[Scummvm-tracker] [ScummVM :: Bugs] #15930: SCUMM: AKOS: paintCelByleRLE() invalid mem access in COMI save

ScummVM :: Bugs trac at scummvm.org
Fri May 16 22:45:17 UTC 2025 

#15930: SCUMM: AKOS: paintCelByleRLE() invalid mem access in COMI save
----------------------------+---------------------------
Reporter:  dwatteau         |      Owner:  (none)
    Type:  defect           |     Status:  new
Priority:  normal           |  Component:  Engine: SCUMM
 Version:                   |   Keywords:
    Game:  Monkey Island 3  |
----------------------------+---------------------------
 It's me again, your nightmare with terrible older saves!

 On current Git HEAD, I have this 2021 COMI save (French release, available
 on GOG/Steam I think) that does an invalid memory access after being
 loaded.

 ASan gives the following:

 {{{
 ==28361==ERROR: AddressSanitizer: global-buffer-overflow on address
 0x00010320f72d at pc 0x000100229e5f bp 0x7ff7bfef54b0 sp 0x7ff7bfef54a8
 READ of size 1 at 0x00010320f72d thread T0
     #0 0x100229e5e in Scumm::AkosRenderer::paintCelByleRLE(int, int)
 akos.cpp:782
     #1 0x1002250e2 in Scumm::AkosRenderer::drawLimb(Scumm::Actor const*,
 int) akos.cpp:469
     #2 0x10025dea2 in
 Scumm::BaseCostumeRenderer::drawCostume(Scumm::VirtScreen const&, int,
 Scumm::Actor const*, bool) base-costume.cpp:56
     #3 0x1001a2efc in Scumm::Actor::drawActorCostume(bool) actor.cpp:2535
     #4 0x1001a0b1b in Scumm::ScummEngine::processActors() actor.cpp:2442
     #5 0x1001a3c82 in Scumm::ScummEngine_v6::processActors()
 actor.cpp:2469
     #6 0x10124d026 in Scumm::ScummEngine_v6::scummLoop_handleActors()
 scumm.cpp:3818
     #7 0x101227dc3 in Scumm::ScummEngine::scummLoop(int) scumm.cpp:3015
     #8 0x10121e2ee in Scumm::ScummEngine::go() scumm.cpp:2680
     #9 0x1003c806f in Scumm::ScummEngine::run() scumm.h:572
     #10 0x1000900d7 in runGame(Plugin const*, OSystem&, DetectedGame
 const&, void const*) main.cpp:313
     #11 0x1000822af in scummvm_main main.cpp:798
     #12 0x1000667ff in main macosx-main.cpp:44
     #13 0x7ff8108b8417 in start+0x767 (dyld:x86_64+0xfffffffffff6e417)

 0x00010320f72d is located 45 bytes after global variable
 'Scumm::bigCostumeScaleTable' defined in 'engines/scumm/akos.cpp'
 (0x10320f400) of size 768
 }}}

 This looks very similar to what's already handled nearby by previous
 commit
 https://github.com/scummvm/scummvm/commit/8d23d0799dcacdbc68a13094174f9c5dadb6b3ca.
 So I think it's mostly a matter of adapting it to this new case? (I could
 have done that myself, but I don't understand a thing about AKOS so I'd
 rather avoid tweaking that.)
-- 
Ticket URL: <https://bugs.scummvm.org/ticket/15930>
ScummVM :: Bugs <https://bugs.scummvm.org>
ScummVM

More information about the Scummvm-tracker mailing list