Lands Of Lore - game crashes in Catwalk Caverns

[billniakas]

I've come across this bug several times because Lands Of Lore is one of my favorite games. The first time I've encountered this bug is (i think in 1.6.0 or 1.7.0). This bug wont let me go to level 2 of the Catwalk Caverns and level 2 is crucial for the game progress. The bug occurs only in Linux (all the windows versions that I've tried seem to work fine). So here we go

Distro: Arch Linux
ScummVM version: 1.9.0
Game Language : English
Game Version : CD/DOS/English
First time encounter : ScummVM version 1.6.0 or 1.7.0

PS. I Attached a save game and the only thing you need to do is to go down the stairs in order to crash the game

[billniakas]

Save file just before going down the stairs and crash the game

[wjp]

I can't reproduce this in Linux. Which graphics / audio settings are you using? Are there any messages in the terminal? Could you use gdb to get a backtrace?

[billniakas]

Replying to wjp:

I can't reproduce this in Linux. Which graphics / audio settings are you using? Are there any messages in the terminal? Could you use gdb to get a backtrace?

I use aspect correction and full screen mode

[wjp]

Ah, this is fortify complaining. I can't reproduce it at _FORTIFY_SOURCE=1 but I do see it at _FORTIFY_SOURCE=2. Backtrace with symbols below. We'll have to investigate further to see what's happening.

#4  0x00007ffff4d8b990 in __chk_fail () from /lib64/libc.so.6
#5  0x00000000004c17a1 in strcpy (__src=0x1d0723a "CAV_PLT3.PAL", 
    __dest=0x17903ee "CAV_PLT3.PAL") at /usr/include/bits/string3.h:110
#6  Kyra::LoLEngine::loadLevelGraphics (this=this@entry=0x178b860, 
    file=<optimized out>, specialColor=<optimized out>, 
    weight=<optimized out>, vcnLen=-1, vmpLen=-1, 
    palFile=0x1d0723a "CAV_PLT3.PAL") at engines/kyra/scene_lol.cpp:307
#7  0x00000000004ca7d6 in Kyra::LoLEngine::olol_loadLevelGraphics (
    this=0x178b860, script=0x7fffffffc980) at engines/kyra/script_lol.cpp:211
#8  0x000000000046ae9f in Kyra::EMCInterpreter::op_sysCall (
    this=<optimized out>, script=0x7fffffffc980) at engines/kyra/script.cpp:306
#9  0x000000000046b98d in Kyra::EMCInterpreter::run (this=<optimized out>, 
    script=script@entry=0x7fffffffc980) at engines/kyra/script.cpp:208
#10 0x00000000004d0a79 in Kyra::LoLEngine::runInitScript (
    this=this@entry=0x178b860, filename=0x7fffffffcaf0 "LEVEL25.INI", 
    optionalFunc=0) at engines/kyra/script_lol.cpp:46
#11 0x00000000004c4a66 in Kyra::LoLEngine::loadLevel (
    this=this@entry=0x178b860, index=25) at engines/kyra/scene_lol.cpp:74
#12 0x00000000004cc5ee in Kyra::LoLEngine::olol_loadNewLevel (this=0x178b860, 
    script=0x7fffffffcbd0) at engines/kyra/script_lol.cpp:903
#13 0x000000000046ae9f in Kyra::EMCInterpreter::op_sysCall (
    this=<optimized out>, script=0x7fffffffcbd0) at engines/kyra/script.cpp:306
#14 0x000000000046b98d in Kyra::EMCInterpreter::run (this=<optimized out>, 
    script=script@entry=0x7fffffffcbd0) at engines/kyra/script.cpp:208
#15 0x00000000004d0cbf in Kyra::LoLEngine::runLevelScriptCustom (
    this=0x178b860, block=325, flags=2, charNum=charNum@entry=-1, 
    item=item@entry=0, reg3=reg3@entry=0, reg4=0)
    at engines/kyra/script_lol.cpp:88
#16 0x00000000004d0cf6 in Kyra::LoLEngine::runLevelScript (
    this=<optimized out>, block=<optimized out>, flags=<optimized out>)
    at engines/kyra/script_lol.cpp:66

[billniakas]

Replying to wjp:

Ah, this is fortify complaining. I can't reproduce it at _FORTIFY_SOURCE=1 but I do see it at _FORTIFY_SOURCE=2. Backtrace with symbols below. We'll have to investigate further to see what's happening.

#4  0x00007ffff4d8b990 in __chk_fail () from /lib64/libc.so.6
#5  0x00000000004c17a1 in strcpy (__src=0x1d0723a "CAV_PLT3.PAL", 
    __dest=0x17903ee "CAV_PLT3.PAL") at /usr/include/bits/string3.h:110
#6  Kyra::LoLEngine::loadLevelGraphics (this=this@entry=0x178b860, 
    file=<optimized out>, specialColor=<optimized out>, 
    weight=<optimized out>, vcnLen=-1, vmpLen=-1, 
    palFile=0x1d0723a "CAV_PLT3.PAL") at engines/kyra/scene_lol.cpp:307
#7  0x00000000004ca7d6 in Kyra::LoLEngine::olol_loadLevelGraphics (
    this=0x178b860, script=0x7fffffffc980) at engines/kyra/script_lol.cpp:211
#8  0x000000000046ae9f in Kyra::EMCInterpreter::op_sysCall (
    this=<optimized out>, script=0x7fffffffc980) at engines/kyra/script.cpp:306
#9  0x000000000046b98d in Kyra::EMCInterpreter::run (this=<optimized out>, 
    script=script@entry=0x7fffffffc980) at engines/kyra/script.cpp:208
#10 0x00000000004d0a79 in Kyra::LoLEngine::runInitScript (
    this=this@entry=0x178b860, filename=0x7fffffffcaf0 "LEVEL25.INI", 
    optionalFunc=0) at engines/kyra/script_lol.cpp:46
#11 0x00000000004c4a66 in Kyra::LoLEngine::loadLevel (
    this=this@entry=0x178b860, index=25) at engines/kyra/scene_lol.cpp:74
#12 0x00000000004cc5ee in Kyra::LoLEngine::olol_loadNewLevel (this=0x178b860, 
    script=0x7fffffffcbd0) at engines/kyra/script_lol.cpp:903
#13 0x000000000046ae9f in Kyra::EMCInterpreter::op_sysCall (
    this=<optimized out>, script=0x7fffffffcbd0) at engines/kyra/script.cpp:306
#14 0x000000000046b98d in Kyra::EMCInterpreter::run (this=<optimized out>, 
    script=script@entry=0x7fffffffcbd0) at engines/kyra/script.cpp:208
#15 0x00000000004d0cbf in Kyra::LoLEngine::runLevelScriptCustom (
    this=0x178b860, block=325, flags=2, charNum=charNum@entry=-1, 
    item=item@entry=0, reg3=reg3@entry=0, reg4=0)
    at engines/kyra/script_lol.cpp:88
#16 0x00000000004d0cf6 in Kyra::LoLEngine::runLevelScript (
    this=<optimized out>, block=<optimized out>, flags=<optimized out>)
    at engines/kyra/script_lol.cpp:66

Which symbols should i use? All of them? Btw i compiled the latest git version and the bug is gone. The compiled version is tested in Ubuntu 16.10.

[wjp]

Thanks for the report. This was an actual buffer overflow, and I've just committed a fix to git master.

The crash you were seeing was fortify detecting the buffer overflow (and aborting on it) even if it didn't necessarily cause any problems by itself, and would depend on 32/64 bit and any internal padding for struct alignment.