Opened 9 months ago

Last modified 9 months ago

#12856 closed defect

SUPERNOVA: Buffer overflow when speaking to NPC in Palace of Culture — at Initial Version

Reported by: criezy
Owned by:
Priority: normal
Component: Engine: Supernova
Version:
Keywords:
Cc:
Game: Mission Supernova Teil 2: Der Doppelgänger


Here is the information provided by Address Sanitizer:

==33230==ERROR: AddressSanitizer: global-buffer-overflow on address 0x00010caab00c at pc 0x000106112584 bp 0x00016fa6a390 sp 0x00016fa6a388
READ of size 4 at 0x00010caab00c thread T0
    #0 0x106112580 in Supernova::GameManager::dialog(int, unsigned char*, int*, int) game-manager.cpp:642
    #1 0x1060b5410 in Supernova::CulturePalace::interact(Supernova::Action, Supernova::Object&, Supernova::Object&)+0x328 (scummvm:arm64+0x105d25410)
    #2 0x106141c38 in Supernova::GameManager2::handleInput()+0x5c0 (scummvm:arm64+0x105db1c38)
    #3 0x106143634 in Supernova::GameManager2::executeRoom()+0x448 (scummvm:arm64+0x105db3634)
    #4 0x10614df98 in Supernova::SupernovaEngine::run() supernova.cpp:118
    #5 0x10040e990 in runGame(Plugin const*, Plugin const*, OSystem&, Common::String const&) main.cpp:311
    #6 0x100409a54 in scummvm_main main.cpp:618
    #7 0x1004010d0 in main macosx-main.cpp:45
    #8 0x18b09d42c in start+0x0 (libdyld.dylib:arm64e+0x1842c)

0x00010caab00c is located 52 bytes to the left of global variable 'dials1' defined in 'engines/supernova/supernova2/rooms.cpp:844:14' (0x10caab040) of size 3
0x00010caab00c is located 0 bytes to the right of global variable 'dial1' defined in 'engines/supernova/supernova2/rooms.cpp:839:13' (0x10caab000) of size 12

This is on a Mac M1 with current master (18ee050adf).

Change History (1)

by criezy, 9 months ago

Attachment: ms2_save.010 added