[Scummvm-tracker] [ScummVM :: Bugs] #12776: SCUMM: Use after free error in DOTT intro
ScummVM :: Bugs
trac at scummvm.org
Sun Aug 1 22:04:53 UTC 2021
#12776: SCUMM: Use after free error in DOTT intro
-------------------+----------------------------------
Reporter: criezy | Owner: (none)
Type: defect | Status: new
Priority: normal | Component: Engine: SCUMM
Version: | Resolution:
Keywords: | Game: Day of the Tentacle
-------------------+----------------------------------
Comment (by criezy):
This particular issue was introduced in 0af83d3faa (KYRA/MIDI: Fix minor
MT-32/GM issues).
However, even before that commit there was already a use after free error,
just not in the same place (one level above in MidiParser::onTimer()).
The core of the issue is that on line 280 of `MidiParser::processEvent()`
the call to `_driver->sysExNoDelay()` results in a
`Scumm::IMuseInternal::stopSound_internal()` that deletes the MidiDriver.
So any code in the MidiDriver that gets executed after that line and
accesses a member variable results in a use after free error.
I have however no idea how that could be fixed. Could
`Scumm::IMuseInternal::stopSound_internal()` delay the deletion of the
`MidiDriver` for example?
--
Ticket URL: <https://bugs.scummvm.org/ticket/12776#comment:3>
ScummVM :: Bugs <https://bugs.scummvm.org>
ScummVM
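An added C++ model of the re-entrancy hazard the comment describes, and of the deferred-deletion mitigation it asks about. This is example code written for this page, not ScummVM's own code: the class names `MidiDriver`, `IMuseUnsafe` and `IMuseDeferred`, the `sysExNoDelay` callback parameter, and the liveness registry are simplifications invented here. The registry stands in for a sanitizer so the example records the use-after-free instead of performing it.

```cpp
// Constructed example, not ScummVM code. A driver method calls back into its
// owner; if the owner deletes the driver inside that callback, the remainder
// of the driver method runs on a freed object (the ticket's bug). The second
// owner defers the delete until the call has fully unwound.
#include <cstdio>
#include <functional>
#include <set>

// Instrumentation (constructed): which driver objects are currently alive,
// and how many member accesses would have hit freed memory.
static std::set<const void *> g_liveDrivers;
static int g_uafCount = 0;

class MidiDriver {
public:
    MidiDriver() { g_liveDrivers.insert(this); }
    ~MidiDriver() { g_liveDrivers.erase(this); }

    // Models sysExNoDelay(): the callback is the path that ends up in the
    // owner's stopSound_internal(). After it returns the method keeps going
    // and touches a member variable.
    void sysExNoDelay(const std::function<void()> &onSysEx) {
        onSysEx();
        if (!g_liveDrivers.count(this)) {
            // Real code cannot know it was freed; this is the access that
            // ASan/valgrind would report. Record it instead of doing it.
            ++g_uafCount;
            return;
        }
        ++_sysExSent;
    }

private:
    int _sysExSent = 0;
};

// Owner that deletes the driver immediately from inside the callback.
class IMuseUnsafe {
public:
    ~IMuseUnsafe() { delete _driver; }
    void startSound() { _driver = new MidiDriver(); }
    void onTimer() {
        if (_driver)
            _driver->sysExNoDelay([this] { stopSound_internal(); });
    }
    void stopSound_internal() { delete _driver; _driver = nullptr; }

private:
    MidiDriver *_driver = nullptr;
};

// Owner that only detaches the driver in the callback and deletes it once
// onTimer() is back in control, i.e. after the driver method has returned.
class IMuseDeferred {
public:
    ~IMuseDeferred() { delete _driver; delete _pendingDelete; }
    void startSound() { _driver = new MidiDriver(); }
    void onTimer() {
        if (_driver)
            _driver->sysExNoDelay([this] { stopSound_internal(); });
        // Call stack has unwound: nothing is executing inside the driver now.
        delete _pendingDelete;
        _pendingDelete = nullptr;
    }
    void stopSound_internal() { _pendingDelete = _driver; _driver = nullptr; }

private:
    MidiDriver *_driver = nullptr;
    MidiDriver *_pendingDelete = nullptr;
};

// Each runner returns how many freed-object accesses were recorded.
int runImmediateDelete() {
    g_uafCount = 0;
    IMuseUnsafe imuse;
    imuse.startSound();
    imuse.onTimer();
    return g_uafCount; // 1: the post-callback member access hit a freed driver
}

int runDeferredDelete() {
    g_uafCount = 0;
    IMuseDeferred imuse;
    imuse.startSound();
    imuse.onTimer();
    return g_uafCount; // 0: the driver outlived its own method
}

int main() {
    std::printf("immediate delete: %d use-after-free access(es)\n", runImmediateDelete());
    std::printf("deferred delete:  %d use-after-free access(es)\n", runDeferredDelete());
    return 0;
}
```

The deferred owner keeps the fix local to the object that owns the driver: the callback only unlinks the driver, and the actual `delete` happens at a point where the owner knows no driver frame is on the stack. Building the real engine with AddressSanitizer would flag the first variant at the same member access the registry records here.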