SCI engine writes over end of allocated buffer. #5

Open
bebbo opened this issue Feb 23, 2022 · 2 comments
Comments

bebbo commented Feb 23, 2022

Have a look at my hack: I have to allocate 5000 additional bytes (maybe 4404 additional bytes are sufficient too), otherwise it writes beyond the allocated block.

```cpp
void Surface::create(uint16 width, uint16 height, const PixelFormat &f) {
	free();

	w = width;
	h = height;
	format = f;
	pitch = w * format.bytesPerPixel;

	if (width && height) {
//		pixels = calloc(width * height, format.bytesPerPixel);
		// hack: over-allocate so the SCI engine's writes past the end stay inside the block
		uint32 sz = ((int)width) * height * format.bytesPerPixel + 5000;
		pixels = malloc(sz);
		assert(pixels);
		memset(pixels, 0, sz);
	}
}
```
mheyer32 (Owner) commented Feb 24, 2022

Very odd!

What tool did you use to detect this?
How is scummvm configured?
Which game are you running?

bebbo (Author) commented Feb 24, 2022

The game: Phantasmagoria
The tool: custom malloc/free:

```c
#include <stdio.h>
#include <stddef.h>
#include <exec/memory.h>   /* MEMF_PUBLIC */
#include <proto/exec.h>    /* AllocVec / FreeVec (AmigaOS exec library) */

/* noinline so a breakpoint can be set here when a damaged block is reported */
__attribute__((noinline)) void foo(void * p, int sz, int no, int na, int nz) {
	printf("trashed mem at %p sz=%d alloc #%d damaged: before %d, behind %d\n", p, sz, no, na, nz);
}
#if 0
#define N 256
#define X (size + size)
#else
#define N 32
#define X 0
#endif

/* header: 4-byte size + 4-byte allocation number + N guard bytes */
#define ADD (4*2 + N)

static int NO;


void * malloc(size_t size) {
	size = (size + 3) & ~3; // round up

	// protect the memory: header, front guard, payload, rear guard
	char * const p = (char *)AllocVec(size + X + ADD + N, MEMF_PUBLIC);

	char * q = p;
	// size
	*(int*)q = size;
	q += 4;
	// no
	*(int*)q = ++NO;
	q += 4;
	// 0 1 2 3 ... 255 before
	for (int i = 0; i < N; ++i)
		*q++ = i;
	q += size;
	// 255 254 253 ... 0 behind
	for (int i = X + N - 1; i >= 0; --i)
		*q++ = i;

	return p + ADD;
}

void free(void * _p) {
	if (!_p)
		return;

	unsigned char * q = _p;
	q -= ADD;
	char * const p = (char *)q;
	int size = *(int*)q;
	q += 4;
	int no = *(int*)q;
	q += 4;
	// count damaged guard bytes in front of the payload
	int bada = 0;
	for (int i = 0; i < N; ++i)
		if (*q++ != (unsigned char)i)
			++bada;
	q += size;

	// count damaged guard bytes behind the payload
	int badz = 0;
	for (int i = X + N - 1; i >= 0; --i)
		if (*q++ != (unsigned char)i)
			++badz;

	// damaged blocks are reported and deliberately not released
	if (bada + badz)
		foo(p, size, no, bada, badz);
	else
		FreeVec(p);
}
```
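As an added example (not code from this issue or from the Amiga ScummVM port), here is a portable version of the guard-band allocator above, built on the C library malloc so the detection technique can be tried on any host. The names guard_malloc, guard_check, guard_free and demo_overrun are my own; the layout (size, allocation number, ascending pattern before, descending pattern behind, damaged blocks reported but not freed) follows bebbo's code.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define N   32       /* guard bytes on each side, the same N as in the issue */
#define HDR (8 + N)  /* 4-byte size + 4-byte allocation number + front guard */
static uint32_t seq_no;
typedef struct { int before, behind; } guard_report;  /* damaged guard bytes per side */
/* Layout, as in bebbo's malloc: [size][seq][0 1 .. N-1][user data][N-1 .. 1 0]. */
void *guard_malloc(size_t size) {
    size = (size + 3) & ~(size_t)3;                     /* round up to a multiple of 4 */
    unsigned char *p = malloc(HDR + size + N);
    if (!p) return NULL;
    uint32_t sz = (uint32_t)size, no = ++seq_no;
    memcpy(p, &sz, 4); memcpy(p + 4, &no, 4);
    for (int i = 0; i < N; ++i) {
        p[8 + i] = (unsigned char)i;                    /* ascending pattern before */
        p[HDR + size + i] = (unsigned char)(N - 1 - i); /* descending pattern behind */
    }
    return p + HDR;
}
/* Count guard bytes that no longer match their pattern, without freeing. */
guard_report guard_check(const void *user) {
    const unsigned char *p = (const unsigned char *)user - HDR;
    uint32_t size; memcpy(&size, p, 4);
    guard_report r = {0, 0};
    for (int i = 0; i < N; ++i) {
        r.before += p[8 + i] != (unsigned char)i;
        r.behind += p[HDR + size + i] != (unsigned char)(N - 1 - i);
    }
    return r;
}
/* Free intact blocks; report damaged ones and keep them so the evidence survives. Returns 1 on damage. */
int guard_free(void *user) {
    if (!user) return 0;
    unsigned char *p = (unsigned char *)user - HDR;
    guard_report r = guard_check(user);
    if (!r.before && !r.behind) { free(p); return 0; }
    uint32_t size, no; memcpy(&size, p, 4); memcpy(&no, p + 4, 4);
    fprintf(stderr, "trashed mem at %p sz=%u alloc #%u damaged: before %d, behind %d\n", (void *)p, (unsigned)size, (unsigned)no, r.before, r.behind);
    return 1;
}
/* Constructed demo: write 3 bytes past a 16-byte block; returns how many rear guard bytes were hit (3). */
int demo_overrun(void) {
    unsigned char *buf = guard_malloc(16);
    memset(buf, 0xAA, 16 + 3);                          /* deliberate 3-byte overflow into the rear guard */
    return guard_free(buf) ? guard_check(buf).behind : 0;  /* damaged block is kept, so re-checking is safe */
}
```

The count of damaged rear bytes tells you the overrun length directly, which is how the 4404-byte figure in the first comment can be pinned down instead of guessed.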
