[Scummvm-tracker] [ScummVM :: Bugs] #15884: SCUMM: INDY4: ASan o5_stringOps() heap buffer-overflow in copy-protection screen
ScummVM :: Bugs
trac at scummvm.org
Mon Apr 21 11:37:12 UTC 2025
#15884: SCUMM: INDY4: ASan o5_stringOps() heap buffer-overflow in copy-protection screen
----------------------------+---------------------------
Reporter: dwatteau | Owner: (none)
Type: defect | Status: new
Priority: normal | Component: Engine: SCUMM
Version: | Keywords:
Game: Indiana Jones 4 |
----------------------------+---------------------------
Current Git HEAD, building with `--enable-asan`.
How to reproduce:
* Start a floppy release of Indy4 which had original copy protection (the
ones I've tested here are: atlantis-fr and atlantis-amiga-fr)
* Make sure `copy_protection=true` is set
* Start a new game
* Press ESC so that you can start solving the copy-protection puzzle
* Move the cursor at the top of the screen
The following ASan trace will be triggered:
{{{
==6466==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x611000400626 at pc 0x0001034d72ac bp 0x7ff7bda639c0 sp 0x7ff7bda639b8
READ of size 1 at 0x611000400626 thread T0
#0 0x1034d72ab in Scumm::ScummEngine_v5::o5_stringOps() script_v5.cpp:3038
#1 0x1035364e8 in Common::Functor0Mem<void, Scumm::ScummEngine_v5>::operator()() const func.h:397
#2 0x1035e3f58 in Scumm::ScummEngine::executeOpcode(unsigned char) script.cpp:527
#3 0x1035e2be1 in Scumm::ScummEngine::executeScript() script.cpp:520
#4 0x1035f54b3 in Scumm::ScummEngine::runAllScripts() script.cpp:975
#5 0x1036acbdf in Scumm::ScummEngine::scummLoop(int) scumm.cpp:2955
#6 0x1036a46be in Scumm::ScummEngine::go() scumm.cpp:2680
#7 0x10285d06f in Scumm::ScummEngine::run() scumm.h:572
#8 0x102525158 in runGame(Plugin const*, OSystem&, DetectedGame const&, void const*) main.cpp:311
#9 0x10251750f in scummvm_main main.cpp:796
#10 0x1024fba5f in main macosx-main.cpp:44
#11 0x7ff804057417 in start+0x767 (dyld:x86_64+0xfffffffffff6e417)

0x611000400626 is located 26 bytes before 224-byte region [0x611000400640,0x611000400720)
allocated by thread T0 here:
#0 0x107d9e71d in wrap__Znam+0x7d (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0xec71d)
#1 0x1032fddf2 in Scumm::ResourceManager::createResource(Scumm::ResType, unsigned short, unsigned int) resource.cpp:867
#2 0x10330a8df in Scumm::ScummEngine::loadPtrToResource(Scumm::ResType, unsigned short, unsigned char const*) resource.cpp:1170
#3 0x1034d6296 in Scumm::ScummEngine_v5::o5_stringOps() script_v5.cpp:3008
}}}
When moving the cursor at such positions, `b` in `o5_stringOps()` below
will hold values such as `-72`:
{{{
case 4:
	/* get string char */
	getResultPos();
	a = getVarOrDirectByte(PARAM_1);
	b = getVarOrDirectByte(PARAM_2);
	ptr = getResourceAddress(rtString, a);
	if (ptr == nullptr)
		error("String %d does not exist", a);
	setResult(ptr[b]); // <== HERE
	break;
}}}
Attaching more details below.
--
Ticket URL: <https://bugs.scummvm.org/ticket/15884>
ScummVM :: Bugs <https://bugs.scummvm.org>
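The unchecked `ptr[b]` in the excerpt above is the whole defect: `b` is a script-supplied index and nothing constrains it to the string's length, so a negative value such as the reported `-72` reads before the start of the string data. The following is an added example, not ScummVM code or its fix: a small C++ model of the "get string char" lookup with a bounds check, built on a constructed `StringTable` and the hypothetical helpers `checked_string_char` and `overflow_distance`.

```cpp
#include <cstdint>
#include <cstdio>
#include <vector>

// Constructed stand-in for the engine's rtString resource table (not ScummVM's
// ResourceManager): one byte vector per string slot; an empty slot means the
// string resource was never loaded.
struct StringTable {
    std::vector<std::vector<uint8_t>> slots;
};

enum class CharStatus { Ok, NoSuchString, IndexOutOfRange };

struct CharLookup {
    CharStatus status;
    int value; // the byte read; only meaningful when status == Ok
};

// Hypothetical hardened form of the "get string char" case: the string index
// `a` and the character index `b` are both validated before any dereference.
// The reported crash had b == -72, which an unchecked `ptr[b]` turns into a
// read before the start of the string data.
static CharLookup checked_string_char(const StringTable &t, int a, int b) {
    if (a < 0 || a >= (int)t.slots.size() || t.slots[a].empty())
        return {CharStatus::NoSuchString, 0};   // the engine already errors out here
    const std::vector<uint8_t> &s = t.slots[a];
    if (b < 0 || b >= (int)s.size())
        return {CharStatus::IndexOutOfRange, 0}; // the missing check the report points at
    return {CharStatus::Ok, s[b]};
}

// How far an unchecked `ptr[b]` would land outside the string's bytes, computed
// arithmetically so this example never performs the bad read itself.
// Negative: bytes before the data (ASan's "located N bytes before" case),
// positive: bytes past its end, zero: in bounds.
static long overflow_distance(const StringTable &t, int a, int b) {
    const std::vector<uint8_t> &s = t.slots.at(a);
    if (b < 0)
        return b;
    if (b >= (long)s.size())
        return b - (long)s.size() + 1;
    return 0;
}

// Constructed sample data: slot 0 unloaded, slot 1 = "hello", slot 2 = "ABC".
static StringTable sample_table() {
    StringTable t;
    t.slots.resize(3);
    const char *hello = "hello";
    t.slots[1].assign(hello, hello + 5);
    t.slots[2] = {0x41, 0x42, 0x43};
    return t;
}

int main() {
    StringTable t = sample_table();
    const int probes[] = {3, -72, 5}; // in range, the reported value, one past the end
    for (int b : probes) {
        CharLookup r = checked_string_char(t, 1, b);
        std::printf("b=%4d status=%d value=%d unchecked-read-offset=%ld\n",
                    b, (int)r.status, r.value, overflow_distance(t, 1, b));
    }
    return 0;
}
```

The check rejects both negative indices and indices at or past the resource size; in the engine the size would come from the resource manager rather than a `std::vector`, and the rejection would be reported through the engine's usual `error()` path rather than a status enum.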