Opened 7 years ago

Closed 7 years ago

#9844 closed defect (fixed)

SCI: PQ4: kIsOnMe out of bounds read

Reported by: bgK
Owned by: csnover
Priority: normal
Component: Engine: SCI
Version: (none)
Keywords: sci32
Cc: (none)
Game: Police Quest 4


Game: Police Quest 4 DOS / French
ScummVM: eedbb7df4e256e752c861b1828cd4b1ac55d59bc

At the beginning of the game, at Katherine's place, clicking on Katherine with the Speech icon sometimes triggers an assertion failure. I'm not sure what exactly triggers the assertion failure. Most of the time speaking with Katherine works fine. Maybe the mouse pointer position?

To reproduce, load the attached save game (which is for the French version) or go to Katherine's place, make her upset, leave, and enter her house again. Use the speech icon on Katherine. Multiple attempts may be needed.


scummvm: ../engines/sci/graphics/celobj32.cpp:325: const byte* Sci::READER_Compressed::getRow(int16): Assertion `y >= 0 && y < _sourceHeight' failed.

Thread 1 "scummvm" received signal SIGABRT, Aborted.
0x00007ffff495b670 in raise () from /usr/lib/
(gdb) bt
#0  0x00007ffff495b670 in raise () from /usr/lib/
#1  0x00007ffff495cd00 in abort () from /usr/lib/
#2  0x00007ffff495445a in __assert_fail_base () from /usr/lib/
#3  0x00007ffff49544d2 in __assert_fail () from /usr/lib/
#4  0x00000000005a2389 in Sci::READER_Compressed::getRow (this=0x7ffffffb60f0, y=27) at ../engines/sci/graphics/celobj32.cpp:325
#5  0x000000000059f25a in Sci::CelObj::readPixel (this=0x33f6f50, x=20, y=27, mirrorX=false) at ../engines/sci/graphics/celobj32.cpp:599
#6  0x00000000005b3273 in Sci::GfxFrameout::isOnMe (this=0x340c840, screenItem=..., plane=..., position=..., checkPixel=true)
    at ../engines/sci/graphics/frameout.cpp:1232
#7  0x00000000005b304b in Sci::GfxFrameout::kernelIsOnMe (this=0x340c840, object=..., position=..., checkPixel=true)
    at ../engines/sci/graphics/frameout.cpp:1203
#8  0x000000000059a851 in Sci::kIsOnMe (s=0x33c82c0, argc=4, argv=0x33fd888) at ../engines/sci/engine/kgraphics32.cpp:259
#9  0x000000000053fe95 in Sci::callKernelFunc (s=0x33c82c0, kernelCallNr=18, argc=4) at ../engines/sci/engine/vm.cpp:377
#10 0x0000000000541fe4 in Sci::run_vm (s=0x33c82c0) at ../engines/sci/engine/vm.cpp:897
#11 0x0000000000532ea2 in Sci::invokeSelector (s=0x33c82c0, object=..., selectorId=106, k_argc=4, k_argp=0x33fd840, argc=2, argv=0x33fd848)
    at ../engines/sci/engine/selector.cpp:291
#12 0x00000000004fe6a3 in Sci::kListEachElementDo (s=0x33c82c0, argc=4, argv=0x33fd840) at ../engines/sci/engine/klists.cpp:620
#13 0x000000000053fe95 in Sci::callKernelFunc (s=0x33c82c0, kernelCallNr=90, argc=4) at ../engines/sci/engine/vm.cpp:377
#14 0x0000000000541fe4 in Sci::run_vm (s=0x33c82c0) at ../engines/sci/engine/vm.cpp:897
#15 0x00000000004e2fa8 in Sci::SciEngine::runGame (this=0x308b500) at ../engines/sci/sci.cpp:682
#16 0x00000000004e1c3d in Sci::SciEngine::run (this=0x308b500) at ../engines/sci/sci.cpp:453
#17 0x000000000040de2e in runGame (plugin=0xd695f0, system=..., edebuglevels="") at ../base/main.cpp:263
#18 0x000000000040f026 in scummvm_main (argc=1, argv=0x7fffffffe878) at ../base/main.cpp:529
#19 0x000000000040c151 in main (argc=1, argv=0x7fffffffe878) at ../backends/platform/sdl/posix/posix-main.cpp:45

Attachments (3)

Capture d'écran de 2017-06-17 08-03-32.png (81.9 KB ) - added by bgK 7 years ago.
Crashed ScummVM
pq4-katherine-btfull.txt (8.7 KB ) - added by bgK 7 years ago.
backtrace with variables
pq4-cd-fr.031 (55.6 KB ) - added by bgK 7 years ago.
Save (French version)


Change History (6)

by bgK, 7 years ago

Crashed ScummVM

by bgK, 7 years ago

Attachment: pq4-katherine-btfull.txt added

backtrace with variables

by bgK, 7 years ago

Attachment: pq4-cd-fr.031 added

Save (French version)

comment:1 by wjp, 7 years ago

This is the same crash as #9761 probably.

comment:2 by wjp, 7 years ago

Summary: changed from "SCI: PQ4: Sci::READER_Compressed::getRow(): Assertion `y >= 0 && y < _sourceHeight' failed" to "SCI: PQ4: kIsOnMe out of bounds read"

comment:3 by csnover, 7 years ago

Owner: set to csnover
Resolution: fixed
Status: changed from new to closed

Thanks for your report! A patch for this issue has been added in commit 832cd25ef1a5cd2dc9cb8062f043fb402dab6ed7 and will be available in daily builds 1.10.0git-3476 and later.
