Opened 7 years ago
Closed 7 years ago
#10236 closed defect (fixed)
TITANIC: use-after-free in QSoundManager on engine shutdown
| Reported by: | csnover | Owned by: | dreammaster |
|---|---|---|---|
| Priority: | normal | Component: | Engine: Titanic |
| Version: | | Keywords: | |
| Cc: | | Game: | Starship Titanic |
Description
RTL from top of the well causes double-free.
```
#5 0x00000001003a7245 in Titanic::CWaveFile::~CWaveFile() at scummvm/engines/titanic/sound/wave_file.cpp:76
#6 0x00000001003a7425 in Titanic::CWaveFile::~CWaveFile() at scummvm/engines/titanic/sound/wave_file.cpp:74
#7 0x00000001003834bd in Titanic::QMixer::ChannelEntry::~ChannelEntry() at scummvm/engines/titanic/sound/qmixer.cpp:246
#8 0x0000000100383595 in Titanic::QMixer::ChannelEntry::~ChannelEntry() at scummvm/engines/titanic/sound/qmixer.cpp:244
#9 0x0000000100383afb in Common::Array<Titanic::QMixer::ChannelEntry>::freeStorage(Titanic::QMixer::ChannelEntry*, unsigned int) at scummvm/./common/array.h:318
#10 0x000000010037f036 in Common::Array<Titanic::QMixer::ChannelEntry>::clear() at scummvm/./common/array.h:217
#11 0x000000010037f67c in Titanic::QMixer::qsWaveMixCloseSession() at scummvm/engines/titanic/sound/qmixer.cpp:60
#12 0x0000000100396be9 in Titanic::QSoundManager::~QSoundManager() at scummvm/engines/titanic/sound/sound_manager.cpp:119
#13 0x0000000100396c95 in Titanic::QSoundManager::~QSoundManager() at scummvm/engines/titanic/sound/sound_manager.cpp:117
#14 0x000000010058f123 in Titanic::CSound::~CSound() at scummvm/engines/titanic/sound/sound.h:60
#15 0x00000001005885c5 in Titanic::CSound::~CSound() at scummvm/engines/titanic/sound/sound.h:60
#16 0x000000010058824b in Titanic::CGameManager::~CGameManager() at scummvm/engines/titanic/game_manager.cpp:56
#17 0x0000000100588625 in Titanic::CGameManager::~CGameManager() at scummvm/engines/titanic/game_manager.cpp:50
#18 0x000000010059cf77 in Titanic::CMainGameWindow::~CMainGameWindow() at scummvm/engines/titanic/main_game_window.cpp:53
#19 0x000000010059d065 in Titanic::CMainGameWindow::~CMainGameWindow() at scummvm/engines/titanic/main_game_window.cpp:51
#20 0x000000010059d089 in Titanic::CMainGameWindow::~CMainGameWindow() at scummvm/engines/titanic/main_game_window.cpp:51
#21 0x00000001005a7fab in Titanic::TitanicEngine::deinitialize() at scummvm/engines/titanic/titanic.cpp:134
#22 0x00000001005a82ab in Titanic::TitanicEngine::run() at scummvm/engines/titanic/titanic.cpp:160
#23 0x00000001008c9251 in runGame(PluginSubclass<MetaEngine> const*, OSystem&, Common::String const&) at scummvm/base/main.cpp:263
```
Memory already deallocated at:
```
#1 0x00000001003834c5 in Titanic::QMixer::ChannelEntry::~ChannelEntry() at scummvm/engines/titanic/sound/qmixer.cpp:246
#2 0x0000000100383594 in Titanic::QMixer::ChannelEntry::~ChannelEntry() at scummvm/engines/titanic/sound/qmixer.cpp:244
#3 0x0000000100383afa in Common::Array<Titanic::QMixer::ChannelEntry>::freeStorage(Titanic::QMixer::ChannelEntry*, unsigned int) at scummvm/./common/array.h:318
#4 0x000000010037f035 in Common::Array<Titanic::QMixer::ChannelEntry>::clear() at scummvm/./common/array.h:217
#5 0x000000010037f67b in Titanic::QMixer::qsWaveMixCloseSession() at scummvm/engines/titanic/sound/qmixer.cpp:60
#6 0x0000000100396be8 in Titanic::QSoundManager::~QSoundManager() at scummvm/engines/titanic/sound/sound_manager.cpp:119
#7 0x0000000100396c94 in Titanic::QSoundManager::~QSoundManager() at scummvm/engines/titanic/sound/sound_manager.cpp:117
#8 0x000000010058f122 in Titanic::CSound::~CSound() at scummvm/engines/titanic/sound/sound.h:60
#9 0x00000001005885c4 in Titanic::CSound::~CSound() at scummvm/engines/titanic/sound/sound.h:60
#10 0x000000010058824a in Titanic::CGameManager::~CGameManager() at scummvm/engines/titanic/game_manager.cpp:56
#11 0x0000000100588624 in Titanic::CGameManager::~CGameManager() at scummvm/engines/titanic/game_manager.cpp:50
#12 0x000000010059cf76 in Titanic::CMainGameWindow::~CMainGameWindow() at scummvm/engines/titanic/main_game_window.cpp:53
#13 0x000000010059d064 in Titanic::CMainGameWindow::~CMainGameWindow() at scummvm/engines/titanic/main_game_window.cpp:51
#14 0x000000010059d088 in Titanic::CMainGameWindow::~CMainGameWindow() at scummvm/engines/titanic/main_game_window.cpp:51
#15 0x00000001005a7faa in Titanic::TitanicEngine::deinitialize() at scummvm/engines/titanic/titanic.cpp:134
#16 0x00000001005a82aa in Titanic::TitanicEngine::run() at scummvm/engines/titanic/titanic.cpp:160
#17 0x00000001008c9250 in runGame(PluginSubclass<MetaEngine> const*, OSystem&, Common::String const&) at scummvm/base/main.cpp:263
```
Memory allocated by:
```
#1 0x0000000100396e37 in Titanic::QSoundManager::loadSound(Titanic::CString const&) at scummvm/engines/titanic/sound/sound_manager.cpp:123
#2 0x0000000100390759 in Titanic::CSound::loadSound(Titanic::CString const&) at scummvm/engines/titanic/sound/sound.cpp:138
#3 0x0000000100390bca in Titanic::CSound::playSound(Titanic::CString const&, Titanic::CProximity&) at scummvm/engines/titanic/sound/sound.cpp:158
#4 0x000000010005964a in Titanic::CGameObject::playSound(Titanic::CString const&, Titanic::CProximity&) at scummvm/engines/titanic/core/game_object.cpp:804
#5 0x000000010036049c in Titanic::CAutoSoundPlayer::TurnOn(Titanic::CTurnOn*) at scummvm/engines/titanic/sound/auto_sound_player.cpp:81
#6 0x0000000100266d93 in Titanic::CMessage::perform(Titanic::CTreeItem*) at scummvm/engines/titanic/messages/messages.cpp:107
#7 0x00000001002660ce in Titanic::CMessage::execute(Titanic::CTreeItem*, Titanic::ClassDef const*, int) at scummvm/engines/titanic/messages/messages.cpp:60
#8 0x0000000100386ffb in Titanic::CRoomAutoSoundPlayer::EnterRoomMsg(Titanic::CEnterRoomMsg*) at scummvm/engines/titanic/sound/room_auto_sound_player.cpp:46
#9 0x0000000100266d93 in Titanic::CMessage::perform(Titanic::CTreeItem*) at scummvm/engines/titanic/messages/messages.cpp:107
#10 0x00000001002660ce in Titanic::CMessage::execute(Titanic::CTreeItem*, Titanic::ClassDef const*, int) at scummvm/engines/titanic/messages/messages.cpp:60
#11 0x0000000100117af2 in Titanic::CViewItem::enterView(Titanic::CViewItem*) at scummvm/engines/titanic/core/view_item.cpp:163
#12 0x0000000100593e43 in Titanic::CGameState::changeView(Titanic::CViewItem*, Titanic::CMovieClip*) at scummvm/engines/titanic/game_state.cpp:153
#13 0x0000000100084328 in Titanic::CProjectItem::changeView(Titanic::CString const&, Titanic::CString const&) at scummvm/engines/titanic/core/project_item.cpp:655
#14 0x0000000100060967 in Titanic::CGameObject::changeView(Titanic::CString const&) at scummvm/engines/titanic/core/game_object.cpp:1219
#15 0x000000010027e436 in Titanic::CRestrictedMove::MouseButtonDownMsg(Titanic::CMouseButtonDownMsg*) at scummvm/engines/titanic/moves/restricted_move.cpp:54
#16 0x0000000100266d93 in Titanic::CMessage::perform(Titanic::CTreeItem*) at scummvm/engines/titanic/messages/messages.cpp:107
#17 0x00000001002660ce in Titanic::CMessage::execute(Titanic::CTreeItem*, Titanic::ClassDef const*, int) at scummvm/engines/titanic/messages/messages.cpp:60
#18 0x0000000100118d9f in Titanic::CViewItem::handleMouseMsg(Titanic::CMouseMsg*, bool) at scummvm/engines/titanic/core/view_item.cpp:295
#19 0x00000001001139b1 in Titanic::CViewItem::MouseButtonDownMsg(Titanic::CMouseButtonDownMsg*) at scummvm/engines/titanic/core/view_item.cpp:190
#20 0x0000000100266d93 in Titanic::CMessage::perform(Titanic::CTreeItem*) at scummvm/engines/titanic/messages/messages.cpp:107
#21 0x00000001002660ce in Titanic::CMessage::execute(Titanic::CTreeItem*, Titanic::ClassDef const*, int) at scummvm/engines/titanic/messages/messages.cpp:60
#22 0x00000001005993a1 in Titanic::CInputHandler::dispatchMessage(Titanic::CMessage*) at scummvm/engines/titanic/input_handler.cpp:156
#23 0x0000000100597992 in Titanic::CInputHandler::processMessage(Titanic::CMessage*) at scummvm/engines/titanic/input_handler.cpp:84
#24 0x00000001005974f6 in Titanic::CInputHandler::handleMessage(Titanic::CMessage&, bool) at scummvm/engines/titanic/input_handler.cpp:72
#25 0x000000010059a4a1 in Titanic::CInputTranslator::leftButtonDown(int, Common::Point const&) at scummvm/engines/titanic/input_translator.cpp:55
#26 0x00000001005a0e6a in Titanic::CMainGameWindow::leftButtonDown(Common::Point const&) at scummvm/engines/titanic/main_game_window.cpp:294
#27 0x0000000100581b72 in Titanic::Events::pollEvents() at scummvm/engines/titanic/events.cpp:61
#28 0x000000010058357f in Titanic::Events::pollEventsAndWait() at scummvm/engines/titanic/events.cpp:112
#29 0x00000001005a829c in Titanic::TitanicEngine::run() at scummvm/engines/titanic/titanic.cpp:157
```
Build 1.10.0git-5034-ge816841e8e
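The traces above show one CWaveFile with two destructors that delete it: the QMixer::ChannelEntry torn down by qsWaveMixCloseSession(), and the QSoundManager that allocated it in loadSound(). The following is an added C++ model of that ownership split and of the single-owner arrangement that prevents the double free; it is not ScummVM code, and the names WaveFile, Mixer, SoundManager and destroyedAfterShutdown are hypothetical stand-ins. A destruction counter checks that shutdown frees each loaded file exactly once.

```cpp
#include <memory>
#include <vector>

// Added example, not ScummVM code. Model of the ownership bug in this ticket:
// the manager allocates each wave file, the mixer's channel entry also deleted
// it, so shutdown freed it twice. Fix: one owner, borrowed pointers elsewhere.
static int g_waveFilesDestroyed = 0;  // instrumentation: counts ~WaveFile calls

struct WaveFile {
    explicit WaveFile(int id) : id(id) {}
    ~WaveFile() { ++g_waveFilesDestroyed; }
    int id;
};

class Mixer {  // hypothetical stand-in for QMixer
public:
    struct ChannelEntry {
        explicit ChannelEntry(WaveFile *wf) : waveFile(wf) {}
        WaveFile *waveFile;  // non-owning: no delete in ~ChannelEntry
    };
    void openChannel(WaveFile *wf) { _channels.emplace_back(wf); }
    void closeSession() { _channels.clear(); }  // drops references only
private:
    std::vector<ChannelEntry> _channels;
};

class SoundManager {  // hypothetical stand-in for QSoundManager
public:
    ~SoundManager() { _mixer.closeSession(); }  // stop playback before owners die
    WaveFile *loadSound(int id) {
        _sounds.push_back(std::unique_ptr<WaveFile>(new WaveFile(id)));
        return _sounds.back().get();  // caller borrows; manager keeps ownership
    }
    void playSound(int id) { _mixer.openChannel(loadSound(id)); }
private:
    Mixer _mixer;
    std::vector<std::unique_ptr<WaveFile>> _sounds;  // single owner of every file
};

// Simulates run() followed by deinitialize(); returns how many WaveFile
// destructors ran, which must equal the number loaded (each freed exactly once).
int destroyedAfterShutdown(int sounds) {
    g_waveFilesDestroyed = 0;
    {
        SoundManager mgr;
        for (int i = 0; i < sounds; ++i) mgr.playSound(i);
    }  // ~SoundManager: closeSession() first, then the unique_ptrs free each file
    return g_waveFilesDestroyed;
}
```

Building a change like this with AddressSanitizer and running the shutdown path is the practical check: a remaining double free reports the "freed by" and "previously allocated by" stacks in the same form as the traces in this ticket.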
Change History (1)
comment:1 by , 7 years ago
| Owner: | set to |
|---|---|
| Resolution: | → fixed |
| Status: | new → closed |
This should be all resolved by the prior commit fixing freeing wave files.