Opened 3 years ago
Closed 3 years ago
#12856 closed defect (fixed)
SUPERNOVA: Buffer overflow when speaking to NPC in Palace of Culture
| Reported by: | criezy | Owned by: | criezy |
|---|---|---|---|
| Priority: | normal | Component: | Engine: Supernova |
| Version: | Keywords: | ||
| Cc: | Game: | Mission Supernova Teil 2: Der Doppelgänger |
Description (last modified by )
Here is the information provided by Address Sanitizer:
==33230==ERROR: AddressSanitizer: global-buffer-overflow on address 0x00010caab00c at pc 0x000106112584 bp 0x00016fa6a390 sp 0x00016fa6a388
READ of size 4 at 0x00010caab00c thread T0
#0 0x106112580 in Supernova::GameManager::dialog(int, unsigned char*, int*, int) game-manager.cpp:642
#1 0x1060b5410 in Supernova::CulturePalace::interact(Supernova::Action, Supernova::Object&, Supernova::Object&)+0x328 (scummvm:arm64+0x105d25410)
#2 0x106141c38 in Supernova::GameManager2::handleInput()+0x5c0 (scummvm:arm64+0x105db1c38)
#3 0x106143634 in Supernova::GameManager2::executeRoom()+0x448 (scummvm:arm64+0x105db3634)
#4 0x10614df98 in Supernova::SupernovaEngine::run() supernova.cpp:118
#5 0x10040e990 in runGame(Plugin const*, Plugin const*, OSystem&, Common::String const&) main.cpp:311
#6 0x100409a54 in scummvm_main main.cpp:618
#7 0x1004010d0 in main macosx-main.cpp:45
#8 0x18b09d42c in start+0x0 (libdyld.dylib:arm64e+0x1842c)
0x00010caab00c is located 52 bytes to the left of global variable 'dials1' defined in 'engines/supernova/supernova2/rooms.cpp:844:14' (0x10caab040) of size 3
0x00010caab00c is located 0 bytes to the right of global variable 'dial1' defined in 'engines/supernova/supernova2/rooms.cpp:839:13' (0x10caab000) of size 12
This is on a Mac M1 with current master (18ee050adf).
To reproduce load the attached save game and talk to the NPC.
Attachments (1)
Change History (4)
by , 3 years ago
| Attachment: | ms2_save.010 added |
|---|
comment:1 by , 3 years ago
| Description: | modified (diff) |
|---|---|
| Summary: | SUPERNOVA: Buffer overflow when speaking to NPC in Palae of Culture → SUPERNOVA: Buffer overflow when speaking to NPC in Palace of Culture |
comment:2 by , 3 years ago
| Owner: | set to |
|---|---|
| Resolution: | → assigned |
| Status: | new → pending |
comment:3 by , 3 years ago
| Resolution: | assigned → fixed |
|---|---|
| Status: | pending → closed |
Both occurrences of the issue are now fixed.
Note:
See TracTickets
for help on using tickets.
This one was a bug in the original:
static char *dial_kp1[4] = { "Ich bin's, Horst Hummel!", "Schönes Wetter heute!", "Können Sie mir sagen, von wem ich eine Eintrittskarte" "für den Musikwettbewerb kriegen kann?" }; static char dialz_kp1[3] = {1,1,2};This is the dialog options. The second array indicates that there are three options, the first two use one row each, and the third one uses 2 rows. The first array should contain those four rows of text, but because of a missing coma only contains three rows of text.
The original still specify the array as having 4 elements, but in ScummVM we changed it to 3 elements and we get the buffer overflow when it tries to access the 4rth.
The
kStringTellTicketstring should be split into two strings to properly fix the issue. The buffer overflow itself can be fixed by changing the second array to specify only one row for the last option. In English the text actually fit on one row (but just barely). However in german it is truncated.The same original bug (missing coma) also happened in another place, but there our code was already changed to specify a single row. However it is also missing another sentence... So we have a different bug (and still a buffer overflow). That other issue is with the
dialBoss2array inElevator2::jobDescription().