Opened 3 years ago

Closed 3 years ago

#12856 closed defect (fixed)

SUPERNOVA: Buffer overflow when speaking to NPC in Palace of Culture

Reported by: criezy Owned by: criezy
Priority: normal Component: Engine: Supernova
Version: Keywords:
Cc: Game: Mission Supernova Teil 2: Der Doppelgänger

Description (last modified by criezy)

Here is the information provided by Address Sanitizer:

==33230==ERROR: AddressSanitizer: global-buffer-overflow on address 0x00010caab00c at pc 0x000106112584 bp 0x00016fa6a390 sp 0x00016fa6a388
READ of size 4 at 0x00010caab00c thread T0
    #0 0x106112580 in Supernova::GameManager::dialog(int, unsigned char*, int*, int) game-manager.cpp:642
    #1 0x1060b5410 in Supernova::CulturePalace::interact(Supernova::Action, Supernova::Object&, Supernova::Object&)+0x328 (scummvm:arm64+0x105d25410)
    #2 0x106141c38 in Supernova::GameManager2::handleInput()+0x5c0 (scummvm:arm64+0x105db1c38)
    #3 0x106143634 in Supernova::GameManager2::executeRoom()+0x448 (scummvm:arm64+0x105db3634)
    #4 0x10614df98 in Supernova::SupernovaEngine::run() supernova.cpp:118
    #5 0x10040e990 in runGame(Plugin const*, Plugin const*, OSystem&, Common::String const&) main.cpp:311
    #6 0x100409a54 in scummvm_main main.cpp:618
    #7 0x1004010d0 in main macosx-main.cpp:45
    #8 0x18b09d42c in start+0x0 (libdyld.dylib:arm64e+0x1842c)

0x00010caab00c is located 52 bytes to the left of global variable 'dials1' defined in 'engines/supernova/supernova2/rooms.cpp:844:14' (0x10caab040) of size 3
0x00010caab00c is located 0 bytes to the right of global variable 'dial1' defined in 'engines/supernova/supernova2/rooms.cpp:839:13' (0x10caab000) of size 12

This is on a Mac M1 with current master (18ee050adf).

To reproduce load the attached save game and talk to the NPC.

Attachments (1)

ms2_save.010 (9.8 KB) - added by criezy 3 years ago.


Change History (4)

by criezy, 3 years ago

Attachment: ms2_save.010 added

comment:1 by criezy, 3 years ago

Description: modified (diff)
Summary: SUPERNOVA: Buffer overflow when speaking to NPC in Palae of Culture → SUPERNOVA: Buffer overflow when speaking to NPC in Palace of Culture

comment:2 by criezy, 3 years ago

Owner: set to criezy
Resolution: assigned
Status: new → pending

This one was a bug in the original:

static char *dial_kp1[4] =
  {
    "Ich bin's, Horst Hummel!",
    "Schönes Wetter heute!",
    "Können Sie mir sagen, von wem ich eine Eintrittskarte"   /* missing comma: the two literals are concatenated into one row */
    "für den Musikwettbewerb kriegen kann?"
  };
static char dialz_kp1[3] = {1,1,2};   /* rows used by each of the three options */

These are the dialog options. The second array indicates that there are three options: the first two use one row each, and the third one uses 2 rows. The first array should contain those four rows of text, but because of a missing comma it only contains three rows of text.

The original still specifies the array as having 4 elements, but in ScummVM we changed it to 3 elements, and we get the buffer overflow when it tries to access the 4th.

The kStringTellTicket string should be split into two strings to properly fix the issue. The buffer overflow itself can be fixed by changing the second array to specify only one row for the last option. In English the text actually fits on one row (but just barely). However, in German it is truncated.

The same original bug (missing comma) also happened in another place, but there our code was already changed to specify a single row. However, it is also missing another sentence... So we have a different bug (and still a buffer overflow). That other issue is with the dialBoss2 array in Elevator2::jobDescription().

Last edited 3 years ago by criezy (previous) (diff)
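As an added example (not code from the ticket or from ScummVM), the two tables from the comment above alongside a consistency check and a bounds-checked accessor that surface the row-count mismatch at load time instead of as an out-of-bounds read; dial_kp1_fixed, rows_expected, dialog_tables_consistent and dialog_row are constructed names.

```c
#include <stddef.h>
#include <stdio.h>

/* Row texts laid out as in the ticket. The missing comma after the third
 * literal fuses it with the fourth, so the array holds three rows although
 * the option table below asks for four. Constructed example data. */
static const char *dial_kp1_buggy[] = {
    "Ich bin's, Horst Hummel!",
    "Schönes Wetter heute!",
    "Können Sie mir sagen, von wem ich eine Eintrittskarte" /* comma missing */
    "für den Musikwettbewerb kriegen kann?"
};
/* The same rows with the comma restored: four separate strings. */
static const char *dial_kp1_fixed[] = {
    "Ich bin's, Horst Hummel!",
    "Schönes Wetter heute!",
    "Können Sie mir sagen, von wem ich eine Eintrittskarte",
    "für den Musikwettbewerb kriegen kann?"
};
static const unsigned char dialz_kp1[] = {1, 1, 2}; /* rows used by each option */

#define COUNT(a) (sizeof(a) / sizeof((a)[0]))

/* Rows the option table expects the text table to hold: 1 + 1 + 2 = 4. */
static size_t rows_expected(const unsigned char *rows_per_option, size_t noptions) {
    size_t total = 0;
    for (size_t i = 0; i < noptions; i++)
        total += rows_per_option[i];
    return total;
}

/* Load-time check: 1 if the tables agree, 0 if drawing the options would
 * read past the end of the text table (the ticket's global-buffer-overflow). */
static int dialog_tables_consistent(size_t nrows, const unsigned char *rows_per_option,
                                    size_t noptions) {
    return rows_expected(rows_per_option, noptions) == nrows;
}

/* Bounds-checked row access: NULL instead of an out-of-bounds read. */
static const char *dialog_row(const char *const *rows, size_t nrows, size_t index) {
    return index < nrows ? rows[index] : NULL;
}

int main(void) {
    printf("buggy table consistent: %d\n",
           dialog_tables_consistent(COUNT(dial_kp1_buggy), dialz_kp1, COUNT(dialz_kp1)));
    printf("fixed table consistent: %d\n",
           dialog_tables_consistent(COUNT(dial_kp1_fixed), dialz_kp1, COUNT(dialz_kp1)));
    return dialog_row(dial_kp1_buggy, COUNT(dial_kp1_buggy), 3) == NULL ? 0 : 1;
}
```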

comment:3 by criezy, 3 years ago

Resolution: assigned → fixed
Status: pending → closed

Both occurrences of the issue are now fixed.
