[Scummvm-tracker] [ScummVM :: Bugs] #16601: Broken Sword 2: Crash during opening cutscene on Android
ScummVM :: Bugs
trac at scummvm.org
Wed Mar 18 09:41:19 UTC 2026
#16601: Broken Sword 2: Crash during opening cutscene on Android
--------------------+-----------------------------
Reporter: Staacks | Owner: (none)
Type: defect | Status: new
Priority: blocker | Component: Video
Version: | Resolution:
Keywords: | Game: Broken Sword 2
--------------------+-----------------------------
Changes (by dwatteau):
* component: Port: Android => Video
Comment:
@devs: I can reproduce the crash with AddressSanitizer on macOS arm64
(current Git HEAD):
{{{
User picked target 'sword2-win' (engine ID 'sword2', game ID 'sword2')...
Running Broken Sword II: The Smoking Mirror (GOG/Windows/English)
docks.clu: b39246fbb5b955a29f9a207c69bfc318, 20262263 bytes.
eye.dxa: 7aef7fcb4faae760e82e0c7d3b336ac9, 7052599 bytes.
general.clu: 31db8564f9187538f24d9fda0677f666, 7059728 bytes.
speech1.clu: a403904a0e825356107d228f8f74092e, 176260048 bytes.
text.clu: 9b344d976ca8d19a1cf5aa4413397f6b, 304968 bytes.
=================================================================
==49626==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x00011c5bb20b at pc 0x000102f631fc bp 0x00016eeab250 sp 0x00016eeaaa00
READ of size 2 at 0x00011c5bb20b thread T0
    #0 0x000102f631f8 in __asan_memcpy+0x400 (libclang_rt.asan_osx_dynamic.dylib:arm64e+0x3b1f8)
    #1 0x00010145de38 in Video::DXADecoder::DXAVideoTrack::decode13(int) dxa_decoder.cpp:405
    #2 0x00010145f104 in Video::DXADecoder::DXAVideoTrack::decodeNextFrame() dxa_decoder.cpp:501
    #3 0x000101481b4c in Video::VideoDecoder::decodeNextFrame() video_decoder.cpp:222
    #4 0x000100fcf0e8 in Sword2::MoviePlayer::playVideo() animation.cpp:338
    #5 0x000100fce954 in Sword2::MoviePlayer::play(Sword2::MovieText*, unsigned int, unsigned int, unsigned int) animation.cpp:139
    #6 0x00010100b1bc in Sword2::Logic::fnPlaySequence(int*) function.cpp:2151
    #7 0x00010101d500 in Sword2::Logic::runScript2(unsigned char*, unsigned char*, unsigned char*) interpreter.cpp:633
    #8 0x00010101a224 in Sword2::Logic::runScript(unsigned char*, unsigned char*, unsigned int) interpreter.cpp:233
    #9 0x00010101a3fc in Sword2::Logic::runResObjScript(unsigned int, unsigned int, unsigned int) interpreter.cpp:222
    #10 0x0001010ad348 in Sword2::Sword2Engine::startGame() sword2.cpp:552
    #11 0x0001010ac8cc in Sword2::Sword2Engine::run() sword2.cpp:263
    #12 0x000100f7f1c0 in runGame(Plugin const*, OSystem&, DetectedGame const&, void const*) main.cpp:317
    #13 0x000100f792d8 in scummvm_main main.cpp:811
    #14 0x000100f69ef0 in main macosx-main.cpp:44
    #15 0x000187de6b94 (<unknown module>)

0x00011c5bb20b is located 523 bytes after 256000-byte region [0x00011c57c800,0x00011c5bb000)
allocated by thread T0 here:
    #0 0x000102f73548 in _Znam+0x74 (libclang_rt.asan_osx_dynamic.dylib:arm64e+0x4b548)
    #1 0x00010145ad84 in Video::DXADecoder::DXAVideoTrack::DXAVideoTrack(Common::SeekableReadStream*) dxa_decoder.cpp:116
    #2 0x000101459848 in Video::DXADecoder::DXAVideoTrack::DXAVideoTrack(Common::SeekableReadStream*) dxa_decoder.cpp:76
    #3 0x00010145975c in Video::DXADecoder::loadStream(Common::SeekableReadStream*) dxa_decoder.cpp:55
    #4 0x00010147e814 in Video::VideoDecoder::loadFile(Common::Path const&) video_decoder.cpp:87
    #5 0x000100fcdbc0 in Sword2::MoviePlayer::load(char const*) animation.cpp:99
    #6 0x00010100b054 in Sword2::Logic::fnPlaySequence(int*) function.cpp:2149
    #7 0x00010101d500 in Sword2::Logic::runScript2(unsigned char*, unsigned char*, unsigned char*) interpreter.cpp:633
    #8 0x00010101a224 in Sword2::Logic::runScript(unsigned char*, unsigned char*, unsigned int) interpreter.cpp:233
    #9 0x00010101a3fc in Sword2::Logic::runResObjScript(unsigned int, unsigned int, unsigned int) interpreter.cpp:222
    #10 0x0001010ad348 in Sword2::Sword2Engine::startGame() sword2.cpp:552
    #11 0x0001010ac8cc in Sword2::Sword2Engine::run() sword2.cpp:263
    #12 0x000100f7f1c0 in runGame(Plugin const*, OSystem&, DetectedGame const&, void const*) main.cpp:317
    #13 0x000100f792d8 in scummvm_main main.cpp:811
    #14 0x000100f69ef0 in main macosx-main.cpp:44
    #15 0x000187de6b94 (<unknown module>)

SUMMARY: AddressSanitizer: heap-buffer-overflow dxa_decoder.cpp:405 in Video::DXADecoder::DXAVideoTrack::decode13(int)
}}}
i.e.:
{{{
(lldb) frame select 5
frame #5: 0x0000000100511e3c scummvm`Video::DXADecoder::DXAVideoTrack::decode13(this=0x000060d0001dc990, size=36241) at dxa_decoder.cpp:405:8
   402
   403 		uint8 *b1 = (uint8 *)_frameBuffer2 + (sx+mx) + (sy+my) * _width;
   404 		for (int yc = 0; yc < BLOCKH / 2; yc++) {
-> 405 			memcpy(b2, b1, BLOCKW / 2);
   406 			b1 += _width;
   407 			b2 += _width;
   408 		}
}}}
(Moving to `Video` component, as it's been reproduced on a non-Android
device.)
--
Ticket URL: <https://bugs.scummvm.org/ticket/16601#comment:2>
ScummVM :: Bugs <https://bugs.scummvm.org>
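The crash site in the ticket is a half-block copy whose source offset (sx+mx, sy+my) is taken from the video stream and never compared against the frame, so a bad motion vector walks memcpy past the end of the frame buffer. The C model below, with a bounds-checked variant beside it, is an added example and not ScummVM's code; the BLOCKW/BLOCKH values, the function names and the 8x8 frames are assumptions chosen so that the copy width matches the "READ of size 2" in the report.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Assumed block geometry; the real decoder defines its own constants. */
#define BLOCKW 4
#define BLOCKH 4

/* Model of the crashing loop: copy a (BLOCKW/2) x (BLOCKH/2) block from
 * src at (sx+mx, sy+my) into dst at (sx, sy). The motion vector (mx, my)
 * comes from the stream and nothing here keeps it inside the frame. */
static void copy_halfblock_unchecked(uint8_t *dst, const uint8_t *src, int width,
                                     int sx, int sy, int mx, int my) {
    uint8_t *b2 = dst + sx + sy * width;
    const uint8_t *b1 = src + (sx + mx) + (sy + my) * width;
    for (int yc = 0; yc < BLOCKH / 2; yc++) {
        memcpy(b2, b1, BLOCKW / 2);   /* the "READ of size 2" in the report */
        b1 += width;
        b2 += width;
    }
}

/* Hardened variant: both the destination block and the motion-compensated
 * source block must lie entirely inside a width x height frame, otherwise the
 * block is skipped and false is returned so the caller can reject the frame. */
static bool copy_halfblock_checked(uint8_t *dst, const uint8_t *src,
                                   int width, int height,
                                   int sx, int sy, int mx, int my) {
    int x = sx + mx, y = sy + my;
    if (sx < 0 || sy < 0 || sx + BLOCKW / 2 > width || sy + BLOCKH / 2 > height)
        return false;
    if (x < 0 || y < 0 || x + BLOCKW / 2 > width || y + BLOCKH / 2 > height)
        return false;
    copy_halfblock_unchecked(dst, src, width, sx, sy, mx, my);
    return true;
}

/* Constructed 8x8 frames (src[i] = i). Returns dst[2 + 2*W] after an
 * in-frame copy, or -1 if the check accepted a vector that runs past the
 * last row or rejected a valid one. */
static int demo(void) {
    enum { W = 8, H = 8 };
    uint8_t src[W * H], dst[W * H];
    for (int i = 0; i < W * H; i++) { src[i] = (uint8_t)i; dst[i] = 0; }
    if (!copy_halfblock_checked(dst, src, W, H, 2, 2, 1, 1)) return -1;
    if (copy_halfblock_checked(dst, src, W, H, 6, 6, 1, 1)) return -1;  /* (7,7)+2 > 8 */
    return dst[2 + 2 * W];   /* src[3 + 3*W] = 27 */
}
```

The rejected vector in demo() is the small-scale analogue of the report's read 523 bytes past a 256000-byte frame: the source block starts inside the frame but its last row does not.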