Bug 1164516 - sopwith: Crash on start in single -> novice mode
Summary: sopwith: Crash on start in single -> novice mode
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: sopwith
Version: 21
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Adrian Reber
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2014-11-16 02:35 UTC by Conrad Meyer
Modified: 2014-12-06 10:46 UTC (History)

Fixed In Version: sopwith-1.8.3-2.fc21
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-11-27 08:36:24 UTC
Type: Bug



Description Conrad Meyer 2014-11-16 02:35:50 UTC
326     OBJECTS *initpln(OBJECTS * obp)
327     {
328             OBJECTS *ob;
329             int x, height, minx, maxx, n;
330
331             if (!obp)
332                     ob = allocobj();
333             else
334                     ob = obp;
335
336             switch (playmode) {
337             case PLAYMODE_SINGLE:
338             case PLAYMODE_NOVICE:
339                     n = inits[ob->ob_index];
340                     break;
341             case PLAYMODE_ASYNCH:
342                     n = initm[ob->ob_index];
343                     break;
344             case PLAYMODE_COMPUTER:
345                     n = initc[ob->ob_index];
346                     break;
347             default:
348                     return NULL;
349             }
350
351             ob->ob_type = PLANE;
352
353             ob->ob_x = currgame->gm_x[n];

^^^^^^^^^^^ Crashes here.

n is bogus:
(gdb) p n
$6 = 1850018317

Because inits[ob->ob_index] is bogus:
(gdb) p ob.ob_index
$7 = 2
(gdb) p inits[2]
$8 = 1850018317

Possibly uninitialized memory that was luckily zero in the past?

Comment 1 Conrad Meyer 2014-11-16 02:38:13 UTC
(This is in sopwith-1.7.1-16.fc21.)

(gdb) bt
#0  initpln (obp=obp@entry=0x0) at swinit.c:353
#1  0x0000000000407cb9 in initcomp (obp=obp@entry=0x0) at swinit.c:433
#2  0x000000000040899a in swinitlevel () at swinit.c:995
#3  0x0000000000401ac8 in main (argc=1, argv=0x7fffffffdd68) at swmain.c:143

Actually, inits is only two long, so we're accessing off the end of the array:

320     static int inits[2] = { 0, 7 };

So...

Comment 2 Adrian Reber 2014-11-17 11:24:17 UTC
Nice debugging. Thanks. I have a fixed package. Not sure the fix is correct. At least it does not crash anymore.

Comment 3 Fedora Update System 2014-11-17 13:31:45 UTC
sopwith-1.8.3-2.fc21 has been submitted as an update for Fedora 21.
https://admin.fedoraproject.org/updates/sopwith-1.8.3-2.fc21

Comment 4 Fedora Update System 2014-11-17 14:30:59 UTC
sopwith-1.8.3-2.fc20 has been submitted as an update for Fedora 20.
https://admin.fedoraproject.org/updates/sopwith-1.8.3-2.fc20

Comment 5 Conrad Meyer 2014-11-17 15:50:26 UTC
Maybe:
-Source0: http://downloads.sourceforge.net/sdl-sopwith/sopwith-1.8.3.tar.gz
+Source0: http://downloads.sourceforge.net/sdl-sopwith/sopwith-%{version}.tar.gz

the .spec?

Re the patch:
+-static int inits[2] = { 0, 7 };
++static int inits[4] = { 0, 7, 1, 6 };
+ static int initc[4] = { 0, 7, 1, 6 };
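Review bot: the new `inits[4] = { 0, 7, 1, 6 }` initializer duplicates the `initc` row without any comment saying what entries 2 and 3 select, and the array is still sized by a hand-written constant. Suggest documenting what each entry means and adding a range check on the index where the table is read, so an index past the end fails cleanly instead of reading adjacent memory.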

Where did you get 1,6 from? Copying the row below? I'm just curious. Thanks!

Comment 6 Adrian Reber 2014-11-17 15:56:39 UTC
I copied the row from below, yes. Debugging it, I found out that [3] was also accessed, so I had to add two fields. I have no idea what '1, 6' means, but I have contacted upstream hoping they can give some input on what the right fix should be.
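The out-of-range table read diagnosed in comments 1 and 6, rewritten with a checked lookup, as an added example that is not part of this report or of the sopwith source. The table values are the ones quoted above; `start_slot()`, `GM_SLOTS` (an assumed length for `gm_x`) and the enum values are hypothetical.

```c
/* Added illustration, not sopwith source. Table values are the ones quoted
 * in this report; GM_SLOTS, the enum values and start_slot() are assumed. */
#include <stddef.h>
#include <stdio.h>

enum playmode { PLAYMODE_SINGLE, PLAYMODE_NOVICE, PLAYMODE_ASYNCH,
                PLAYMODE_COMPUTER };

#define GM_SLOTS 8                       /* assumed length of gm_x[] */
#define COUNT(a) (sizeof(a) / sizeof((a)[0]))

static const int inits[] = { 0, 7 };     /* pre-fix table: two entries */
static const int initc[] = { 0, 7, 1, 6 };

/* Store the start slot for ob_index in *out and return 0, or return -1
 * when the index is outside the mode's table or the slot outside gm_x. */
int start_slot(enum playmode mode, int ob_index, int *out)
{
    const int *tab;
    size_t len;
    int n;
    switch (mode) {
    case PLAYMODE_SINGLE:
    case PLAYMODE_NOVICE:
        tab = inits; len = COUNT(inits);
        break;
    case PLAYMODE_COMPUTER:
        tab = initc; len = COUNT(initc);
        break;
    default:                             /* initm contents are not on the page */
        return -1;
    }
    if (ob_index < 0 || (size_t)ob_index >= len)
        return -1;                       /* the read that crashed in initpln */
    n = tab[ob_index];
    if (n < 0 || n >= GM_SLOTS)
        return -1;                       /* never index gm_x with a bad slot */
    *out = n;
    return 0;
}

int main(void)
{
    for (int i = 0; i < 4; i++) {
        int n = -1;
        int rc = start_slot(PLAYMODE_NOVICE, i, &n);
        printf("ob_index=%d rc=%d slot=%d\n", i, rc, n);
    }
    return 0;
}
```

With the two-entry table, indices 2 and 3 are rejected instead of producing a value like the 1850018317 seen in gdb; deriving the length with `sizeof` keeps the check in step with the initializer when the table is later widened.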

Comment 7 Conrad Meyer 2014-11-17 16:14:28 UTC
It is much appreciated. Thanks for the quick fix.

Comment 8 Jesse 2014-11-17 21:42:56 UTC
Hi all, upstream maintainer for Sopwith here. I believe the "inits" array deals with the starting position of the player (or players). Though to be honest, the code isn't documented all that well. (The code is 30 years old and has gone through several hands.) I think Adrian Reber's fix is correct. I am playing with this fix and will push out a patched version of Sopwith shortly.

Comment 9 Fedora Update System 2014-11-18 12:15:07 UTC
Package sopwith-1.8.3-2.fc21:
* should fix your issue,
* was pushed to the Fedora 21 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing sopwith-1.8.3-2.fc21'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-15277/sopwith-1.8.3-2.fc21
then log in and leave karma (feedback).

Comment 10 Fedora Update System 2014-11-27 08:36:24 UTC
sopwith-1.8.3-2.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 11 Fedora Update System 2014-12-06 10:46:51 UTC
sopwith-1.8.3-2.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.

