#10323 closed defect (fixed)
FULLPIPE: Main menu, use after free
| Reported by: | bgK | Owned by: | sev- |
|---|---|---|---|
| Priority: | normal | Component: | Engine: NGI |
| Version: | Keywords: | has-backtrace | |
| Cc: | Game: | Full Pipe |
Description
ScummVM: 64c88d4c4fd069dae321cc576259ef88a7cb2b78
Game: German full version
Sometimes the game does an use after free while on the main menu. It's unclear to me what action causes it to misbehave.
==7640==ERROR: AddressSanitizer: heap-use-after-free on address 0x61100042035c at pc 0x55b69f5a749b bp 0x7ffd54628300 sp 0x7ffd546282f0
READ of size 4 at 0x61100042035c thread T0
#0 0x55b69f5a749a in Common::Array<int>::size() const ../common/array.h:214
#1 0x55b69f5ffc52 in Fullpipe::Bitmap::putDibCB(unsigned char*, Common::Array<int> const&) ../engines/fullpipe/gfx.cpp:892
#2 0x55b69f5fef53 in Fullpipe::Bitmap::decode(unsigned char*, Common::Array<int> const&) ../engines/fullpipe/gfx.cpp:745
#3 0x55b69f5fc26d in Fullpipe::Picture::getDibInfo() ../engines/fullpipe/gfx.cpp:524
#4 0x55b69f5fbdea in Fullpipe::Picture::init() ../engines/fullpipe/gfx.cpp:492
#5 0x55b69f5fd7af in Fullpipe::Picture::isPixelHitAtPos(int, int) ../engines/fullpipe/gfx.cpp:653
#6 0x55b69f5f8072 in Fullpipe::PictureObject::isPixelHitAtPos(int, int) ../engines/fullpipe/gfx.cpp:200
#7 0x55b69f651e27 in Fullpipe::ModalMainMenu::checkHover(Common::Point&) ../engines/fullpipe/modal.cpp:1636
#8 0x55b69f6508f0 in Fullpipe::ModalMainMenu::init(int) ../engines/fullpipe/modal.cpp:1491
#9 0x55b69f5e17c2 in Fullpipe::FullpipeEngine::updateScreen() ../engines/fullpipe/fullpipe.cpp:484
#10 0x55b69f5df200 in Fullpipe::FullpipeEngine::run() ../engines/fullpipe/fullpipe.cpp:303
#11 0x55b69f5b0597 in runGame ../base/main.cpp:263
#12 0x55b69f5b2d17 in scummvm_main ../base/main.cpp:529
#13 0x55b69f5abf7e in main ../backends/platform/sdl/posix/posix-main.cpp:45
#14 0x7f62eb8faf69 in __libc_start_main (/usr/lib/libc.so.6+0x20f69)
#15 0x55b69f5a11f9 in _start (/home/bastien/dev/scummvm/build/scummvm+0x1061f9)
0x61100042035c is located 92 bytes inside of 256-byte region [0x611000420300,0x611000420400)
freed by thread T0 here:
#0 0x7f62ee7243c9 in operator delete(void*) /build/gcc/src/gcc/libsanitizer/asan/asan_new_delete.cc:124
#1 0x55b69f698c81 in Fullpipe::Scene::~Scene() ../engines/fullpipe/scene.cpp:129
#2 0x55b69f5eb7e2 in Fullpipe::GameLoader::unloadScene(int) ../engines/fullpipe/gameloader.cpp:421
#3 0x55b69f64ff78 in Fullpipe::ModalMainMenu::init(int) ../engines/fullpipe/modal.cpp:1433
#4 0x55b69f5e17c2 in Fullpipe::FullpipeEngine::updateScreen() ../engines/fullpipe/fullpipe.cpp:484
#5 0x55b69f5df200 in Fullpipe::FullpipeEngine::run() ../engines/fullpipe/fullpipe.cpp:303
#6 0x55b69f5b0597 in runGame ../base/main.cpp:263
#7 0x55b69f5b2d17 in scummvm_main ../base/main.cpp:529
#8 0x55b69f5abf7e in main ../backends/platform/sdl/posix/posix-main.cpp:45
#9 0x7f62eb8faf69 in __libc_start_main (/usr/lib/libc.so.6+0x20f69)
previously allocated by thread T0 here:
#0 0x7f62ee723489 in operator new(unsigned long) /build/gcc/src/gcc/libsanitizer/asan/asan_new_delete.cc:80
#1 0x55b69f6985e6 in Fullpipe::SceneTag::loadScene() ../engines/fullpipe/scene.cpp:101
#2 0x55b69f697a16 in Fullpipe::FullpipeEngine::accessScene(int) ../engines/fullpipe/scene.cpp:52
#3 0x55b69f64d072 in Fullpipe::ModalMainMenu::ModalMainMenu() ../engines/fullpipe/modal.cpp:1240
#4 0x55b69f65c7b7 in Fullpipe::FullpipeEngine::openMainMenu() ../engines/fullpipe/modal.cpp:2489
#5 0x55b69f62c7ef in Fullpipe::global_messageHandler1(Fullpipe::ExCommand*) ../engines/fullpipe/messagehandlers.cpp:164
#6 0x55b69f636000 in Fullpipe::ExCommand::handleMessage() ../engines/fullpipe/messages.cpp:93
#7 0x55b69f63d300 in Fullpipe::processMessages() ../engines/fullpipe/messages.cpp:875
#8 0x55b69f5ecfd2 in Fullpipe::GameLoader::updateSystems(int) ../engines/fullpipe/gameloader.cpp:568
#9 0x55b69f5e1697 in Fullpipe::FullpipeEngine::updateScreen() ../engines/fullpipe/fullpipe.cpp:482
#10 0x55b69f5df200 in Fullpipe::FullpipeEngine::run() ../engines/fullpipe/fullpipe.cpp:303
#11 0x55b69f5b0597 in runGame ../base/main.cpp:263
#12 0x55b69f5b2d17 in scummvm_main ../base/main.cpp:529
#13 0x55b69f5abf7e in main ../backends/platform/sdl/posix/posix-main.cpp:45
#14 0x7f62eb8faf69 in __libc_start_main (/usr/lib/libc.so.6+0x20f69)
Change History (2)
comment:1 by , 6 years ago
| Owner: | set to |
|---|---|
| Resolution: | → fixed |
| Status: | new → closed |
comment:2 by , 3 years ago
| Component: | Engine: Fullpipe → Engine: NGI |
|---|
Note:
See TracTickets
for help on using tickets.
Fixed in a5ab1cd293e417.