[Scummvm-tracker] [ScummVM :: Bugs] #15856: DGDS: HoC (DE) Crash in Scene 2 Chengdu

ScummVM :: Bugs trac at scummvm.org
Tue Apr 8 06:57:01 UTC 2025 

#15856: DGDS: HoC (DE) Crash in Scene 2 Chengdu
--------------------------+-----------------------------
Reporter:  Commodusaurel  |       Owner:  (none)
    Type:  defect         |      Status:  new
Priority:  normal         |   Component:  Engine: DGDS
 Version:                 |  Resolution:
Keywords:  Crash          |        Game:  Heart of China
--------------------------+-----------------------------
Comment (by mduggan):

 Thanks for the attachment!  This seems to be a problem with the MIDI
 parser - it's going off the end of the buffer.  The song is `FORTOUT.SNG`.
 It's happening at like 505 of midiparser_sci.cpp, which is:
 {{{
         case 0xB:
                 info.basic.param1 = *(playPos++);
 }}}
 where `playPos` has gone off the end of the buffer.

 Here is abbreviated the address sanitiser output:
 {{{
 =================================================================
 ==47541==ERROR: AddressSanitizer: heap-buffer-overflow on address
 0x607000248bf0 at pc 0x000100247970 bp 0x0001705bf550 sp 0x0001705bf548
 READ of size 1 at 0x607000248bf0 thread T21
     #0 0x00010024796c in
 Dgds::MidiParser_SCI::parseNextEvent(EventInfo&)+0x1148
     #1 0x000102932474 in MidiParser::onTimer()+0x26a4
     #2 0x00010025ae98 in Dgds::MusicEntry::onTimer()+0x4b4
     #3 0x000100253984 in Dgds::SciMusic::onTimer()+0x2cc
     #4 0x000100253618 in Dgds::SciMusic::miditimerCallback(void*)+0x20c
     #5 0x00010288f360 in MidiDriver_Emulated::readBuffer(short*,
 int)+0x5d8
     (... audio thread stack ...)

 0x607000248bf0 is located 0 bytes after 80-byte region
 [0x607000248ba0,0x607000248bf0)
 allocated by thread T0 here:
     #0 0x00010e03b804 in _Znam+0x74
     #1 0x0001001c4c68 in Common::SpanImpl<unsigned char const,
 Dgds::SciSpan>::allocate(unsigned int)+0x13c
     #2 0x0001002421cc in Common::NamedSpanImpl<unsigned char const,
 Dgds::SciSpan>::allocate(unsigned int, Common::String const&)+0x98
     #3 0x00010023f5b8 in Dgds::MidiParser_SCI::midiMixChannels()+0x11a0
     #4 0x00010023e044 in
 Dgds::MidiParser_SCI::loadMusic(Dgds::SoundResource::Track*,
 Dgds::MusicEntry*, int)+0x634
     #5 0x000100269e40 in
 Dgds::SciMusic::soundInitSnd(Dgds::MusicEntry*)+0x59c4
     #6 0x00010045cbcc in Dgds::Sound::initSoundResource(Dgds::MusicEntry*,
 Dgds::SoundData const&, Audio::Mixer::SoundType)+0xb18
     #7 0x00010045be84 in Dgds::Sound::processInitSound(unsigned int,
 Dgds::SoundData const&, Audio::Mixer::SoundType)+0x788
     #8 0x00010045a3c8 in Dgds::Sound::playPCSound(int,
 Common::Array<Dgds::SoundData> const&, Audio::Mixer::SoundType)+0x630
     #9 0x000100459d88 in Dgds::Sound::playSFX(int)+0x140
     #10 0x000100479f24 in
 Dgds::TTMInterpreter::handleOperation(Dgds::TTMEnviro&, Dgds::TTMSeq&,
 unsigned short, unsigned char, short const*, Common::String const&,
 Common::Array<Common::Point> const&)+0x31fc
     (... engine stack ...)
 }}}
-- 
Ticket URL: <https://bugs.scummvm.org/ticket/15856#comment:4>
ScummVM :: Bugs <https://bugs.scummvm.org>
ScummVM

More information about the Scummvm-tracker mailing list