[Scummvm-tracker] [ScummVM :: Bugs] #12329: IOS: MP3 playback failing, libmad writing out of bounds

ScummVM :: Bugs trac at scummvm.org
Tue Mar 16 02:20:41 UTC 2021 

#12329: IOS: MP3 playback failing, libmad writing out of bounds
---------------------------+-----------------------
Reporter:  sluicebox       |      Owner:  (none)
    Type:  defect          |     Status:  new
Priority:  normal          |  Component:  Port: iOS
 Version:                  |   Keywords:
    Game:  King's Quest 6  |
---------------------------+-----------------------
 I've ripped and encoded the King's Quest 6 end credits CD track to
 track1.mp3 but the IOS build crashes immediately upon playback. Windows
 and Mac builds work. I've tried several unrelated mp3s. Failure occurs
 during construction of MP3Stream due to libmad's mad_synth_frame() writing
 beyond its struct and corrupting adjacent values. This looks unrelated to
 the game or CD-audio context in which it's being used. I think any mp3
 playback with MP3Stream would crash.


 {{{
 class BaseMP3Stream : public virtual AudioStream {
         ...
         mad_synth _synth;
         uint _channels; // overwritten with 0 by mad_synth_frame()
         uint _rate;     // overwritten with 0 by mad_synth_frame()
 }}}


 I debugged this sequence:

 1. MP3Stream constructor correctly sets _rate to 441000
 2. MP3Stream constructor calls BaseMP3Stream::decodeMP3Data()
 3. BaseMP3Stream::decodeMP3Data() calls mad_synth_frame(&_synth, &_frame)
 which overwrites _channels and _rate with zero
 4. Audio::Timestamp fails an assertion because 0 is an illegal rate

 I'm building with Xcode 12.4 (latest) on an M1 with macos 11.2.3 (latest)
 for an iphone 12 mini with ios 14.4.1. I'm using the instructions on the
 wiki and scummvm-ios7-libs-v2.zip. I tripped this a few months ago with
 earlier versions and now got around to debugging it.

 To reproduce with attached KQ6 CD save:
 1. Name any mp3 "track1.mp3" and put it in the game directory
 2. Set "Text and speech" to Speech in ScummVM Audio options (Subtitles
 will trigger alternate credits without music)
 3. Load the save and wait three seconds

 I suspect that any MP3Stream usage from any engine will trigger this. I'm
 hoping something is just off about the prebuilt libmad. Happy to help
 test.
-- 
Ticket URL: <https://bugs.scummvm.org/ticket/12329>
ScummVM :: Bugs <https://bugs.scummvm.org>
ScummVM

More information about the Scummvm-tracker mailing list