[Scummvm-tracker] [ScummVM :: Bugs] #11547: CINE: FW: Game crashes during intro with MT-32 music

ScummVM :: Bugs trac at scummvm.org
Wed Jul 29 12:13:25 UTC 2020 

#11547: CINE: FW: Game crashes during intro with MT-32 music
-------------------------+--------------------------
Reporter:  eriktorbjorn  |      Owner:  (none)
    Type:  defect        |     Status:  new
Priority:  normal        |  Component:  Engine: Cine
Keywords:                |       Game:  Future Wars
-------------------------+--------------------------
 Playing the DOS non-CD version of Future Wars with MT-32 emulation, the
 game crashes during the intro when the bucket falls over. This is the
 final readable part of the backtrace:

 {{{
 #7  0x00005555582e2d3e in SdlMutexManager::unlockMutex(OpaqueMutex*)
     (this=0x0, mutex=0xffffffff5a6eb960) at backends/mutex/sdl/sdl-
 mutex.cpp:40
 #8  0x00005555560edbef in Cine::MidiSoundDriverH32::playSample(unsigned
 char const*, int, int, int)
     (this=0x55555a6eb930, data=0x55555b141cd0 "\200seau__75  \b\b\017",
 size=0, channel=0, volume=80) at engines/cine/sound.cpp:771
 #9  0x00005555560ef878 in Cine::PCSound::playSound(int, int, unsigned char
 const*, int, int, int, int, int)
     (this=0x55555a6c7830, channel=0, frequency=0, data=0x55555b141cd0
 "\200seau__75  \b\b\017", size=0, volumeStep=0, stepCount=0, volume=50,
 repeat=0)
     at engines/cine/sound.cpp:1334
 #10 0x00005555560cb6b6 in Cine::FWScript::o1_playSample()
 (this=0x55555b148cc0)
     at engines/cine/script_fw.cpp:1905
 }}}

 The culprit seems to be this bit in o1_playSample():

 {{{
                 if (size == 0xFFFF) {
                         g_sound->playSound(channel, 0, data, 0, 0, 0,
 volume, 0);
                 } else {
 }}}

 I don't know what the purpose of this is, playing a 0-byte sound effect at
 0 Hz, but when it gets to MidiSoundDriverH32::playSample() it subtracts 1
 from size before passing it on to writeInstrument(). There it uses
 MIN(246, size) for copySize, getting -1, which is then passed as the size
 parameter to memcpy(). That parameter is a size_t, which is apparently
 unsigned. When -1 is cast to unsigned it becomes something very large
 instead. Much larger than the 254-byte buffer it's copying to.
-- 
Ticket URL: <https://bugs.scummvm.org/ticket/11547>
ScummVM :: Bugs <https://bugs.scummvm.org>
ScummVM

More information about the Scummvm-tracker mailing list