326 OBJECTS *initpln(OBJECTS * obp)
327 {
328     OBJECTS *ob;
329     int x, height, minx, maxx, n;
330
331     if (!obp)
332         ob = allocobj();
333     else
334         ob = obp;
335
336     switch (playmode) {
337     case PLAYMODE_SINGLE:
338     case PLAYMODE_NOVICE:
339         n = inits[ob->ob_index];
340         break;
341     case PLAYMODE_ASYNCH:
342         n = initm[ob->ob_index];
343         break;
344     case PLAYMODE_COMPUTER:
345         n = initc[ob->ob_index];
346         break;
347     default:
348         return NULL;
349     }
350
351     ob->ob_type = PLANE;
352
353     ob->ob_x = currgame->gm_x[n];
                    ^^^^^^^^^^^

Crashes here. n is bogus:

(gdb) p n
$6 = 1850018317

Because inits[ob->ob_index] is bogus:

(gdb) p ob.ob_index
$7 = 2
(gdb) p inits[2]
$8 = 1850018317

Possibly uninitialized memory that was luckily zero in the past?
(This is in sopwith-1.7.1-16.fc21.)

(gdb) bt
#0  initpln (obp=obp@entry=0x0) at swinit.c:353
#1  0x0000000000407cb9 in initcomp (obp=obp@entry=0x0) at swinit.c:433
#2  0x000000000040899a in swinitlevel () at swinit.c:995
#3  0x0000000000401ac8 in main (argc=1, argv=0x7fffffffdd68) at swmain.c:143

Actually, inits is only two long, so we're accessing off the end of the array:

320 static int inits[2] = { 0, 7 };

So...
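The failure described in this report, as an added illustration that is not sopwith's own code: the same three-table lookup from initpln(), but with ob_index checked against each table's length before it is used, so an index past the end is rejected instead of reading adjacent memory. Table and playmode names are taken from the report; the contents of initm and the PLAYMODE_* values are assumed.

```c
/* Added example, not sopwith's code: the initpln() start-slot lookup with a
 * bounds check. Names come from the bug report; initm's contents and the
 * PLAYMODE_* values are assumed. */
#include <stddef.h>

#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))

enum { PLAYMODE_SINGLE, PLAYMODE_NOVICE, PLAYMODE_ASYNCH, PLAYMODE_COMPUTER };

/* The table as it was in the report: two entries, yet indexed with ob_index 2. */
static const int inits_old[2] = { 0, 7 };
/* The tables after the fix (initm assumed to match the other two). */
static const int inits[4] = { 0, 7, 1, 6 };
static const int initm[4] = { 0, 7, 1, 6 };
static const int initc[4] = { 0, 7, 1, 6 };

/* Return table[idx] if idx lies inside the table, else -1. All slot values
 * in these tables are non-negative, so -1 is an unambiguous error value. */
static int checked_lookup(const int *table, size_t len, int idx)
{
    if (idx < 0 || (size_t)idx >= len)
        return -1;   /* the case the unchecked inits[ob->ob_index] got wrong */
    return table[idx];
}

/* Select the start slot n for a plane as initpln() does, but refuse an
 * ob_index outside the chosen table the same way the switch already
 * refuses an unknown playmode. Returns the slot, or -1 on error. */
int lookup_init(int playmode, int ob_index)
{
    switch (playmode) {
    case PLAYMODE_SINGLE:
    case PLAYMODE_NOVICE:
        return checked_lookup(inits, ARRAY_SIZE(inits), ob_index);
    case PLAYMODE_ASYNCH:
        return checked_lookup(initm, ARRAY_SIZE(initm), ob_index);
    case PLAYMODE_COMPUTER:
        return checked_lookup(initc, ARRAY_SIZE(initc), ob_index);
    default:
        return -1;
    }
}

/* The exact crash case from the report: ob_index 2 against the old
 * two-entry table. With the check it is rejected instead of yielding
 * garbage such as 1850018317. */
int old_table_index_2(void)
{
    return checked_lookup(inits_old, ARRAY_SIZE(inits_old), 2);
}
```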
Nice debugging. Thanks. I have a fixed package. Not sure the fix is correct. At least it does not crash anymore.
sopwith-1.8.3-2.fc21 has been submitted as an update for Fedora 21. https://admin.fedoraproject.org/updates/sopwith-1.8.3-2.fc21
sopwith-1.8.3-2.fc20 has been submitted as an update for Fedora 20. https://admin.fedoraproject.org/updates/sopwith-1.8.3-2.fc20
Maybe:

-Source0: http://downloads.sourceforge.net/sdl-sopwith/sopwith-1.8.3.tar.gz
+Source0: http://downloads.sourceforge.net/sdl-sopwith/sopwith-%{version}.tar.gz

the .spec?

Re the patch:

+-static int inits[2] = { 0, 7 };
++static int inits[4] = { 0, 7, 1, 6 };
+ static int initc[4] = { 0, 7, 1, 6 };

Where did you get 1,6 from? Copying the row below? I'm just curious. Thanks!
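Review bot: growing inits[] from 2 to 4 entries stops the out-of-bounds read for the ob_index values 2 and 3 seen in the report, but initpln() still indexes inits[], initm[] and initc[] with ob->ob_index unchecked, so any index beyond the new size would again read whatever sits next to the table and hand a garbage n to gm_x[n]. Since the switch already returns NULL for an unknown playmode, the same treatment for the index would make a bad value fail loudly, e.g. a sizeof-based check such as `if (ob->ob_index < 0 || ob->ob_index >= (int)(sizeof(inits) / sizeof(inits[0]))) return NULL;` before the lookup, with the same for the other two tables.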
I copied the row from below, yes. Debugging it, I found out that [3] was also accessed, so I had to add two fields. I have no idea what '1, 6' means, but I have contacted upstream hoping they can give some input on what the right fix should be.
It is much appreciated. Thanks for the quick fix.
Hi all, upstream maintainer for Sopwith here. I believe the "inits" array deals with the starting position of the player (or players). Though to be honest, the code isn't documented all that well. (The code is 30 years old and has gone through several hands.) I think Adrian Reber's fix is correct. I am playing with this fix and will push out a patched version of Sopwith shortly.
Package sopwith-1.8.3-2.fc21:
* should fix your issue,
* was pushed to the Fedora 21 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing sopwith-1.8.3-2.fc21'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-15277/sopwith-1.8.3-2.fc21
then log in and leave karma (feedback).
sopwith-1.8.3-2.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
sopwith-1.8.3-2.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.