Opened 7 years ago

Closed 7 years ago

#9727 closed defect (fixed)

SCI: KQ4: Crash during intro

Reported by: Kurufinwe21
Owned by: csnover
Priority: normal
Component: Engine: SCI
Version:
Keywords:
Cc:
Game: King's Quest 4

Description

KQ4 crashes during the intro, after the credits (before going to the Castle Daventry throne room).

The error message is:
Access violation seeking sound.104: 4749 + 1 > 4749 (abs: 4782 + 1 > 4782)!

It happens regardless of the music device selected (AdLib or MT-32).

ScummVM version: 1.10.0git3031-g910e6816ea (win32 daily build from the ScummVM website) running on Windows 10 (64 bit).

N.B.: The bug does not occur with the latest release (1.9.0.2).

Game version: KQ4 SCI DOS English (from the RW Anthology).

Change History (2)

comment:1 by csnover, 7 years ago

This is the relevant part of the call stack for this crash:

#4	0x0000000100490609 in Sci::MidiParser_SCI::midiFilterChannels(int) at scummvm/engines/sci/sound/midiparser_sci.cpp:249
#5	0x000000010048ffef in Sci::MidiParser_SCI::loadMusic(Sci::SoundResource::Track*, Sci::MusicEntry*, int, Sci::SciVersion) at scummvm/engines/sci/sound/midiparser_sci.cpp:110
#6	0x00000001004a3dcd in Sci::SciMusic::soundInitSnd(Sci::MusicEntry*) at scummvm/engines/sci/sound/music.cpp:414
#7	0x00000001004b6344 in Sci::SoundCommandParser::initSoundResource(Sci::MusicEntry*) at scummvm/engines/sci/sound/soundcmd.cpp:117
#8	0x00000001004b40c8 in Sci::SoundCommandParser::processInitSound(Sci::reg_t) at scummvm/engines/sci/sound/soundcmd.cpp:144
#9	0x00000001004cc692 in Sci::SoundCommandParser::startNewSound(int) at scummvm/engines/sci/sound/soundcmd.cpp:873

The affected sound resource contains two MIDI Stop (0xFC) system commands, instead of just one (normally they only have one). When there is more data after the Stop command, as in sound 104, the filter loop continues to run. This causes an unconditional read of 2 bytes, where curDelta becomes 0xFC (the second Stop command), and trying to read curByte now raises an access violation as it is an out-of-bounds read.

I think the correct solution is to just break out of the filter loop when an 0xFC command is seen, but I want to double-check with someone else with more MIDI knowledge before doing that (since I don’t know for sure that such commands cannot validly show up in the middle of a sound resource).
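
A toy model of the failure mode described in this comment, added here as an illustration and not ScummVM's own parser code: a bounds-checked filter over a simplified SCI-style track that reports an overrun instead of faulting, run once with the loop continuing past 0xFC (as in the ticket) and once with the suggested fix of breaking at the first 0xFC. The track layout, the function names and the sample track are constructed assumptions.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

// Constructed toy format modelled on the description above, not the real
// SCI sound resource layout: a track is a sequence of <delta><status><data...>.
static const uint8_t kMidiStop = 0xFC;   // MIDI Stop system real-time byte

// Data bytes that follow a channel voice status byte (hypothetical helper).
static int dataBytes(uint8_t status) {
    switch (status & 0xF0) {
    case 0xC0: case 0xD0: return 1;   // program change, channel pressure
    default:              return 2;   // note on/off, aftertouch, controller, bend
    }
}

struct FilterResult {
    size_t events;      // channel events accepted
    size_t stopsSeen;   // 0xFC bytes consumed as commands
    bool outOfBounds;   // a read would have run past the buffer
};

// stopAtFirstStop=false mimics the loop in the ticket, which keeps running after
// 0xFC; true applies the fix proposed in comment:1. Every read is bounds-checked
// so the overrun is reported rather than triggered.
FilterResult filterTrack(const std::vector<uint8_t>& track, bool stopAtFirstStop) {
    FilterResult r{0, 0, false};
    size_t pos = 0;
    while (pos < track.size()) {
        if (pos + 2 > track.size()) { r.outOfBounds = true; break; } // delta + status
        pos++;                                   // delta byte (unused in this model)
        uint8_t curByte = track[pos++];
        if (curByte == kMidiStop) {
            ++r.stopsSeen;
            if (stopAtFirstStop) break;
            continue;                            // ticket behaviour: keep filtering
        }
        if (curByte < 0x80) { r.outOfBounds = true; break; } // malformed: no status
        size_t n = static_cast<size_t>(dataBytes(curByte));
        if (pos + n > track.size()) { r.outOfBounds = true; break; }
        pos += n;
        ++r.events;
    }
    return r;
}

// Constructed track: two events, a Stop, then a stray trailing Stop with no byte
// after it, the same shape as the two-0xFC resource described in the comment.
const std::vector<uint8_t> kTwoStopTrack = {
    0x00, 0x90, 0x3C, 0x40,   // delta 0, note on, channel 0
    0x10, 0x80, 0x3C, 0x00,   // delta 16, note off, channel 0
    0x00, 0xFC,               // first Stop
    0xFC                      // second Stop: read as a delta, status byte missing
};
```

With the loop left running, the second 0xFC is consumed as a delta and the status read falls outside the buffer; breaking at the first Stop leaves the trailing byte unread.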

comment:2 by csnover, 7 years ago

Owner: set to csnover
Resolution: fixed
Status: new → closed

Fixed in 4946f149b40ca421e7da6cad64ffbbf1b37744e3. Thanks for the report!
