Opened 7 years ago
Closed 7 years ago
#10350 closed defect (fixed)
GOB: URBAN: Return to launcher causes crash
| Reported by: | dafioram | Owned by: | csnover |
|---|---|---|---|
| Priority: | blocker | Component: | Engine: Gob |
| Version: | | Keywords: | has-pull-request |
| Cc: | | Game: | Urban Runner |
Description
ScummVM: 2.1.0git-31-gc78fa86860
Game: Urban Runner DOS/English
OS: Ubuntu 17.04
- Start game.
- Open the GMM and try to return to the GUI.
```
#0 0x00007ffff481a77f in __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:58
#1 0x00007ffff481c37a in __GI_abort () at abort.c:89
#2 0x00007ffff485e090 in __libc_message (do_abort=do_abort@entry=2, fmt=fmt@entry=0x7ffff4974000 "*** Error in `%s': %s: 0x%s ***\n") at ../sysdeps/posix/libc_fatal.c:175
#3 0x00007ffff4867c3a in malloc_printerr (ar_ptr=<optimized out>, ptr=<optimized out>, str=0x7ffff4974158 "free(): invalid next size (normal)", action=3) at malloc.c:5048
#4 0x00007ffff4867c3a in _int_free (av=<optimized out>, p=<optimized out>, have_lock=<optimized out>) at malloc.c:3904
#5 0x00007ffff486bd2c in __GI___libc_free (mem=<optimized out>) at malloc.c:2984
#6 0x00005555557bb0ab in Graphics::CursorManager::Cursor::~Cursor() (this=0x55555649ef70, __in_chrg=<optimized out>) at graphics/cursorman.cpp:262
#7 0x00005555557ba630 in Graphics::CursorManager::popCursor() (this=0x5555564b1c60) at graphics/cursorman.cpp:76
#8 0x000055555577272b in Engine::~Engine() (this=0x5555566a0180, __in_chrg=<optimized out>) at engines/engine.cpp:190
#9 0x00005555555dca59 in Gob::GobEngine::~GobEngine() (this=0x5555566a0180, __in_chrg=<optimized out>) at engines/gob/gob.cpp:155
#10 0x00005555555dca74 in Gob::GobEngine::~GobEngine() (this=0x5555566a0180, __in_chrg=<optimized out>) at engines/gob/gob.cpp:159
#11 0x00005555555c3d7e in runGame(EnginePlugin const*, OSystem&, Common::String const&) (plugin=0x555555d94fa0, system=..., edebuglevels=...) at base/main.cpp:272
#12 0x00005555555c4f3a in scummvm_main(int, char const* const*) (argc=1, argv=0x7fffffffe058) at base/main.cpp:529
#13 0x00005555555c1e18 in main(int, char**) (argc=1, argv=0x7fffffffe058) at backends/platform/sdl/posix/posix-main.cpp:45
```
Change History (3)
comment:1 by , 7 years ago
| Owner: | set to |
|---|---|
| Priority: | normal → blocker |
comment:2 by , 7 years ago
| Keywords: | has-pull-request added |
|---|---|
comment:3 by , 7 years ago
| Resolution: | → fixed |
|---|---|
| Status: | new → closed |
Thanks for your report! A patch for this issue has been added in commit 20b2c1b7e156f0586799f7df9d6e93c757dabeac and will be available in daily builds 2.1.0git-34 and later. This patch was also backported to 2.0 in commit 58cbd45ef5b6776b761fc3d51f531a8d12946c24.
Simply opening the launcher results in a buffer overflow trying to write to the cursor memory due to some confusion about the format of the cursor (this will be #10349 too), and on macOS at least the videos are also R-B swapped which is no good. The cursor stuff will end up being my fault. The game is apparently sending colour-keyed 32bpp cursors, which is weird to me since that should have just been rendered broken in the past. The R-B swap is probably my fault too, though that one is a little mysterious to me. I’ll take care of this first thing tomorrow unless someone swoops in and saves me from myself again.
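The comment above attributes the crash to a cursor buffer sized for one pixel format while the data arrives in another (colour-keyed 32bpp), and the backtrace in the description fits that pattern: glibc only notices the damage ("free(): invalid next size") when the cursor is freed during engine teardown, so the faulting frame is not where the out-of-bounds write happened. The C++ below is an added example and is not ScummVM code; `CursorSpec`, `cursorBufferSize`, `cursorCopyWouldOverflow` and `copyCursorChecked` are hypothetical names and the 16x16 sample cursor is constructed. It shows the defect class (destination sized from the assumed format, copy driven by the actual format) and a hardened copy that sizes the buffer from the real bytes-per-pixel with overflow-checked arithmetic and rejects short input.

```cpp
#include <cstdint>
#include <cstddef>
#include <cstring>
#include <cstdio>
#include <limits>
#include <vector>

// Hypothetical cursor descriptor for this example; not a ScummVM type.
struct CursorSpec {
    uint32_t width;
    uint32_t height;
    uint32_t bytesPerPixel; // 1 = paletted 8bpp, 2 = 16bpp, 4 = 32bpp
};

// Bytes needed for the pixel buffer described by `s`, or 0 when the spec
// is invalid or width * height * bytesPerPixel would not fit in size_t.
size_t cursorBufferSize(const CursorSpec &s) {
    if (s.width == 0 || s.height == 0) return 0;
    if (s.bytesPerPixel != 1 && s.bytesPerPixel != 2 && s.bytesPerPixel != 4) return 0;
    const uint64_t limit = std::numeric_limits<size_t>::max();
    // (2^32-1)^2 fits in uint64_t, so this product cannot wrap.
    uint64_t pixels = uint64_t(s.width) * uint64_t(s.height);
    // Check before multiplying by bytesPerPixel; that step can wrap.
    if (pixels > limit / s.bytesPerPixel) return 0;
    return static_cast<size_t>(pixels * s.bytesPerPixel);
}

// The defect class behind this ticket: the destination is allocated from the
// format the engine believes the cursor has (`declared`) while the copy is
// driven by the format the data really arrives in (`actual`). Returns true
// when such a copy would run past the end of the destination.
bool cursorCopyWouldOverflow(const CursorSpec &declared, const CursorSpec &actual) {
    size_t dst = cursorBufferSize(declared);
    size_t src = cursorBufferSize(actual);
    if (dst == 0 || src == 0) return true; // invalid spec: treat as unsafe
    return src > dst;
}

// Hardened copy: size the buffer from the format the data actually has and
// verify the caller supplied at least that many bytes before touching memory.
// Returns an empty vector when the request is rejected.
std::vector<uint8_t> copyCursorChecked(const CursorSpec &actual,
                                       const uint8_t *src, size_t srcLen) {
    size_t need = cursorBufferSize(actual);
    if (need == 0 || src == nullptr || srcLen < need) return {};
    std::vector<uint8_t> buf(need);
    std::memcpy(buf.data(), src, need);
    return buf;
}

int main() {
    // Constructed sample: a 16x16 cursor the engine assumes is 8bpp but
    // which is actually delivered as 32bpp.
    CursorSpec assumed8bpp{16, 16, 1};
    CursorSpec actual32bpp{16, 16, 4};
    std::printf("8bpp buffer: %zu bytes, 32bpp buffer: %zu bytes\n",
                cursorBufferSize(assumed8bpp), cursorBufferSize(actual32bpp));
    std::printf("copy would overflow: %s\n",
                cursorCopyWouldOverflow(assumed8bpp, actual32bpp) ? "yes" : "no");

    std::vector<uint8_t> pixels(1024, 0xAB);
    std::printf("checked copy with 512 bytes accepted: %s\n",
                copyCursorChecked(actual32bpp, pixels.data(), 512).empty() ? "no" : "yes");
    std::printf("checked copy with 1024 bytes accepted: %s\n",
                copyCursorChecked(actual32bpp, pixels.data(), 1024).empty() ? "no" : "yes");
    return 0;
}
```

The mismatch only becomes visible at `free()` because the overflow writes into the neighbouring heap chunk's header, which is exactly what the reporter's backtrace shows; running the affected build under AddressSanitizer or valgrind would instead report the write itself at the cursor-copy site.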