[Scummvm-tracker] [ScummVM] #10236: TITANIC: use-after-free in QSoundManager on engine shutdown
Colin Snover
trac at scummvm.org
Sun Sep 24 19:24:45 CEST 2017
#10236: TITANIC: use-after-free in QSoundManager on engine shutdown
--------------------+------------------------------
Reporter: csnover | Owner: (none)
Type: defect | Status: new
Priority: normal | Component: Engine: Titanic
Keywords: | Game: Starship Titanic
--------------------+------------------------------
Returning to the launcher (RTL) from the top of the well triggers a use-after-free that ends in a double free during engine shutdown. In the first trace, Titanic::CWaveFile::~CWaveFile() (wave_file.cpp:76) is running on a CWaveFile whose memory has already been released; both this second destruction and the earlier free come from Titanic::QMixer::ChannelEntry::~ChannelEntry() (qmixer.cpp:246) while Common::Array<ChannelEntry>::clear() runs inside QMixer::qsWaveMixCloseSession() (qmixer.cpp:60), called from QSoundManager::~QSoundManager() (sound_manager.cpp:119). That pattern suggests two ChannelEntry elements end up holding the same CWaveFile pointer and each deletes it (for example if an entry is copied with its pointer when the array is resized) — to be confirmed against qmixer.cpp. The object was allocated by QSoundManager::loadSound() (sound_manager.cpp:123) when a CRoomAutoSoundPlayer started playing on entering the room after a CRestrictedMove click changed the view, so the steps are: move into the well view so its room auto-sound starts, then RTL. The bug is on the shutdown path and is triggered by local player input, so the expected impact is a crash or heap corruption at exit rather than a remote issue, but a double free should be fixed at the ownership level rather than worked around.
{{{
#5 0x00000001003a7245 in Titanic::CWaveFile::~CWaveFile() at
scummvm/engines/titanic/sound/wave_file.cpp:76
#6 0x00000001003a7425 in Titanic::CWaveFile::~CWaveFile() at
scummvm/engines/titanic/sound/wave_file.cpp:74
#7 0x00000001003834bd in
Titanic::QMixer::ChannelEntry::~ChannelEntry() at
scummvm/engines/titanic/sound/qmixer.cpp:246
#8 0x0000000100383595 in
Titanic::QMixer::ChannelEntry::~ChannelEntry() at
scummvm/engines/titanic/sound/qmixer.cpp:244
#9 0x0000000100383afb in
Common::Array<Titanic::QMixer::ChannelEntry>::freeStorage(Titanic::QMixer::ChannelEntry*,
unsigned int) at scummvm/./common/array.h:318
#10 0x000000010037f036 in
Common::Array<Titanic::QMixer::ChannelEntry>::clear() at
scummvm/./common/array.h:217
#11 0x000000010037f67c in Titanic::QMixer::qsWaveMixCloseSession() at
scummvm/engines/titanic/sound/qmixer.cpp:60
#12 0x0000000100396be9 in Titanic::QSoundManager::~QSoundManager() at
scummvm/engines/titanic/sound/sound_manager.cpp:119
#13 0x0000000100396c95 in Titanic::QSoundManager::~QSoundManager() at
scummvm/engines/titanic/sound/sound_manager.cpp:117
#14 0x000000010058f123 in Titanic::CSound::~CSound() at
scummvm/engines/titanic/sound/sound.h:60
#15 0x00000001005885c5 in Titanic::CSound::~CSound() at
scummvm/engines/titanic/sound/sound.h:60
#16 0x000000010058824b in Titanic::CGameManager::~CGameManager() at
scummvm/engines/titanic/game_manager.cpp:56
#17 0x0000000100588625 in Titanic::CGameManager::~CGameManager() at
scummvm/engines/titanic/game_manager.cpp:50
#18 0x000000010059cf77 in Titanic::CMainGameWindow::~CMainGameWindow()
at scummvm/engines/titanic/main_game_window.cpp:53
#19 0x000000010059d065 in Titanic::CMainGameWindow::~CMainGameWindow()
at scummvm/engines/titanic/main_game_window.cpp:51
#20 0x000000010059d089 in Titanic::CMainGameWindow::~CMainGameWindow()
at scummvm/engines/titanic/main_game_window.cpp:51
#21 0x00000001005a7fab in Titanic::TitanicEngine::deinitialize() at
scummvm/engines/titanic/titanic.cpp:134
#22 0x00000001005a82ab in Titanic::TitanicEngine::run() at
scummvm/engines/titanic/titanic.cpp:160
#23 0x00000001008c9251 in runGame(PluginSubclass<MetaEngine> const*,
OSystem&, Common::String const&) at scummvm/base/main.cpp:263
}}}
Memory already deallocated at (the first destruction of the same CWaveFile, also from ChannelEntry::~ChannelEntry() in the same qsWaveMixCloseSession() call chain):
{{{
#1 0x00000001003834c5 in
Titanic::QMixer::ChannelEntry::~ChannelEntry() at
scummvm/engines/titanic/sound/qmixer.cpp:246
#2 0x0000000100383594 in
Titanic::QMixer::ChannelEntry::~ChannelEntry() at
scummvm/engines/titanic/sound/qmixer.cpp:244
#3 0x0000000100383afa in
Common::Array<Titanic::QMixer::ChannelEntry>::freeStorage(Titanic::QMixer::ChannelEntry*,
unsigned int) at scummvm/./common/array.h:318
#4 0x000000010037f035 in
Common::Array<Titanic::QMixer::ChannelEntry>::clear() at
scummvm/./common/array.h:217
#5 0x000000010037f67b in Titanic::QMixer::qsWaveMixCloseSession() at
scummvm/engines/titanic/sound/qmixer.cpp:60
#6 0x0000000100396be8 in Titanic::QSoundManager::~QSoundManager() at
scummvm/engines/titanic/sound/sound_manager.cpp:119
#7 0x0000000100396c94 in Titanic::QSoundManager::~QSoundManager() at
scummvm/engines/titanic/sound/sound_manager.cpp:117
#8 0x000000010058f122 in Titanic::CSound::~CSound() at
scummvm/engines/titanic/sound/sound.h:60
#9 0x00000001005885c4 in Titanic::CSound::~CSound() at
scummvm/engines/titanic/sound/sound.h:60
#10 0x000000010058824a in Titanic::CGameManager::~CGameManager() at
scummvm/engines/titanic/game_manager.cpp:56
#11 0x0000000100588624 in Titanic::CGameManager::~CGameManager() at
scummvm/engines/titanic/game_manager.cpp:50
#12 0x000000010059cf76 in Titanic::CMainGameWindow::~CMainGameWindow()
at scummvm/engines/titanic/main_game_window.cpp:53
#13 0x000000010059d064 in Titanic::CMainGameWindow::~CMainGameWindow()
at scummvm/engines/titanic/main_game_window.cpp:51
#14 0x000000010059d088 in Titanic::CMainGameWindow::~CMainGameWindow()
at scummvm/engines/titanic/main_game_window.cpp:51
#15 0x00000001005a7faa in Titanic::TitanicEngine::deinitialize() at
scummvm/engines/titanic/titanic.cpp:134
#16 0x00000001005a82aa in Titanic::TitanicEngine::run() at
scummvm/engines/titanic/titanic.cpp:160
#17 0x00000001008c9250 in runGame(PluginSubclass<MetaEngine> const*,
OSystem&, Common::String const&) at scummvm/base/main.cpp:263
}}}
Memory allocated by (the CWaveFile created by QSoundManager::loadSound() when the room's auto sound player turned on after the view change):
{{{
#1 0x0000000100396e37 in
Titanic::QSoundManager::loadSound(Titanic::CString const&) at
scummvm/engines/titanic/sound/sound_manager.cpp:123
#2 0x0000000100390759 in Titanic::CSound::loadSound(Titanic::CString
const&) at scummvm/engines/titanic/sound/sound.cpp:138
#3 0x0000000100390bca in Titanic::CSound::playSound(Titanic::CString
const&, Titanic::CProximity&) at
scummvm/engines/titanic/sound/sound.cpp:158
#4 0x000000010005964a in
Titanic::CGameObject::playSound(Titanic::CString const&,
Titanic::CProximity&) at scummvm/engines/titanic/core/game_object.cpp:804
#5 0x000000010036049c in
Titanic::CAutoSoundPlayer::TurnOn(Titanic::CTurnOn*) at
scummvm/engines/titanic/sound/auto_sound_player.cpp:81
#6 0x0000000100266d93 in
Titanic::CMessage::perform(Titanic::CTreeItem*) at
scummvm/engines/titanic/messages/messages.cpp:107
#7 0x00000001002660ce in
Titanic::CMessage::execute(Titanic::CTreeItem*, Titanic::ClassDef const*,
int) at scummvm/engines/titanic/messages/messages.cpp:60
#8 0x0000000100386ffb in
Titanic::CRoomAutoSoundPlayer::EnterRoomMsg(Titanic::CEnterRoomMsg*) at
scummvm/engines/titanic/sound/room_auto_sound_player.cpp:46
#9 0x0000000100266d93 in
Titanic::CMessage::perform(Titanic::CTreeItem*) at
scummvm/engines/titanic/messages/messages.cpp:107
#10 0x00000001002660ce in
Titanic::CMessage::execute(Titanic::CTreeItem*, Titanic::ClassDef const*,
int) at scummvm/engines/titanic/messages/messages.cpp:60
#11 0x0000000100117af2 in
Titanic::CViewItem::enterView(Titanic::CViewItem*) at
scummvm/engines/titanic/core/view_item.cpp:163
#12 0x0000000100593e43 in
Titanic::CGameState::changeView(Titanic::CViewItem*, Titanic::CMovieClip*)
at scummvm/engines/titanic/game_state.cpp:153
#13 0x0000000100084328 in
Titanic::CProjectItem::changeView(Titanic::CString const&,
Titanic::CString const&) at
scummvm/engines/titanic/core/project_item.cpp:655
#14 0x0000000100060967 in
Titanic::CGameObject::changeView(Titanic::CString const&) at
scummvm/engines/titanic/core/game_object.cpp:1219
#15 0x000000010027e436 in
Titanic::CRestrictedMove::MouseButtonDownMsg(Titanic::CMouseButtonDownMsg*)
at scummvm/engines/titanic/moves/restricted_move.cpp:54
#16 0x0000000100266d93 in
Titanic::CMessage::perform(Titanic::CTreeItem*) at
scummvm/engines/titanic/messages/messages.cpp:107
#17 0x00000001002660ce in
Titanic::CMessage::execute(Titanic::CTreeItem*, Titanic::ClassDef const*,
int) at scummvm/engines/titanic/messages/messages.cpp:60
#18 0x0000000100118d9f in
Titanic::CViewItem::handleMouseMsg(Titanic::CMouseMsg*, bool) at
scummvm/engines/titanic/core/view_item.cpp:295
#19 0x00000001001139b1 in
Titanic::CViewItem::MouseButtonDownMsg(Titanic::CMouseButtonDownMsg*) at
scummvm/engines/titanic/core/view_item.cpp:190
#20 0x0000000100266d93 in
Titanic::CMessage::perform(Titanic::CTreeItem*) at
scummvm/engines/titanic/messages/messages.cpp:107
#21 0x00000001002660ce in
Titanic::CMessage::execute(Titanic::CTreeItem*, Titanic::ClassDef const*,
int) at scummvm/engines/titanic/messages/messages.cpp:60
#22 0x00000001005993a1 in
Titanic::CInputHandler::dispatchMessage(Titanic::CMessage*) at
scummvm/engines/titanic/input_handler.cpp:156
#23 0x0000000100597992 in
Titanic::CInputHandler::processMessage(Titanic::CMessage*) at
scummvm/engines/titanic/input_handler.cpp:84
#24 0x00000001005974f6 in
Titanic::CInputHandler::handleMessage(Titanic::CMessage&, bool) at
scummvm/engines/titanic/input_handler.cpp:72
#25 0x000000010059a4a1 in
Titanic::CInputTranslator::leftButtonDown(int, Common::Point const&) at
scummvm/engines/titanic/input_translator.cpp:55
#26 0x00000001005a0e6a in
Titanic::CMainGameWindow::leftButtonDown(Common::Point const&) at
scummvm/engines/titanic/main_game_window.cpp:294
#27 0x0000000100581b72 in Titanic::Events::pollEvents() at
scummvm/engines/titanic/events.cpp:61
#28 0x000000010058357f in Titanic::Events::pollEventsAndWait() at
scummvm/engines/titanic/events.cpp:112
#29 0x00000001005a829c in Titanic::TitanicEngine::run() at
scummvm/engines/titanic/titanic.cpp:157
}}}
Build 1.10.0git-5034-ge816841e8e
--
Ticket URL: <https://bugs.scummvm.org/ticket/10236>
ScummVM <https://bugs.scummvm.org>