[Scummvm-tracker] [ScummVM :: Bugs] #15887: TOLTECS: drawGuiTextMulti() heap buffer-overflow with demo

ScummVM :: Bugs trac at scummvm.org
Mon Apr 21 22:07:08 UTC 2025 

#15887: TOLTECS: drawGuiTextMulti() heap buffer-overflow with demo
------------------------------------+-----------------------------
Reporter:  dwatteau                 |      Owner:  (none)
    Type:  defect                   |     Status:  new
Priority:  normal                   |  Component:  Engine: Toltecs
 Version:                           |   Keywords:
    Game:  3 Skulls of the Toltecs  |
------------------------------------+-----------------------------
 On current Git HEAD.

 How to reproduce:

 * Build with `--enable-asan`
 * Start 'toltecs-demo' (available on our demos page)
 * When the main title screen appears, left click

 The following ASan trace is then triggered:

 {{{
 ==20723==ERROR: AddressSanitizer: heap-buffer-overflow on address
 0x62a000071f61 at pc 0x0001007f8f64 bp 0x00016faf5f90 sp 0x00016faf5f88
 READ of size 1 at 0x62a000071f61 thread T0
     #0 0x0001007f8f60 in Toltecs::Screen::drawGuiTextMulti(unsigned char*)
 screen.cpp:524
     #1 0x00010080d8c0 in Toltecs::ScriptInterpreter::sfDrawGuiTextMulti()
 script.cpp:762
     #2 0x00010082d1a0 in Common::Functor0Mem<void,
 Toltecs::ScriptInterpreter>::operator()() const func.h:397
     #3 0x0001008219a0 in
 Toltecs::ScriptInterpreter::execScriptFunction(unsigned short)
 script.cpp:510
     #4 0x00010081a864 in Toltecs::ScriptInterpreter::execOpcode(unsigned
 char) script.cpp:273
     #5 0x00010081a3c4 in Toltecs::ScriptInterpreter::runScript()
 script.cpp:242
     #6 0x0001007b14c8 in Toltecs::ToltecsEngine::run() toltecs.cpp:221
     #7 0x000100363a7c in runGame(Plugin const*, OSystem&, DetectedGame
 const&, void const*) main.cpp:311
     #8 0x00010035802c in scummvm_main main.cpp:796
     #9 0x0001003402ec in main macosx-main.cpp:44
     #10 0x000198b8eb48  (<unknown module>)

 0x62a000071f61 is located 2 bytes after 23903-byte region
 [0x62a00006c200,0x62a000071f5f)
 allocated by thread T0 here:
     #0 0x000104103804 in _Znam+0x74
 (libclang_rt.asan_osx_dynamic.dylib:arm64e+0x4b804)
     #1 0x000100817e34 in Toltecs::ScriptInterpreter::loadScript(unsigned
 int, unsigned int) script.cpp:188
     #2 0x00010080f5fc in Toltecs::ScriptInterpreter::sfLoadScript()
 script.cpp:812
     #3 0x00010082d1a0 in Common::Functor0Mem<void,
 Toltecs::ScriptInterpreter>::operator()() const func.h:397
     #4 0x0001008219a0 in
 Toltecs::ScriptInterpreter::execScriptFunction(unsigned short)
 script.cpp:510
     #5 0x00010081a864 in Toltecs::ScriptInterpreter::execOpcode(unsigned
 char) script.cpp:273
     #6 0x00010081a3c4 in Toltecs::ScriptInterpreter::runScript()
 script.cpp:242
     #7 0x0001007b14c8 in Toltecs::ToltecsEngine::run() toltecs.cpp:221
     #8 0x000100363a7c in runGame(Plugin const*, OSystem&, DetectedGame
 const&, void const*) main.cpp:311
     #9 0x00010035802c in scummvm_main main.cpp:796
     #10 0x0001003402ec in main macosx-main.cpp:44
     #11 0x000198b8eb48  (<unknown module>)

 SUMMARY: AddressSanitizer: heap-buffer-overflow screen.cpp:524 in
 Toltecs::Screen::drawGuiTextMulti(unsigned char*)
 Shadow bytes around the buggy address:
   0x62a000071c80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   0x62a000071d00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   0x62a000071d80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   0x62a000071e00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   0x62a000071e80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 =>0x62a000071f00: 00 00 00 00 00 00 00 00 00 00 00 07[fa]fa fa fa
   0x62a000071f80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
   0x62a000072000: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
   0x62a000072080: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
   0x62a000072100: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
   0x62a000072180: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
 Shadow byte legend (one shadow byte represents 8 application bytes):
   Addressable:           00
   Partially addressable: 01 02 03 04 05 06 07
   Heap left redzone:       fa
   Freed heap region:       fd
   Stack left redzone:      f1
   Stack mid redzone:       f2
   Stack right redzone:     f3
   Stack after return:      f5
   Stack use after scope:   f8
   Global redzone:          f9
   Global init order:       f6
   Poisoned by user:        f7
   Container overflow:      fc
   Array cookie:            ac
   Intra object redzone:    bb
   ASan internal:           fe
   Left alloca redzone:     ca
   Right alloca redzone:    cb
 ==20723==ABORTING
 Abort trap: 6
 }}}
-- 
Ticket URL: <https://bugs.scummvm.org/ticket/15887>
ScummVM :: Bugs <https://bugs.scummvm.org>
ScummVM

More information about the Scummvm-tracker mailing list