Ticket #13935: ft-asan-drawCharV7-credits.txt

-> while the ending credits scroll

WRITE of size 1 at 0x63100051473f thread T0
    #0 0x1002d101a in Scumm::CharsetRendererV7::drawCharV7(unsigned char*, Common::Rect&, int, int, int, short, Scumm::TextStyleFlags, unsigned char) charset.cpp:2024
    #1 0x1002d15a2 in non-virtual thunk to Scumm::CharsetRendererV7::drawCharV7(unsigned char*, Common::Rect&, int, int, int, short, Scumm::TextStyleFlags, unsigned char) charset.cpp
    #2 0x100f7717a in Scumm::TextRenderer_v7::drawSubstring(char const*, unsigned int, unsigned char*, Common::Rect&, int, int, int, short&, Scumm::TextStyleFlags) string_v7.cpp:173
    #3 0x100f78440 in Scumm::TextRenderer_v7::drawString(char const*, unsigned char*, Common::Rect&, int, int, int, short, Scumm::TextStyleFlags) string_v7.cpp:223
    #4 0x100f844ee in Scumm::ScummEngine_v7::drawBlastTexts() string_v7.cpp:486
    #5 0x1004e2dc1 in Scumm::ScummEngine_v6::drawDirtyScreenParts() gfx.cpp:552
    #6 0x100e09820 in Scumm::ScummEngine::scummLoop(int) scumm.cpp:2587
    #7 0x100dff3a2 in Scumm::ScummEngine::go() scumm.cpp:2289
    #8 0x100e2a63f in Scumm::ScummEngine::run() scumm.h:510
    #9 0x10008807d in runGame(Plugin const*, Plugin const*, OSystem&, Common::String const&) main.cpp:318
    #10 0x10007c463 in scummvm_main main.cpp:619
    #11 0x10006bffa in main macosx-main.cpp:44
    #12 0x1042dd52d in start+0x1cd (dyld:x86_64+0x552d)

0x63100051473f is located 193 bytes to the left of 68226-byte region [0x631000514800,0x631000525282)
allocated by thread T0 here:
    #0 0x104d7731d in wrap__Znam+0x7d (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x5c31d)
    #1 0x100a6de0d in Scumm::ResourceManager::createResource(Scumm::ResType, unsigned short, unsigned int) resource.cpp:860
    #2 0x1004d67e9 in Scumm::ScummEngine::initVirtScreen(Scumm::VirtScreenNumber, int, int, int, bool, bool) gfx.cpp:443
    #3 0x1004ed616 in Scumm::ScummEngine::initBGBuffers(int) gfx.cpp:1015
    #4 0x100ae527b in Scumm::ScummEngine::loadState(int, bool, Common::String&) saveload.cpp:894
    #5 0x100ad8ef8 in Scumm::ScummEngine::loadState(int, bool) saveload.cpp:632
    #6 0x100dfdc2b in Scumm::ScummEngine::go() scumm.cpp:2226
    #7 0x100e2a63f in Scumm::ScummEngine::run() scumm.h:510
    #8 0x10008807d in runGame(Plugin const*, Plugin const*, OSystem&, Common::String const&) main.cpp:318
    #9 0x10007c463 in scummvm_main main.cpp:619
    #10 0x10006bffa in main macosx-main.cpp:44
    #11 0x1042dd52d in start+0x1cd (dyld:x86_64+0x552d)

SUMMARY: AddressSanitizer: heap-buffer-overflow charset.cpp:2024 in Scumm::CharsetRendererV7::drawCharV7(unsigned char*, Common::Rect&, int, int, int, short, Scumm::TextStyleFlags, unsigned char)
Shadow bytes around the buggy address:
  0x1c62000a2890: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c62000a28a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c62000a28b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c62000a28c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c62000a28d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x1c62000a28e0: fa fa fa fa fa fa fa[fa]fa fa fa fa fa fa fa fa
  0x1c62000a28f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c62000a2900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1c62000a2910: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1c62000a2920: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1c62000a2930: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==6197==ABORTING

frame #5: 0x00000001002d101b scummvm`Scumm::CharsetRendererV7::drawCharV7(this=0x000060e000083ec0, buffer="##############################################################################################################", clipRect=0x000063200001330e, x=134, y=0, pitch=320, col=146, flags=kStyleAlignCenter, chr='\x8a') at charset.cpp:2024:10
   2021                 for (int dx = x; dx < x + _origWidth; ++dx) {
   2022                         byte color = (bits >> (8 - bpp)) & 0xFF;
   2023                         if (color && dx >= 0 && dx < x + width && y >= 0)
-> 2024                                 *dst = cmap[color];
   2025                         dst++;
   2026                         bits <<= bpp;
   2027                         numbits -= bpp;

(lldb) p dx
(int) $1 = 135

(lldb) p x
(int) $2 = 134

(lldb) p _origWidth
(int) $3 = 8

(lldb) p/d color
(byte) $5 = 2

(lldb) p width
(int) $6 = 8

(lldb) p/d bpp
(uint8) $8 = 2

(lldb) x/16b cmap
0x63200000f468: 0x00 0x92 0x00 0x03 0x04 0x05 0x06 0x07
0x63200000f470: 0x08 0x09 0x0a 0x0b 0x0c 0x0d 0x0e 0x0f

(lldb) p/d numbits
(byte) $17 = 6