[Scummvm-tracker] [ScummVM :: Bugs] #16340: BACKENDS: Using Video::Subtitles with SDL surface backend will trigger undefined behavior
ScummVM :: Bugs
trac at scummvm.org
Sun Nov 9 14:04:04 UTC 2025
#16340: BACKENDS: Using Video::Subtitles with SDL surface backend will trigger undefined behavior
------------------------+----------------------
Reporter: neuromancer | Owner: (none)
Type: defect | Status: new
Priority: high | Component: Graphics
Version: | Keywords: sdl
Game: |
------------------------+----------------------
When using the Video::Subtitles code with SDL Surface graphics mode, the
screen updates will get stuck. This was discovered in this issue:
https://bugs.scummvm.org/ticket/16217
There is an associated ASAN report which shows the affected piece of code:
{{{
005: If you want to play the game that follows the plot of the book "Little Sister", then click Original Plot.
=================================================================
==15420==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62d0005f82fc at pc 0x00010ca4b284 bp 0x00016f421b40 sp 0x00016f4212f0
READ of size 1204 at 0x62d0005f82fc thread T0
    #0 0x00010ca4b280 in __asan_memcpy+0x3f4 (libclang_rt.asan_osx_dynamic.dylib:arm64e+0x3b280)
    #1 0x000101ca9e4c in SurfaceSdlGraphicsManager::copyRectToOverlay(void const*, int, int, int, int, int) surfacesdl-graphics.cpp:2116
    #2 0x0001019b83bc in ModularGraphicsBackend::copyRectToOverlay(void const*, int, int, int, int, int) modular-backend.cpp:245
    #3 0x000101d77d60 in Video::Subtitles::drawSubtitle(unsigned int, bool, bool) subtitles.cpp:448
    #4 0x0001013a3dc8 in Private::PrivateEngine::run() private.cpp:426
    #5 0x000100bdede0 in runGame(Plugin const*, OSystem&, DetectedGame const&, void const*) main.cpp:317
    #6 0x000100bd2194 in scummvm_main main.cpp:803
    #7 0x000100bbc204 in main macosx-main.cpp:44
    #8 0x00019b35ab94 in start+0x17b8 (dyld:arm64e+0xfffffffffff3ab94)

0x62d0005f82fc is located 0 bytes after 32508-byte region [0x62d0005f0400,0x62d0005f82fc)
allocated by thread T0 here:
    #0 0x00010ca4d67c in calloc+0x80 (libclang_rt.asan_osx_dynamic.dylib:arm64e+0x3d67c)
    #1 0x0001022990a4 in Graphics::Surface::create(short, short, Graphics::PixelFormat const&) surface.cpp:152
    #2 0x000101d743d8 in Video::Subtitles::setBBox(Common::Rect const&) subtitles.cpp:352
    #3 0x0001013a7b28 in Private::PrivateEngine::adjustSubtitleSize() private.cpp:1501
    #4 0x0001013df6d0 in Private::PrivateEngine::loadSubtitles(Common::Path const&) private.cpp:1534
    #5 0x0001013c2700 in Private::PrivateEngine::playSound(Common::String const&, unsigned int, bool, bool) private.cpp:1486
    #6 0x000101353ca0 in Private::fSound(Common::Array<Private::Datum>) funcs.cpp:536
    #7 0x000101372130 in Private::call(char const*, Common::Array<Private::Datum> const&) funcs.cpp:891
    #8 0x000101337ac4 in Private::Gen::funcpush() code.cpp:156
    #9 0x000101333fdc in Private::Gen::execute(int (**)()) code.cpp:422
    #10 0x0001013402b0 in Private::Gen::ifcode() code.cpp:394
    #11 0x000101333fdc in Private::Gen::execute(int (**)()) code.cpp:422
    #12 0x0001013402b0 in Private::Gen::ifcode() code.cpp:394
    #13 0x000101333fdc in Private::Gen::execute(int (**)()) code.cpp:422
    #14 0x0001013404d0 in Private::Gen::ifcode() code.cpp:397
    #15 0x000101333fdc in Private::Gen::execute(int (**)()) code.cpp:422
    #16 0x000101333c28 in Private::Gen::VM::run() code.cpp:58
    #17 0x0001013a3364 in Private::PrivateEngine::run() private.cpp:417
    #18 0x000100bdede0 in runGame(Plugin const*, OSystem&, DetectedGame const&, void const*) main.cpp:317
    #19 0x000100bd2194 in scummvm_main main.cpp:803
    #20 0x000100bbc204 in main macosx-main.cpp:44
    #21 0x00019b35ab94 in start+0x17b8 (dyld:arm64e+0xfffffffffff3ab94)

SUMMARY: AddressSanitizer: heap-buffer-overflow surfacesdl-graphics.cpp:2116 in SurfaceSdlGraphicsManager::copyRectToOverlay(void const*, int, int, int, int, int)
Shadow bytes around the buggy address:
  0x62d0005f8000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x62d0005f8080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x62d0005f8100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x62d0005f8180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x62d0005f8200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x62d0005f8280: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00[04]
  0x62d0005f8300: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x62d0005f8380: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x62d0005f8400: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x62d0005f8480: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x62d0005f8500: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
}}}
There is some additional discussion in this PR regarding the use of the
overlay in the SDL surface backend: https://github.com/scummvm/scummvm/pull/7002
--
Ticket URL: <https://bugs.scummvm.org/ticket/16340>
ScummVM :: Bugs <https://bugs.scummvm.org>
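Added illustration, not ScummVM code: a bounds check that a row-wise rect copy should pass before it reaches memcpy, applied to the sizes in the report above. The 32508-byte region divides exactly into 27 rows of 1204 bytes, so if the 1204-byte read is one source row (an assumption made here), a copy that reaches row index 27 starts 0 bytes past the end of the region, which is what ASAN reported. The struct and function names are hypothetical.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <vector>

// Hypothetical view of a source pixel buffer: the allocation size is carried
// alongside the row pitch so a copy can be validated against it.
struct SrcBuffer {
    const uint8_t *data;
    size_t size;   // bytes actually allocated (32508 in the trace)
    int pitch;     // bytes per row
};

// True if reading h rows of rowBytes bytes, starting at byte offset
// (y * pitch + xBytes), stays inside src.size. 64-bit math so large
// arguments cannot wrap the comparison; negative values are rejected.
bool rectReadFits(const SrcBuffer &src, int xBytes, int y, int rowBytes, int h) {
    if (xBytes < 0 || y < 0 || rowBytes < 0 || h < 0 || src.pitch <= 0)
        return false;
    if (h == 0 || rowBytes == 0)
        return true;
    // One past the last byte touched: end of the run in row y+h-1.
    uint64_t end = (uint64_t)(y + h - 1) * (uint64_t)src.pitch
                 + (uint64_t)xBytes + (uint64_t)rowBytes;
    return end <= src.size;
}

// Row-wise copy that refuses to run instead of reading past the source.
// Returns the number of rows copied, or -1 if the rect does not fit.
int copyRowsChecked(uint8_t *dst, int dstPitch, const SrcBuffer &src,
                    int xBytes, int y, int rowBytes, int h) {
    if (!rectReadFits(src, xBytes, y, rowBytes, h))
        return -1;
    for (int r = 0; r < h; ++r)
        memcpy(dst + (size_t)r * dstPitch,
               src.data + (size_t)(y + r) * src.pitch + xBytes, rowBytes);
    return h;
}

// Numbers from the ASAN report: 32508-byte region, 1204-byte reads.
// 32508 / 1204 == 27, so a 1204-byte-pitch buffer holds exactly 27 rows.
int rowsInTraceBuffer() { return 32508 / 1204; }

// Does copying h full rows from a constructed 32508-byte stand-in fit?
bool traceCopyFits(int h) {
    static const std::vector<uint8_t> backing(32508, 0);  // constructed
    SrcBuffer src = { backing.data(), backing.size(), 1204 };
    return rectReadFits(src, 0, 0, 1204, h);
}
```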