This might be a duplicate of #10323.

--
Ticket URL: <https://bugs.scummvm.org/ticket/10330>
ScummVM <https://bugs.scummvm.org>
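The ownership mistake the trace shows, reduced to a self-contained added example (not ScummVM code; `Scene`, `PictureUnsafe` and `PictureSafe` are hypothetical stand-ins for the engine's `Scene`/`Bitmap`, and the `Common::Array<int>` that `putDibCB` reads is assumed here to be a palette): a credits picture keeps a pointer to an array owned by a scene that `ModalFinal::unloadScenes()` has already destroyed, while the hardened variant detects the unloaded owner instead of reading freed memory.

```cpp
#include <memory>
#include <utility>
#include <vector>

// Hypothetical stand-ins for the objects in the backtrace: a Scene owns an
// int array (assumed palette) that a picture drawn later needs to decode.
struct Scene {
    std::shared_ptr<const std::vector<int>> palette;
    explicit Scene(std::vector<int> pal)
        : palette(std::make_shared<const std::vector<int>>(std::move(pal))) {}
};

// Shape of the reported bug: a non-owning pointer into the scene. Once the
// Scene is destroyed, palette->size() reads freed memory (ASan's report).
struct PictureUnsafe {
    const std::vector<int> *palette;            // lifetime not tracked
    int decode() const { return (int)palette->size(); }
};

// Hardened shape: a weak_ptr lets a draw after unload be detected and skipped.
struct PictureSafe {
    std::weak_ptr<const std::vector<int>> palette;
    // Returns the entry count, or -1 if the owning scene was unloaded.
    int decode() const {
        if (auto p = palette.lock())
            return (int)p->size();
        return -1;
    }
};

// Reproduces the call order from the trace: load the final scene, set up the
// credits picture, unload the scene (ModalFinal::unloadScenes), then draw
// (ModalCredits::update -> sceneFade -> draw). Palette values are constructed.
int drawCreditsAfterUnload() {
    auto scene = std::make_unique<Scene>(std::vector<int>{0x000000, 0xffffff, 0xff0000});
    PictureSafe credits{scene->palette};
    int whileLoaded = credits.decode();     // 3: palette still owned
    scene.reset();                          // scene unloaded, palette freed
    int afterUnload = credits.decode();     // -1: detected, no freed read
    return whileLoaded == 3 ? afterUnload : -2;
}

// Same sequence with the unsafe picture, stopped before the unload: while the
// owner lives the raw pointer works, so the bug only shows at the transition.
int drawCreditsWhileLoaded() {
    Scene scene({0x000000, 0xffffff, 0xff0000});
    PictureUnsafe credits{scene.palette.get()};
    return credits.decode();                // 3
}
```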