CINE: FW: Game crashes during intro with MT-32 music

[eriktorbjorn]

Playing the DOS non-CD version of Future Wars with MT-32 emulation, the game crashes during the intro when the bucket falls over. This is the final readable part of the backtrace:

#7  0x00005555582e2d3e in SdlMutexManager::unlockMutex(OpaqueMutex*)
    (this=0x0, mutex=0xffffffff5a6eb960) at backends/mutex/sdl/sdl-mutex.cpp:40
#8  0x00005555560edbef in Cine::MidiSoundDriverH32::playSample(unsigned char const*, int, int, int)
    (this=0x55555a6eb930, data=0x55555b141cd0 "\200seau__75  \b\b\017", size=0, channel=0, volume=80) at engines/cine/sound.cpp:771
#9  0x00005555560ef878 in Cine::PCSound::playSound(int, int, unsigned char const*, int, int, int, int, int)
    (this=0x55555a6c7830, channel=0, frequency=0, data=0x55555b141cd0 "\200seau__75  \b\b\017", size=0, volumeStep=0, stepCount=0, volume=50, repeat=0)
    at engines/cine/sound.cpp:1334
#10 0x00005555560cb6b6 in Cine::FWScript::o1_playSample() (this=0x55555b148cc0)
    at engines/cine/script_fw.cpp:1905

The culprit seems to be this bit in o1_playSample():

		if (size == 0xFFFF) {
			g_sound->playSound(channel, 0, data, 0, 0, 0, volume, 0);
		} else {

I don't know what the purpose of this is, playing a 0-byte sound effect at 0 Hz, but when it gets to MidiSoundDriverH32::playSample() it subtracts 1 from size before passing it on to writeInstrument(). There it uses MIN(246, size) for copySize, getting -1, which is then passed as the size parameter to memcpy(). That parameter is a size_t, which is apparently unsigned. When -1 is cast to unsigned it becomes something very large instead. Much larger than the 254-byte buffer it's copying to.

[karisal]

Confirmed.

[karisal]

Fix awaiting merging in ​this pull request.