Mantis Bug Tracker

ID: 0000593
Project: Core Inform
Category: Kinds and type checking
View Status: public
Date Submitted: 2011-03-01 19:00
Last Update: 2014-05-07 07:34
Reporter: EmacsUser
Assigned To: graham
Priority: normal
Severity: serious
Reproducibility: always
Status: closed
Resolution: fixed
Platform: x86
OS: Mac OS X
OS Version: 10.6
Product Version: 6G60
Target Version: (none)
Fixed in Version: 6L02
Summary: 0000593: RawBufferSize is not reset in INDEXED_TEXT_TY_Cast; out-of-bounds memory access is possible converting text to indexed text
Description: The attached source gives an out-of-bounds memory access when compiled for Glulx because RawBufferSize grows between INDEXED_TEXT_TY_Cast calls whereas the array at RawBufferAddress does not. Adding the line

- - - -
RawBufferSize = IT_MemoryBufferSize;
- - - -

before

- - - -
buff = RawBufferAddress + IT_cast_nesting*buffx;
- - - -

or before

- - - -
return indt;
- - - -

fixes the bug.
Minimal Source Text To Reproduce
There is a room.
To decide what text is the long string:
	decide on "xxxxxxx xxxxxxx xxxxxxx xxxxxxx xxxxxxx xxxxxxx xxxxxxx xxxxxxx xxxxxxx xxxxxxx xxxxxxx 
xxxxxxx xxxxxxx xxxxxxx xxxxxxx xxxxxxx xxxxxxx xxxxxxx xxxxxxx xxxxxxx xxxxxxx xxxxxxx xxxxxxx xxxxxxx 
xxxxxxx xxxxxxx xxxxxxx xxxxxxx xxxxxxx xxxxxxx xxxxxxx xxxxxxx xxxxxxx xxxxxxx xxxxxxx xxxxxxx xxxxxxx 
xxxxxxx xxxxxxx xxxxxxx xxxxxxx xxxxxxx xxxxxxx xxxxxxx xxxxxxx xxxxxxx xxxxxxx xxxxxxx xxxxxxx xxxxxxx 
xxxxxxx xxxxxxx xxxxxxx xxxxxxx xxxxxxx xxxxxxx xxxxxxx xxxxxxx xxxxxxx xxxxxxx xxxxxxx xxxxxxx xxxxxxx 
xxxxxxx xxxxxxx xxxxxxx xxxxxxx xxxxxxx xxxxxxx xxxxxxx xxxxxxx xxxxxxx xxxxxxx xxxxxxx xxxxxxx xxxxxxx 
xxxxxxx xxxxxxx xxxxxxx xxxxxxx xxxxxxx xxxxxxx xxxxxxx xxxxxxx xxxxxxx xxxxxxx xxxxxxx xxxxxxx xxxxxxx 
xxxxxxx xxxxxxx xxxxxxx xxxxxxx xxxxxxx xxxxxxx xxxxxxx xxxxxxx xxxxxxx xxxxxxx xxxxxxx xxxxxxx xxxxxxx 
xxxxxxx xxxxxxx xxxxxxx xxxxxxx xxxxxxx xxxxxxx xxxxxxx xxxxxxx xxxxxxx xxxxxxx xxxxxxx xxxxxxx xxxxxxx 
xxxxxxx xxxxxxx xxxxxxx xxxxxxx xxxxxxx xxxxxxx xxxxxxx xxxxxxx xxxxxxx xxxxxxx xxxxxxx xxxxxxx xxxxxxx 
abcdefg".
To decide what text is the longer string:
	decide on "[the long string][the long string][the long string][the long string]";
When play begins:
	let the conversion be indexed text;
	now the conversion is "[the longer string]";
	now the conversion is "[the longer string]".
Additional Information: We might want this in a different category.

Also, under any of the three supported Z-machine versions, the attached source provokes a flurry of warnings having this form:

- - - -
Warning: Only characters in the range 129-154 (and 252-255) are valid terminating characters
- - - -

However, I didn't report this problem as a separate bug because there seems to be no easy way to prevent the overflow when tx is a routine. Perhaps it should be split off though.
Tags: No tags attached.
Effect (serious/mild): Game compiles but misbehaves
Attached Files
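The defect described in the report, a global capacity variable (RawBufferSize) that outgrows the fixed array it is supposed to describe, as an added C model. This is illustrative code written for this page, not Inform's INDEXED_TEXT_TY_Cast or any other part of its template; the growth step (doubling RawBufferSize and working in a temporary heap area for that one call) is an assumed stand-in for whatever the real routine does, and the 32-byte array, the 80-character text and the reproduce() helper are constructed for the demonstration. The copy that would overrun the array is detected and refused rather than performed, so the program stays well-defined while still showing why the reporter's one-line reset fixes the sequence "cast the same long text twice".

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of the report's defect, not Inform's template code.
 * Names are borrowed from the report; the array size is an assumption. */
#define IT_MemoryBufferSize 32

static char RawBufferAddress[IT_MemoryBufferSize];  /* fixed array, never grows */
static size_t RawBufferSize = IT_MemoryBufferSize;  /* believed capacity, global */

struct cast_result {
    size_t believed;  /* RawBufferSize the routine trusted for this call */
    size_t actual;    /* real capacity of RawBufferAddress */
    size_t needed;    /* bytes the text requires, including terminator */
    int oob;          /* 1 if the copy into the fixed array would overrun */
};

/* Model of one INDEXED_TEXT_TY_Cast call. reset_size != 0 applies the
 * one-line fix from the report (RawBufferSize = IT_MemoryBufferSize;). */
struct cast_result indexed_text_cast(const char *text, int reset_size)
{
    struct cast_result r;
    if (reset_size)
        RawBufferSize = IT_MemoryBufferSize;

    r.needed = strlen(text) + 1;
    r.actual = sizeof RawBufferAddress;

    if (r.needed > RawBufferSize) {
        /* Long text: assumed growth step. The believed size doubles until
         * the text fits and the work is done in a temporary heap area for
         * this call only. RawBufferAddress is untouched, but RawBufferSize
         * keeps the grown value after return: that is the defect. */
        while (RawBufferSize < r.needed)
            RawBufferSize *= 2;
        char *tmp = malloc(RawBufferSize);
        if (tmp != NULL) {
            memcpy(tmp, text, r.needed);
            free(tmp);
        }
        r.believed = RawBufferSize;
        r.oob = 0;
        return r;
    }

    /* Text fits the believed size, so the routine copies into the fixed
     * array. When RawBufferSize is stale this is the out-of-bounds write;
     * here it is detected and refused instead of performed. */
    r.believed = RawBufferSize;
    if (r.needed > r.actual) {
        r.oob = 1;
        return r;
    }
    memcpy(RawBufferAddress, text, r.needed);
    r.oob = 0;
    return r;
}

/* The report's sequence: cast the same long text twice from fresh state.
 * Returns 1 if the second cast would have written past the array. */
int reproduce(int with_fix)
{
    char longer[80];                        /* constructed stand-in for "the longer string" */
    memset(longer, 'x', sizeof longer - 1);
    longer[sizeof longer - 1] = '\0';

    RawBufferSize = IT_MemoryBufferSize;    /* program start */
    indexed_text_cast(longer, with_fix);    /* first cast: grows RawBufferSize to 128 */
    return indexed_text_cast(longer, with_fix).oob;  /* second cast reuses the stale size */
}

int main(void)
{
    printf("without fix: second cast out of bounds = %d\n", reproduce(0));
    printf("with fix:    second cast out of bounds = %d\n", reproduce(1));
    return 0;
}
```

The first cast is safe either way because the text never touches the fixed array; it is the second cast that trusts the grown RawBufferSize and heads for RawBufferAddress with 80 bytes for a 32-byte array. Resetting the believed size at entry (or before `return indt;`, as the report suggests) makes every call re-derive its bound from the allocation that actually exists, which is the general rule: a size that lives separately from the buffer it describes must be re-established at each use, not carried across calls.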

- Relationships
related to 0000587 (closed, graham): Certain tables cause Basic Help Menu entries to be truncated

- Notes
(0001498)
graham (administrator)
2011-12-17 17:01

Fixed. (The supplied fix was indeed right.)

- Issue History
Date Modified Username Field Change
2011-03-01 19:00 EmacsUser New Issue
2011-03-01 19:00 EmacsUser Relationship added related to 0000587
2011-03-01 19:08 EmacsUser Additional Information Updated View Revisions
2011-03-02 00:42 jmcgrew Status new => acknowledged
2011-05-30 22:07 jmcgrew Status acknowledged => confirmed
2011-12-17 17:01 graham Note Added: 0001498
2011-12-17 17:01 graham Status confirmed => resolved
2011-12-17 17:01 graham Resolution open => fixed
2011-12-17 17:01 graham Assigned To => graham
2014-05-07 07:34 jmcgrew Fixed in Version => 6L02
2014-05-07 07:34 jmcgrew Status resolved => closed