MantisBT - Zandronum
View Issue Details
ID: 0003726
Project: Zandronum
Category: [All Projects] Bug
View Status: public
Date Submitted: 2019-10-20 07:48
Last Update: 2020-05-05 22:47
Assigned To: Torr Samaho
Status: needs testing
Resolution: open
Platform: Windows
OS: Windows Server 2012 R2
OS Version: XP/Vista/7
0003726: Zandronum 3.0.1 - crash - Integer Overflow
Zandronum 3.0.1 - crash - Integer Overflow, due to the calculation of decal coordinates in an assembler insert.
I have my own correction of this error, if you notice my existence at all and react to this ticket in the next six years.
No tags attached.
Attached Files:
zip (21,893) 2019-10-20 07:48
png fix1.png (12,005) 2020-01-14 07:08
png overflow.png (46,434) 2020-05-05 06:46
DEMO2.wad (927,778) 2020-05-05 22:37
Issue History
2019-10-20 07:48 | eagle | New Issue
2019-10-20 07:48 | eagle | File Added:
2019-12-22 14:34 | Torr Samaho | Note Added: 0021080
2019-12-26 17:09 | eagle | Note Added: 0021081
2020-01-12 20:53 | Torr Samaho | Note Added: 0021082
2020-01-14 07:08 | eagle | File Added: fix1.png
2020-01-14 07:09 | eagle | Note Added: 0021083
2020-04-30 20:03 | Torr Samaho | Note Added: 0021295
2020-04-30 20:03 | Torr Samaho | Assigned To => Torr Samaho
2020-04-30 20:03 | Torr Samaho | Status: new => needs testing
2020-05-05 06:45 | eagle | Note Added: 0021309
2020-05-05 06:46 | eagle | File Added: overflow.png
2020-05-05 21:22 | Edward-san | Note Added: 0021310
2020-05-05 21:30 | Edward-san | Note Edited: 0021310
2020-05-05 21:31 | Edward-san | Note Edited: 0021310
2020-05-05 21:58 | eagle | Note Added: 0021312
2020-05-05 21:59 | eagle | Note Added: 0021313
2020-05-05 22:29 | Edward-san | Note Added: 0021315
2020-05-05 22:34 | Edward-san | Note Edited: 0021315
2020-05-05 22:36 | eagle | Note Added: 0021316
2020-05-05 22:37 | eagle | File Added: DEMO2.wad
2020-05-05 22:45 | Edward-san | Note Added: 0021317
2020-05-05 22:46 | Edward-san | Note Edited: 0021317
2020-05-05 22:47 | Edward-san | Note Edited: 0021317
2020-05-05 22:47 | Edward-san | Note Edited: 0021317

Torr Samaho
2019-12-22 14:34
Quote from eagle

    I have my own correction of this error, if you notice my existence at all and react to this ticket in the next six years.

I'm all ears.
eagle
2019-12-26 17:09
Remove the assembler insert in the function in which the crash occurred; the problem is caused by it.
Torr Samaho
2020-01-12 20:53
Unfortunately, I can't get anything out of the crash log. Which function are you referring to?
eagle
2020-01-14 07:09
I uploaded a screenshot with the fix.
Torr Samaho
2020-04-30 20:03
Thanks, I added your patch!
eagle
2020-05-05 06:45
This correction was not enough, so we went further... I attached a screenshot.
Edward-san
2020-05-05 21:22
(edited on: 2020-05-05 21:31)
Can you attach a crash log obtained with the new build?

Also, the new patch seems to change the scale code in the C code instead of the intended assembler code, contradicting the statement in the description that the assembler code was the culprit here. How did you discover this? Also, just to ask: is Zandronum compiled by yourself, by any chance?

eagle
2020-05-05 21:58
I checked it on my own compilation, so my logs won't help here. And the problem there is huge values in the variables obtained before the division. Only the assembly insert was replaced, and it is still called in many places in the renderer.
eagle
2020-05-05 21:59
This overflow error appears on huge maps when drawing decals.
Edward-san
2020-05-05 22:29
(edited on: 2020-05-05 22:34)
Quote from eagle

    This overflow error appears on huge maps when drawing decals.

Indeed, from the code it looks like it is sufficient to have a decal on a very large wall. Can you attach an example wad reproducing the crash with this, which is also compatible with gzdoom?

eagle
2020-05-05 22:36
Yes, of course.
Edward-san
2020-05-05 22:45
(edited on: 2020-05-05 22:47)
In any case, I'm personally not inclined to change the Scale function to accommodate this specific case. I have a suggestion: does it work if you replace the current multiplication and division in the decal code with the following:

(fixed_t)((r * (SQWORD)ldx) / wallsize)

and similar for the y case? Moreover, the Scale call in DBaseDecal::SpreadLeft should be replaced in the same way.
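To illustrate the suggestion in this last note, here is an added example (not Zandronum's code) that compares a 32-bit intermediate product with the widened 64-bit form quoted above, and adds a check that the 64-bit quotient fits in fixed_t before it is cast back. It assumes fixed_t is a 32-bit 16.16 fixed-point value and SQWORD a signed 64-bit integer; the decal and wall values are constructed.

```c
#include <stdint.h>
#include <inttypes.h>
#include <stdio.h>

/* Assumed type layout for this example: fixed_t is 32-bit 16.16 fixed point,
 * SQWORD is a signed 64-bit integer. */
typedef int32_t fixed_t;
typedef int64_t SQWORD;
#define FRACUNIT (1 << 16)

/* Multiply-then-divide with only a 32-bit product. The product wraps (done in
 * unsigned arithmetic so the wrap is well defined) before the division ever
 * runs, so the high bits of r * ldx are lost. */
static fixed_t scale_narrow(fixed_t r, fixed_t ldx, fixed_t wallsize)
{
    uint32_t prod = (uint32_t)r * (uint32_t)ldx;
    return (fixed_t)((int32_t)prod / wallsize);
}

/* The replacement suggested in the note: widen to 64 bits before multiplying,
 * divide in 64 bits, then narrow the quotient. */
static fixed_t scale_wide(fixed_t r, fixed_t ldx, fixed_t wallsize)
{
    return (fixed_t)((r * (SQWORD)ldx) / wallsize);
}

/* Returns 1 when the exact 64-bit quotient fits in fixed_t, i.e. when the final
 * cast in scale_wide does not silently truncate. Cheap enough to assert on in a
 * debug build; wallsize must be non-zero. */
static int scale_fits(fixed_t r, fixed_t ldx, fixed_t wallsize)
{
    SQWORD q = (r * (SQWORD)ldx) / wallsize;
    return q >= INT32_MIN && q <= INT32_MAX;
}

int main(void)
{
    /* Constructed sample: a decal spread 100 map units along a 32000-unit wall
     * that runs purely along the x axis, so ldx == wallsize. */
    fixed_t r = 100 * FRACUNIT;
    fixed_t ldx = 32000 * FRACUNIT;
    fixed_t wallsize = 32000 * FRACUNIT;

    printf("narrow: %" PRId32 "\n", scale_narrow(r, ldx, wallsize)); /* 0 */
    printf("wide:   %" PRId32 "\n", scale_wide(r, ldx, wallsize));   /* 6553600 */
    printf("fits:   %d\n", scale_fits(r, ldx, wallsize));            /* 1 */
    return 0;
}
```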