Opened 6 years ago

Closed 6 years ago

#10350 closed defect (fixed)

GOB: URBAN: Return to launcher causes crash

Reported by: dafioram Owned by: csnover
Priority: blocker Component: Engine: Gob
Version: Keywords: has-pull-request
Cc: Game: Urban Runner

Description

ScummVM: 2.1.0git-31-gc78fa86860
Game: Urban Runner DOS/English
OS: Ubuntu 17.04

  1. Start game.
  2. open gmm and try to return to gui
#0  0x00007ffff481a77f in __GI_raise (sig=sig@entry=6)
    at ../sysdeps/unix/sysv/linux/raise.c:58
#1  0x00007ffff481c37a in __GI_abort () at abort.c:89
#2  0x00007ffff485e090 in __libc_message (do_abort=do_abort@entry=2, fmt=fmt@entry=0x7ffff4974000 "*** Error in `%s': %s: 0x%s ***\n")
    at ../sysdeps/posix/libc_fatal.c:175
#3  0x00007ffff4867c3a in malloc_printerr (ar_ptr=<optimized out>, ptr=<optimized out>, str=0x7ffff4974158 "free(): invalid next size (normal)", action=3)
    at malloc.c:5048
#4  0x00007ffff4867c3a in _int_free (av=<optimized out>, p=<optimized out>, have_lock=<optimized out>) at malloc.c:3904
#5  0x00007ffff486bd2c in __GI___libc_free (mem=<optimized out>)
    at malloc.c:2984
#6  0x00005555557bb0ab in Graphics::CursorManager::Cursor::~Cursor() (this=0x55555649ef70, __in_chrg=<optimized out>) at graphics/cursorman.cpp:262
#7  0x00005555557ba630 in Graphics::CursorManager::popCursor() (this=0x5555564b1c60) at graphics/cursorman.cpp:76
#8  0x000055555577272b in Engine::~Engine() (this=0x5555566a0180, __in_chrg=<optimized out>) at engines/engine.cpp:190
#9  0x00005555555dca59 in Gob::GobEngine::~GobEngine() (this=0x5555566a0180, __in_chrg=<optimized out>) at engines/gob/gob.cpp:155
#10 0x00005555555dca74 in Gob::GobEngine::~GobEngine() (this=0x5555566a0180, __in_chrg=<optimized out>) at engines/gob/gob.cpp:159
#11 0x00005555555c3d7e in runGame(EnginePlugin const*, OSystem&, Common::String const&) (plugin=0x555555d94fa0, system=..., edebuglevels=...)
    at base/main.cpp:272
#12 0x00005555555c4f3a in scummvm_main(int, char const* const*) (argc=1, argv=0x7fffffffe058) at base/main.cpp:529
#13 0x00005555555c1e18 in main(int, char**) (argc=1, argv=0x7fffffffe058)
    at backends/platform/sdl/posix/posix-main.cpp:45

Change History (3)

comment:1 by csnover, 6 years ago

Owner: set to csnover
Priority: normalblocker

Simply opening the launcher results in a buffer overflow trying to write to the cursor memory due to some confusion about the format of the cursor (this will be #10349 too), and on macOS at least the videos are also R-B swapped which is no good. The cursor stuff will end up being my fault. The game is apparently sending colour-keyed 32bpp cursors, which is weird to me since that should have just been rendered broken in the past. The R-B swap is probably my fault too, though that one is a little mysterious to me. I’ll take care of this first thing tomorrow unless someone swoops in and saves me from myself again.

comment:2 by csnover, 6 years ago

Keywords: has-pull-request added

comment:3 by csnover, 6 years ago

Resolution: fixed
Status: newclosed

Thanks for your report! A patch for this issue has been added in commit 20b2c1b7e156f0586799f7df9d6e93c757dabeac and will be available in daily builds 2.1.0git-34 and later. This patch was also backported to 2.0 in commit 58cbd45ef5b6776b761fc3d51f531a8d12946c24.

Note: See TracTickets for help on using tickets.