Overflow bug causing load game crash in Wiidoom

[Joe Durnavich]

I'm posting this in case it saves someone else some trouble. I think this may be an old bug that has been there since the beginning.

I downloaded and compiled the source to WiiDoom, which is a Nintendo Wii port of PrBoom. When I tried to load a previously saved game, it would cause a DSI code dump.

The g_game.c file uses a savebuffer pointer to point to the allocated memory space of the loaded save game file. Something was stomping on the first byte of the pointer -- not what it pointed to, but the address in the pointer variable itself. So, in my case savebuffer started out containing an address value of 0x809E7C78, but by the time Z_Free was called on it to free the memory, the value was 0x009E7C78. Something zeroed out the first byte, and the pointer no longer pointed to valid memory.

The problem seems to be caused by a memset of mousebuttons. In the declarations in g_game.c:

static bool mousearray[4];
static bool *mousebuttons = &mousearray[1]; // allow [-1]

Notice that mousebuttons points to one position in of offset into mousearray. But in G_DoLoadLevel(), it zeros it out with a memset:

memset (mousebuttons, 0, sizeof(mousebuttons));

This memset clears 4 bytes of memory, and because it is starting one byte in to the 4-byte mousearray, it overwrites the first byte of whatever field follows mousearray. Looking at the linker map, in my case, that was the savebuffer pointer.

The memset should clear out the mousearray itself and not the mousebuttons pointer to it (and joyarray, which is a similar arrangement, but won't overflow because the array length is 13):

memset (mousearray, 0, sizeof(mousearray));
memset (joyarray, 0, sizeof(joyarray));