Opened 4 years ago
Closed 4 years ago
#12465 closed defect (fixed)
AGS: Crash when exiting Mage's Initiation
Reported by: | criezy | Owned by: | dreammaster |
---|---|---|---|
Priority: | normal | Component: | Engine: AGS |
Version: | Keywords: | ||
Cc: | Game: |
Description
When we start Mage's Initiation and select the Quit option from the game menu, ScummVM crashes with a buffer overflow in

```
#0  in AGS3::ExecutingScript::init() executingscript.cpp:83
#1  in AGS3::PrepareTextScript(AGS3::ccInstance*, char const**) script.cpp:314
#2  in AGS3::RunScriptFunctionIfExists(AGS3::ccInstance*, char const*, int, AGS3::RuntimeScriptValue const*) script.cpp:349
#3  in AGS3::run_claimable_event(char const*, bool, int, AGS3::RuntimeScriptValue const*, bool*) event.cpp:72
#4  in AGS3::RunTextScript2IParam(AGS3::ccInstance*, char const*, AGS3::RuntimeScriptValue const&, AGS3::RuntimeScriptValue const&) script.cpp:435
#5  in AGS3::RunScriptFunction(AGS3::ScriptInstType, char const*, unsigned long, AGS3::RuntimeScriptValue const&, AGS3::RuntimeScriptValue const&) script.cpp:265
#6  in AGS3::QueueScriptFunction(AGS3::ScriptInstType, char const*, unsigned long, AGS3::RuntimeScriptValue const&, AGS3::RuntimeScriptValue const&) script.cpp:258
#7  in AGS3::run_on_event(int, AGS3::RuntimeScriptValue&) event.cpp:87
#8  in AGS3::gui_on_mouse_down(int, int) gui.cpp:659
#9  in AGS3::check_mouse_controls() game_run.cpp:227
#10 in AGS3::check_controls() game_run.cpp:507
#11 in AGS3::game_loop_check_controls(bool) game_run.cpp:554
#12 in AGS3::UpdateGameOnce(bool, AGS3::AGS::Engine::IDriverDependantBitmap*, int, int) game_run.cpp:727
#13 in AGS3::GameTick() game_run.cpp:865
#14 in AGS3::RunGameUntilAborted() game_run.cpp:956
```

The issue is that in PrepareTextScript it starts using more scripts than allocated in the Globals::_scripts array:

```
_G(scripts)[_G(num_scripts)].init();
_G(scripts)[_G(num_scripts)].inst = sci;
...
_G(num_scripts)++;
```

In the original it never uses more than one script at a time on this title screen. In ScummVM that is also the case until we click on Quit, and then it starts using more and more scripts until it crashes.
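A small model of the overflow described above and of the abort check the fix relies on, as an added example that is not ScummVM code; MAX_SCRIPTS, the function names and the `on_event` sample are assumptions:

```c
/* Added example, not ScummVM code: a small model of the AGS executing-script
 * stack the ticket describes. MAX_SCRIPTS and all function names are assumed. */
#include <stdbool.h>
#define MAX_SCRIPTS 10                     /* assumed size of the fixed array */

static const char *scripts[MAX_SCRIPTS];   /* stands in for Globals::_scripts */
static int  num_scripts  = 0;              /* stands in for _G(num_scripts) */
static bool abort_engine = false;          /* stands in for _G(abort_engine) */

/* Model of PrepareTextScript: the unchecked original indexes scripts[num_scripts]
 * unconditionally, so it overflows once the array is full. Report instead. */
int script_push(const char *inst) {
    if (num_scripts >= MAX_SCRIPTS)
        return -1;
    scripts[num_scripts++] = inst;
    return 0;
}

/* The pop every push must reach, including on the quit path. */
int script_pop(void) {
    if (num_scripts <= 0)
        return -1;
    scripts[--num_scripts] = 0;
    return 0;
}

/* Model of RunScriptFunction in the fixed engine: bail out before pushing
 * while shutdown is in progress (the check the fix added in more places). */
int run_script_function(const char *inst) {
    if (abort_engine)
        return -1;
    if (script_push(inst) != 0)
        return -2;
    return script_pop();                   /* script body would run in between */
}

/* Simulate `iterations` event dispatches on the quit path. Without the abort
 * check each dispatch pushes and never pops (the leak); with it, nothing is
 * pushed. Returns the slot count afterwards; the guard caps it at MAX_SCRIPTS. */
int simulate_quit_dispatch(int iterations, bool honour_abort) {
    num_scripts = 0;
    abort_engine = honour_abort;
    for (int i = 0; i < iterations; i++) {
        if (honour_abort)
            run_script_function("on_event");
        else
            script_push("on_event");
    }
    abort_engine = false;
    return num_scripts;
}
```

Running the unchecked quit path stops at the array bound instead of corrupting memory, while the abort-aware path never consumes a slot at all.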
Change History (2)
comment:1 by , 4 years ago
This might have the same cause as #12461.
comment:2 by , 4 years ago
Owner: | set to |
---|---|
Resolution: | → fixed |
Status: | new → closed |
Thanks for doing the analysis, and pointing out the possible duplicate. It turned out to be that the original has the "quit" method halt the program by calling SDL_Quit, whereas for ScummVM I have to have a bunch of "if (_G(abort_engine)) return -1" in various places to allow a graceful break out of the game loop (since we don't allow exceptions in engines yet). Turns out I needed to add a few more.