[Scummvm-tracker] [ScummVM :: Bugs] #15901: KYRA: SoundTownsPC98_v2::playTrack() heap buffer-overflow (ASan)

ScummVM :: Bugs trac at scummvm.org
Fri Apr 25 11:51:17 UTC 2025 

#15901: KYRA: SoundTownsPC98_v2::playTrack() heap buffer-overflow (ASan)
-----------------------+--------------------------
Reporter:  dwatteau    |      Owner:  (none)
    Type:  defect      |     Status:  new
Priority:  normal      |  Component:  Engine: Kyra
 Version:              |   Keywords:
    Game:  Kyrandia 2  |
-----------------------+--------------------------
 On current Git HEAD, with the FM-TOWNS Japanese Kyrandia 2 I've just
 bought.

 The Redbook tracks have been properly ripped to FLAC files.

 How to reproduce:

 * build with `--enable-asan`
 * start `kyra2-fm-ja` from scratch, wait until the Westwood Studios logo
 appears

 AddressSanitizer will then catch the following heap buffer-overflow:

 {{{
 User picked target 'kyra2-fm-ja' (engine ID 'kyra', game ID 'kyra2')...
 Running The Legend of Kyrandia: The Hand of Fate (FM-TOWNS/Japanese)
 WSCORE.PAK: c44de1302b67f27d4707409987b7a685, 90990 bytes.
 =================================================================
 ==59567==ERROR: AddressSanitizer: heap-buffer-overflow on address
 0x60300024f778 at pc 0x000100cd7a19 bp 0x7ff7bfef8c50 sp 0x7ff7bfef8c48
 READ of size 2 at 0x60300024f778 thread T0
     #0 0x100cd7a18 in Kyra::SoundTownsPC98_v2::playTrack(unsigned char)
 sound_pc98_v2.cpp:126
     #1 0x100c88445 in
 Kyra::SeqPlayer_HOF::cbHOF_westwood(Kyra::WSAMovie_v2*, int, int, int)
 sequences_hof.cpp:1807
     #2 0x100ca52fa in
 Kyra::SeqPlayer_HOF::playAnimation(Kyra::WSAMovie_v2*, int, int, int, int,
 int, int (Kyra::SeqPlayer_HOF::*)(Kyra::WSAMovie_v2*, int, int, int),
 Kyra::Palette*, Kyra::Palette*, int, bool) sequences_hof.cpp:1022
     #3 0x100ca1292 in Kyra::SeqPlayer_HOF::playScenes()
 sequences_hof.cpp:727
     #4 0x100c87336 in Kyra::SeqPlayer_HOF::runLoop() sequences_hof.cpp:635
     #5 0x100c869f2 in Kyra::SeqPlayer_HOF::play(Kyra::SequenceID,
 Kyra::SequenceID) sequences_hof.cpp:559
     #6 0x100cb6765 in Kyra::KyraEngine_HoF::seq_playIntro()
 sequences_hof.cpp:3507
     #7 0x100938daf in Kyra::KyraEngine_HoF::go() kyra_hof.cpp:248
     #8 0x1009153b5 in Kyra::KyraEngine_v1::run() kyra_v1.h:205
     #9 0x10004dfcd in runGame(Plugin const*, OSystem&, DetectedGame
 const&, void const*) main.cpp:311
     #10 0x100047b0a in scummvm_main main.cpp:796
     #11 0x100035042 in main macosx-main.cpp:44
     #12 0x7ff80a27d417 in start+0x767 (dyld:x86_64+0xfffffffffff6e417)

 0x60300024f778 is located 0 bytes after 24-byte region
 [0x60300024f760,0x60300024f778)
 allocated by thread T0 here:
     #0 0x10344d71d in wrap__Znam+0x7d
 (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0xec71d)
     #1 0x100b2d03c in
 Kyra::StaticResource::loadRawData(Common::SeekableReadStream&, void*&,
 int&) staticres.cpp:472
     #2 0x100b294c7 in Kyra::StaticResource::prefetchId(int)
 staticres.cpp:375
     #3 0x100b28c48 in Kyra::StaticResource::prefetchId(int)
 staticres.cpp:348
     #4 0x100b27438 in Kyra::StaticResource::loadStaticResourceFile()
 staticres.cpp:160
     #5 0x100b2ae07 in Kyra::StaticResource::init() staticres.cpp:270
     #6 0x100909882 in Kyra::KyraEngine_v1::init() kyra_v1.cpp:170
     #7 0x1009374ff in Kyra::KyraEngine_HoF::init() kyra_hof.cpp:192
     #8 0x1009152f3 in Kyra::KyraEngine_v1::run() kyra_v1.h:202
     #9 0x10004dfcd in runGame(Plugin const*, OSystem&, DetectedGame
 const&, void const*) main.cpp:311
     #10 0x100047b0a in scummvm_main main.cpp:796
     #11 0x100035042 in main macosx-main.cpp:44
     #12 0x7ff80a27d417 in start+0x767 (dyld:x86_64+0xfffffffffff6e417)

 SUMMARY: AddressSanitizer: heap-buffer-overflow sound_pc98_v2.cpp:126 in
 Kyra::SoundTownsPC98_v2::playTrack(unsigned char)
 Shadow bytes around the buggy address:
   0x60300024f480: fa fa 00 00 03 fa fa fa 00 00 03 fa fa fa 00 00
   0x60300024f500: 05 fa fa fa 00 00 01 fa fa fa 00 00 02 fa fa fa
   0x60300024f580: 00 00 04 fa fa fa 00 00 00 fa fa fa 00 00 04 fa
   0x60300024f600: fa fa fd fd fd fd fa fa fd fd fd fd fa fa 00 00
   0x60300024f680: 04 fa fa fa 00 00 00 00 fa fa 00 00 00 00 fa fa
 =>0x60300024f700: fd fd fd fd fa fa fd fd fd fd fa fa 00 00 00[fa]
   0x60300024f780: fa fa fd fd fd fd fa fa fd fd fd fd fa fa fd fd
   0x60300024f800: fd fd fa fa fd fd fd fd fa fa fd fd fd fd fa fa
   0x60300024f880: fd fd fd fd fa fa fd fd fd fd fa fa 00 00 00 00
   0x60300024f900: fa fa 00 00 01 fa fa fa fd fd fd fd fa fa 00 00
   0x60300024f980: 00 fa fa fa 00 00 00 fa fa fa 00 00 00 fa fa fa
 Shadow byte legend (one shadow byte represents 8 application bytes):
   Addressable:           00
   Partially addressable: 01 02 03 04 05 06 07
   Heap left redzone:       fa
   Freed heap region:       fd
   Stack left redzone:      f1
   Stack mid redzone:       f2
   Stack right redzone:     f3
   Stack after return:      f5
   Stack use after scope:   f8
   Global redzone:          f9
   Global init order:       f6
   Poisoned by user:        f7
   Container overflow:      fc
   Array cookie:            ac
   Intra object redzone:    bb
   ASan internal:           fe
   Left alloca redzone:     ca
   Right alloca redzone:    cb
 ==59567==ABORTING
 }}}
-- 
Ticket URL: <https://bugs.scummvm.org/ticket/15901>
ScummVM :: Bugs <https://bugs.scummvm.org>
ScummVM

More information about the Scummvm-tracker mailing list