[Scummvm-tracker] [ScummVM :: Bugs] #16268: NGI: FULLPIPE: heap-use-after-free in isPixelHitAtPos()
ScummVM :: Bugs
trac at scummvm.org
Sat Oct 4 19:28:59 UTC 2025
#16268: NGI: FULLPIPE: heap-use-after-free in isPixelHitAtPos()
----------------------+-------------------------
 Reporter:  dwatteau  |      Owner:  (none)
     Type:  defect    |     Status:  new
 Priority:  normal    |  Component:  Engine: NGI
  Version:            |   Keywords:
     Game:  Full Pipe |
----------------------+-------------------------
Current Git HEAD, with the German demo that's hosted on our demo page.
Steps to reproduce:
1. Build with `--enable-debug --enable-optimizations --enable-asan`
2. Start a new game (Demo/Windows/German version)
3. Repeatedly hit the Esc key in all screens when the game starts, until
the internal game menu opens
You may need to restart step 3 many times, and/or use your cursor a bit,
and/or have some precise timing to hit the crash. But it does happen from
time to time, during normal gameplay.
I then hit this kind of crash:
{{{
User picked target 'fullpipe-demo-de' (engine ID 'ngi', game ID
'fullpipe')...
Running Full Pipe (Demo/Windows/German)
4620.sc2: e5e98df537e56b39c33ae1d5c90976fe, 510 bytes.
=================================================================
==12735==ERROR: AddressSanitizer: heap-use-after-free on address
0x50c0003341d8 at pc 0xb6a2fc9170d0 bp 0xfffffda092f0 sp 0xfffffda092e0
READ of size 8 at 0x50c0003341d8 thread T0
#0 0xb6a2fc9170cc in NGI::PictureObject::isPixelHitAtPos(int, int)
(/scummvm/scummvm+0x3370cc)
#1 0xb6a2fc954c0c in NGI::ModalMainMenu::checkHover(Common::Point&)
(/scummvm/scummvm+0x374c0c)
#2 0xb6a2fc958bbc in NGI::ModalMainMenu::init(int)
(/scummvm/scummvm+0x378bbc)
#3 0xb6a2fc816e84 in NGI::NGIEngine::updateScreen()
(/scummvm/scummvm+0x236e84)
#4 0xb6a2fc819480 in NGI::NGIEngine::run() (/scummvm/scummvm+0x239480)
#5 0xb6a2fc7cbe60 in runGame(Plugin const*, OSystem&, DetectedGame
const&, void const*)
0x50c0003341d8 is located 88 bytes inside of 120-byte region
[0x50c000334180,0x50c0003341f8)
freed by thread T0 here:
#0 0xed00bd2b8ec4 in operator delete(void*)
../../../../src/libsanitizer/asan/asan_new_delete.cpp:152
#1 0xb6a2fc914a48 in NGI::Background::~Background()
(/scummvm/scummvm+0x334a48)
#2 0xb6a2fc81a978 in NGI::Scene::~Scene() (/scummvm/scummvm+0x23a978)
#3 0xb6a2fc81ab30 in NGI::Scene::~Scene() (/scummvm/scummvm+0x23ab30)
#4 0xb6a2fc90bb3c in NGI::GameLoader::unloadScene(int)
(/scummvm/scummvm+0x32bb3c)
#5 0xb6a2fc9589e8 in NGI::ModalMainMenu::init(int)
(/scummvm/scummvm+0x3789e8)
#6 0xb6a2fc816e84 in NGI::NGIEngine::updateScreen()
(/scummvm/scummvm+0x236e84)
#7 0xb6a2fc819480 in NGI::NGIEngine::run() (/scummvm/scummvm+0x239480)
[...]
}}}
Full ASan log attached below.
--
Ticket URL: <https://bugs.scummvm.org/ticket/16268>
ScummVM :: Bugs <https://bugs.scummvm.org>
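As an added illustration, not code from ScummVM, the trace above shows the ordering of the defect: `ModalMainMenu::init()` calls `GameLoader::unloadScene()`, which destroys the `Scene`/`Background` and the `PictureObject`s it owns, and then `checkHover()` calls `isPixelHitAtPos()` on one of those freed objects. The C++ model below borrows only the class names from the frames in the trace; the hit-test geometry, `Point`, `GameLoader::loadScene()` and `hoverAfterUnload()` are constructed for the example. It holds the menu's references as `weak_ptr`, so a stale entry is skipped instead of dereferenced:

```cpp
// Hypothetical model (not ScummVM code) of the lifetime pattern in the trace:
// the menu caches references into a Scene, unloadScene() frees them, and a
// later checkHover() must not read them. weak_ptr detects the stale reference.
#include <memory>
#include <vector>

struct Point { int x, y; };
struct PictureObject {
    int x0, y0, w, h;                        // constructed bounding box
    bool isPixelHitAtPos(int x, int y) const {
        return x >= x0 && x < x0 + w && y >= y0 && y < y0 + h;
    }
};
struct Scene {                               // Scene owns its pictures
    std::vector<std::shared_ptr<PictureObject>> pictures;
};
struct GameLoader {
    std::unique_ptr<Scene> scene;
    void loadScene() {
        scene = std::make_unique<Scene>();
        scene->pictures.push_back(std::make_shared<PictureObject>(PictureObject{10, 10, 50, 20}));
    }
    void unloadScene() { scene.reset(); }    // frees the Scene and its pictures
};

struct ModalMainMenu {
    // Non-owning: lock() returns nullptr once the Scene has freed the object.
    std::vector<std::weak_ptr<PictureObject>> items;
    void init(const Scene &s) {
        for (const auto &p : s.pictures) items.push_back(p);
    }
    // Index of the hovered item, or -1 (also when every item is stale).
    int checkHover(const Point &pt) const {
        for (size_t i = 0; i < items.size(); ++i) {
            auto obj = items[i].lock();      // a raw pointer here would dangle
            if (obj && obj->isPixelHitAtPos(pt.x, pt.y)) return static_cast<int>(i);
        }
        return -1;
    }
};

// Replays the order seen in the ASan trace: init, unloadScene, then checkHover.
int hoverAfterUnload(bool unloadFirst) {
    GameLoader loader; loader.loadScene();
    ModalMainMenu menu; menu.init(*loader.scene);
    if (unloadFirst) loader.unloadScene();
    return menu.checkHover(Point{20, 15});
}
```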