Doomworld Forums : Powered by vBulletin version 2.2.5 Doomworld Forums > Classic Doom > Source Ports > Overflow bug causing load game crash in Wiidoom
 
Joe Durnavich
Registered just to make one post


Posts: 1
Registered: 09-13


I'm posting this in case it saves someone else some trouble. I think this may be an old bug that has been there since the beginning.

I downloaded and compiled the source to WiiDoom, which is a Nintendo Wii port of PrBoom. When I tried to load a previously saved game, it would cause a DSI code dump.

The g_game.c file uses a savebuffer pointer to point to the allocated memory space of the loaded save game file. Something was stomping on the first byte of the pointer -- not what it pointed to, but the address in the pointer variable itself. So, in my case savebuffer started out containing an address value of 0x809E7C78, but by the time Z_Free was called on it to free the memory, the value was 0x009E7C78. Something zeroed out the first byte, and the pointer no longer pointed to valid memory.

The problem seems to be caused by a memset of mousebuttons. In the declarations in g_game.c:

static bool mousearray[4];
static bool *mousebuttons = &mousearray[1]; // allow [-1]

Notice that mousebuttons points one position into mousearray. But in G_DoLoadLevel(), it is zeroed out with a memset:

memset (mousebuttons, 0, sizeof(mousebuttons));

This memset clears 4 bytes of memory, and because it is starting one byte in to the 4-byte mousearray, it overwrites the first byte of whatever field follows mousearray. Looking at the linker map, in my case, that was the savebuffer pointer.

The memset should clear out the mousearray itself and not the mousebuttons pointer to it (and joyarray, which is a similar arrangement, but won't overflow because the array length is 13):

memset (mousearray, 0, sizeof(mousearray));
memset (joyarray, 0, sizeof(joyarray));

Old Post 09-06-13 23:45 #
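As an added illustration (not code from WiiDoom or PrBoom, and not part of the post above), here is a small C model of the two memset patterns the post describes, run side by side. The struct is a constructed stand-in for the g_game.c layout the poster saw in his linker map (mousearray immediately followed by savebuffer, then joyarray); it is packed so that the adjacency holds on any host, which is an assumption of this model. The joybuttons memset is modelled on the mousebuttons one, since the post says the arrangement is similar but only shows the mouse line. Every byte is poisoned to 0xFF first, so any zero found afterwards was written by the memset under test; the report functions return counts rather than addresses so the effect is visible regardless of pointer width (4 bytes on the Wii, where exactly one byte of savebuffer is hit, 8 on a typical 64-bit host, where five are).

```c
/* Added example, not code from WiiDoom or PrBoom: a self-contained model of
 * the memset described in the post above.  The struct is a constructed stand-in
 * for the g_game.c layout (mousearray followed by savebuffer); it is packed so
 * that adjacency holds on any host, which is an assumption of this model. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

struct __attribute__((packed)) g_game_data {
    bool  mousearray[4];
    void *savebuffer;      /* the neighbour that gets stomped in the post */
    bool  joyarray[13];
};

struct clear_report {
    size_t mouse_bytes_zeroed;      /* out of 4; should be 4 */
    size_t savebuffer_bytes_zeroed; /* should be 0 */
    size_t joy_bytes_zeroed;        /* out of 13; should be 13 */
};

static size_t count_zero_bytes(const void *p, size_t n)
{
    const unsigned char *b = p;
    size_t zeros = 0;
    for (size_t i = 0; i < n; i++)
        zeros += (b[i] == 0);
    return zeros;
}

/* Fill every byte with 0xFF so any zero found afterwards was written by the
 * memset under test.  Bytes are only ever read back as unsigned char. */
static void poison(struct g_game_data *d)
{
    memset(d, 0xFF, sizeof *d);
}

static struct clear_report inspect(const struct g_game_data *d)
{
    struct clear_report r;
    r.mouse_bytes_zeroed      = count_zero_bytes(d->mousearray, sizeof d->mousearray);
    r.savebuffer_bytes_zeroed = count_zero_bytes(&d->savebuffer, sizeof d->savebuffer);
    r.joy_bytes_zeroed        = count_zero_bytes(d->joyarray, sizeof d->joyarray);
    return r;
}

/* The pattern quoted in the post: the pointer starts at element [1] and the
 * length is sizeof(pointer), not sizeof(array). */
struct clear_report clear_buggy(void)
{
    struct g_game_data d;
    bool *mousebuttons = &d.mousearray[1];   /* allow [-1], as in g_game.c */
    bool *joybuttons   = &d.joyarray[1];     /* modelled on the mouse case (assumption) */
    size_t mouse_len = sizeof mousebuttons;  /* a pointer's size: 4 on Wii, 8 on a 64-bit host */
    size_t joy_len   = sizeof joybuttons;

    poison(&d);
    memset(mousebuttons, 0, mouse_len);  /* 3 bytes of mousearray, the rest lands on savebuffer */
    memset(joybuttons, 0, joy_len);      /* stays inside joyarray, but leaves most of it uncleared */
    return inspect(&d);
}

/* The fix proposed in the post: start at the array and size by the array. */
struct clear_report clear_fixed(void)
{
    struct g_game_data d;
    poison(&d);
    memset(d.mousearray, 0, sizeof d.mousearray);
    memset(d.joyarray, 0, sizeof d.joyarray);
    return inspect(&d);
}

static void print_report(const char *label, struct clear_report r)
{
    printf("%-6s mousearray %zu/4 zeroed, savebuffer %zu/%zu zeroed, joyarray %zu/13 zeroed\n",
           label, r.mouse_bytes_zeroed, r.savebuffer_bytes_zeroed, sizeof(void *),
           r.joy_bytes_zeroed);
}

int main(void)
{
    print_report("buggy:", clear_buggy());
    print_report("fixed:", clear_fixed());
    return 0;
}
```

Two things the counts make visible that the crash alone does not: the buggy version never clears mousearray[0] (the [-1] slot the offset pointer exists to provide), and the overrun into the neighbour is sizeof(void *) - 3 bytes, so the same line does more damage on a 64-bit build than on the Wii. Compilers warn about sizeof applied to a pointer passed to memset (GCC's -Wsizeof-pointer-memaccess), which is one way to catch this class of bug before it reaches a linker map.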