TITANIC: heap use-after-free loading a save game during TrueTalk video playback

[csnover]

Build: 6fac0ace2c844aa68c2482362021981ed1db931b + PR 975, macOS 10.11, SDL 2.0.5, ASan on

Reproduction:

1. Load attached save game
2. Click on Marsinta
3. Change PET to settings panel
4. Click load game icon in settings panel
5. Highlight save game to load (any game is fine)
6. Wait until “Welcome guest number…”
7. Click Load button to load save game

Expected: No memory bug
Actual: Memory bug

Backtrace:

#6	0x00000001002c42d6 in Titanic::TTtalker::endSpeech(int) at scummvm/engines/titanic/true_talk/tt_talker.cpp:49
#7	0x00000001001dad70 in Titanic::QSoundManagerSounds::flushChannel(int) at scummvm/engines/titanic/sound/sound_manager.cpp:60
#8	0x00000001001dc5dd in Titanic::QSoundManager::stopAllChannels() at scummvm/engines/titanic/sound/sound_manager.cpp:240
#9	0x00000001001d84f8 in Titanic::CSound::preLoad() at scummvm/engines/titanic/sound/sound.cpp:43
#10	0x000000010003d29b in Titanic::CProjectItem::preLoad() at scummvm/engines/titanic/core/project_item.cpp:324
#11	0x000000010003ccb8 in Titanic::CProjectItem::loadGame(int) at scummvm/engines/titanic/core/project_item.cpp:173
#12	0x00000001002df561 in Titanic::CMainGameWindow::draw() at scummvm/engines/titanic/main_game_window.cpp:158
#13	0x00000001002d58e2 in Titanic::CGameManager::update() at scummvm/engines/titanic/game_manager.cpp:203
#14	0x00000001002d1766 in Titanic::Events::pollEvents() at scummvm/engines/titanic/events.cpp:103
#15	0x00000001002d20a1 in Titanic::Events::pollEventsAndWait() at scummvm/engines/titanic/events.cpp:109
#16	0x00000001002e571d in Titanic::TitanicEngine::run() at scummvm/engines/titanic/titanic.cpp:144
#17	0x000000010047ecf7 in runGame(PluginSubclass<MetaEngine> const*, OSystem&, Common::String const&) [inlined] at scummvm/base/main.cpp:263
#18	0x000000010047eb14 in ::scummvm_main(int, const char *const *) at scummvm/base/main.cpp:529
#19	0x000000010045052a in main at scummvm/backends/platform/sdl/macosx/macosx-main.cpp:45

ASan report:

Memory deallocated at (1)#0	0x000000010129e87b in wrap__ZdlPv ()
#1	0x000000010029593b in Titanic::CTrueTalkManager::preLoad() at scummvm/engines/titanic/true_talk/true_talk_manager.cpp:205
#2	0x00000001002d4140 in Titanic::CGameManager::preLoad() at scummvm/engines/titanic/game_manager.cpp:84
#3	0x000000010003d29a in Titanic::CProjectItem::preLoad() at scummvm/engines/titanic/core/project_item.cpp:324
#4	0x000000010003ccb7 in Titanic::CProjectItem::loadGame(int) at scummvm/engines/titanic/core/project_item.cpp:173
#5	0x00000001002df560 in Titanic::CMainGameWindow::draw() at scummvm/engines/titanic/main_game_window.cpp:158
#6	0x00000001002d58e1 in Titanic::CGameManager::update() at scummvm/engines/titanic/game_manager.cpp:203
#7	0x00000001002d1765 in Titanic::Events::pollEvents() at scummvm/engines/titanic/events.cpp:103
#8	0x00000001002d20a0 in Titanic::Events::pollEventsAndWait() at scummvm/engines/titanic/events.cpp:109
#9	0x00000001002e571c in Titanic::TitanicEngine::run() at scummvm/engines/titanic/titanic.cpp:144
#10	0x000000010047ecf6 in runGame(PluginSubclass<MetaEngine> const*, OSystem&, Common::String const&) [inlined] at scummvm/base/main.cpp:263
#11	0x000000010047eb14 in ::scummvm_main(int, const char *const *) at scummvm/base/main.cpp:529
#12	0x0000000100450529 in main at scummvm/backends/platform/sdl/macosx/macosx-main.cpp:45
#13	0x00007fff9b7b05ac in tlv_get_addr ()
#14	0x0000000000000002 in 0x00000002 ()

Memory allocated at (1)#0	0x000000010129e2bb in wrap__Znwm ()
#1	0x0000000100296236 in Titanic::CTrueTalkManager::setDialogue(Titanic::CTrueTalkNPC*, Titanic::TTroomScript*, Titanic::CViewItem*) at scummvm/engines/titanic/true_talk/true_talk_manager.cpp:351
#2	0x0000000100033b59 in Titanic::CGameObject::setTalking(Titanic::CTrueTalkNPC*, bool, Titanic::CViewItem*) at scummvm/engines/titanic/core/game_object.cpp:1670
#3	0x000000010016505f in Titanic::CDeskbot::MovieEndMsg(Titanic::CMovieEndMsg*) at scummvm/engines/titanic/npcs/deskbot.cpp:151
#4	0x00000001001443a0 in Titanic::CMessage::perform(Titanic::CTreeItem*) at scummvm/engines/titanic/messages/messages.cpp:105
#5	0x0000000100143ef3 in Titanic::CMessage::execute(Titanic::CTreeItem*, Titanic::ClassDef const*, int) at scummvm/engines/titanic/messages/messages.cpp:58
#6	0x00000001002d5fe3 in Titanic::CGameManager::updateMovies() at scummvm/engines/titanic/game_manager.cpp:241
#7	0x00000001002d54ea in Titanic::CGameManager::update() at scummvm/engines/titanic/game_manager.cpp:167
#8	0x00000001002dfef8 in Titanic::CMainGameWindow::onIdle() at scummvm/engines/titanic/main_game_window.cpp:248
#9	0x00000001002d1e04 in Titanic::Events::checkForNextFrameCounter() at scummvm/engines/titanic/events.cpp:139
#10	0x00000001002d0dff in Titanic::Events::pollEvents() at scummvm/engines/titanic/events.cpp:41
#11	0x00000001002d20a0 in Titanic::Events::pollEventsAndWait() at scummvm/engines/titanic/events.cpp:109
#12	0x00000001002e571c in Titanic::TitanicEngine::run() at scummvm/engines/titanic/titanic.cpp:144
#13	0x000000010047ecf6 in runGame(PluginSubclass<MetaEngine> const*, OSystem&, Common::String const&) [inlined] at scummvm/base/main.cpp:263
#14	0x000000010047eb14 in ::scummvm_main(int, const char *const *) at scummvm/base/main.cpp:529
#15	0x0000000100450529 in main at scummvm/backends/platform/sdl/macosx/macosx-main.cpp:45
#16	0x00007fff9b7b05ac in tlv_get_addr ()
#17	0x0000000000000002 in 0x00000002 ()

[csnover]

This can happen for TrueTalk speech without video, too, like if you try to load a game while the parrot is following you around and speaking.

[hamakei]

This doesn't happen in the Debian build....the game loads correctly. The only glitch is that the graphics don't update correctly, but if you click on Marsinta the dialogue and video start from "Welcome..." again.