#10330 closed defect (fixed)
FULLPIPE: Credits, use after free
| Reported by: | bgK | Owned by: | sev- |
|---|---|---|---|
| Priority: | blocker | Component: | Engine: NGI |
| Version: | Keywords: | has-backtrace | |
| Cc: | Game: | Full Pipe |
Description
ScummVM: Linux / 883fd87e8f665c5621f88d7ca8e0c27cbc274ed8
Game: Fullpipe German full version
Fullpipe does an use after free just before the credits when completing the game.
==16300==ERROR: AddressSanitizer: heap-use-after-free on address 0x61100018339c at pc 0x55c81b2f377b bp 0x7ffddeec0200 sp 0x7ffddeec01f0
READ of size 4 at 0x61100018339c thread T0
#0 0x55c81b2f377a in Common::Array<int>::size() const ../common/array.h:214
#1 0x55c81b34bf32 in Fullpipe::Bitmap::putDibCB(unsigned char*, Common::Array<int> const&) ../engines/fullpipe/gfx.cpp:892
#2 0x55c81b34b233 in Fullpipe::Bitmap::decode(unsigned char*, Common::Array<int> const&) ../engines/fullpipe/gfx.cpp:745
#3 0x55c81b34854d in Fullpipe::Picture::getDibInfo() ../engines/fullpipe/gfx.cpp:524
#4 0x55c81b3480ca in Fullpipe::Picture::init() ../engines/fullpipe/gfx.cpp:492
#5 0x55c81b34d79e in Fullpipe::BigPicture::draw(int, int, int, int) ../engines/fullpipe/gfx.cpp:1081
#6 0x55c81b3ea9c6 in Fullpipe::Scene::drawContent(int, int, bool) ../engines/fullpipe/scene.cpp:723
#7 0x55c81b3e8726 in Fullpipe::Scene::draw() ../engines/fullpipe/scene.cpp:511
#8 0x55c81b34e7e7 in Fullpipe::FullpipeEngine::sceneFade(Fullpipe::Scene*, bool) ../engines/fullpipe/gfx.cpp:1185
#9 0x55c81b398f39 in Fullpipe::ModalCredits::update() ../engines/fullpipe/modal.cpp:1221
#10 0x55c81b32db38 in Fullpipe::FullpipeEngine::updateScreen() ../engines/fullpipe/fullpipe.cpp:485
#11 0x55c81b32b4e0 in Fullpipe::FullpipeEngine::run() ../engines/fullpipe/fullpipe.cpp:303
#12 0x55c81b2fc877 in runGame ../base/main.cpp:263
#13 0x55c81b2feff7 in scummvm_main ../base/main.cpp:529
#14 0x55c81b2f825e in main ../backends/platform/sdl/posix/posix-main.cpp:45
#15 0x7f5750814f69 in __libc_start_main (/usr/lib/libc.so.6+0x20f69)
#16 0x55c81b2ed399 in _start (/home/bastien/dev/scummvm/build/scummvm+0x106399)
0x61100018339c is located 92 bytes inside of 256-byte region [0x611000183340,0x611000183440)
freed by thread T0 here:
#0 0x7f575363d3c9 in operator delete(void*) /build/gcc/src/gcc/libsanitizer/asan/asan_new_delete.cc:124
#1 0x55c81b3e4f5b in Fullpipe::Scene::~Scene() ../engines/fullpipe/scene.cpp:129
#2 0x55c81b337ac2 in Fullpipe::GameLoader::unloadScene(int) ../engines/fullpipe/gameloader.cpp:421
#3 0x55c81b397b14 in Fullpipe::ModalFinal::unloadScenes() ../engines/fullpipe/modal.cpp:1100
#4 0x55c81b3979b1 in Fullpipe::ModalFinal::init(int) ../engines/fullpipe/modal.cpp:1090
#5 0x55c81b32daa2 in Fullpipe::FullpipeEngine::updateScreen() ../engines/fullpipe/fullpipe.cpp:484
#6 0x55c81b32b4e0 in Fullpipe::FullpipeEngine::run() ../engines/fullpipe/fullpipe.cpp:303
#7 0x55c81b2fc877 in runGame ../base/main.cpp:263
#8 0x55c81b2feff7 in scummvm_main ../base/main.cpp:529
#9 0x55c81b2f825e in main ../backends/platform/sdl/posix/posix-main.cpp:45
#10 0x7f5750814f69 in __libc_start_main (/usr/lib/libc.so.6+0x20f69)
previously allocated by thread T0 here:
#0 0x7f575363c489 in operator new(unsigned long) /build/gcc/src/gcc/libsanitizer/asan/asan_new_delete.cc:80
#1 0x55c81b3e48c0 in Fullpipe::SceneTag::loadScene() ../engines/fullpipe/scene.cpp:101
#2 0x55c81b3349fa in Fullpipe::GameLoader::loadScene(int) ../engines/fullpipe/gameloader.cpp:162
#3 0x55c81b50b82b in Fullpipe::sceneFinal_initScene() ../engines/fullpipe/scenes/sceneFinal.cpp:47
#4 0x55c81b3fbcb9 in Fullpipe::FullpipeEngine::sceneSwitcher(Fullpipe::EntranceInfo const&) ../engines/fullpipe/scenes.cpp:1100
#5 0x55c81b3353e6 in Fullpipe::GameLoader::gotoScene(int, int) ../engines/fullpipe/gameloader.cpp:210
#6 0x55c81b37a917 in Fullpipe::global_messageHandler3(Fullpipe::ExCommand*) ../engines/fullpipe/messagehandlers.cpp:379
#7 0x55c81b3822da in Fullpipe::ExCommand::handleMessage() ../engines/fullpipe/messages.cpp:93
#8 0x55c81b3895da in Fullpipe::processMessages() ../engines/fullpipe/messages.cpp:875
#9 0x55c81b3392b2 in Fullpipe::GameLoader::updateSystems(int) ../engines/fullpipe/gameloader.cpp:568
#10 0x55c81b32d977 in Fullpipe::FullpipeEngine::updateScreen() ../engines/fullpipe/fullpipe.cpp:482
#11 0x55c81b32b4e0 in Fullpipe::FullpipeEngine::run() ../engines/fullpipe/fullpipe.cpp:303
#12 0x55c81b2fc877 in runGame ../base/main.cpp:263
#13 0x55c81b2feff7 in scummvm_main ../base/main.cpp:529
#14 0x55c81b2f825e in main ../backends/platform/sdl/posix/posix-main.cpp:45
#15 0x7f5750814f69 in __libc_start_main (/usr/lib/libc.so.6+0x20f69)
Steps to reproduce:
- Load the attached save
- Pick up the coin
This might be a duplicate of #10323.
Attachments (1)
Change History (4)
by , 7 years ago
| Attachment: | fullpipe.s15 added |
|---|
comment:1 by , 7 years ago
This is due to g_fp->_globalPalette being a pointer into a Scene that gets deleted. (Set in Scene::drawContent)
comment:2 by , 7 years ago
| Owner: | set to |
|---|---|
| Resolution: | → fixed |
| Status: | new → closed |
Fixed in a5ab1cd293e417.
comment:3 by , 4 years ago
| Component: | Engine: Fullpipe → Engine: NGI |
|---|
Note:
See TracTickets
for help on using tickets.
Just before the ending