Viewing Issue Advanced Details
ID: 08952
Category: Crash/Freeze
Severity: Minor
Reproducibility: Always
Date Submitted: Nov 5, 2024, 14:53
Last Update: 4 days ago
Tester: Robbbert
View Status: Public
Platform: MAME (Self-compiled)
Assigned To:
Resolution: Open
OS: Windows 10/11 (64-bit)
Status: Confirmed
Driver:
Version: 0.271
Fixed in Version:
Build: 64-bit
Fixed in Git Commit:
Github Pull Request #:
Summary: 08952: spec128: Several tapes cause MAME to crash
Description: While testing my loose software, it was noted that several tapes cause MAME to crash as soon as the emulation is started.
Steps To Reproduce: Enter this line, using the supplied file and substituting your path.

mame spec128 -cass "e:\data\sinclair\spectrum\Automaticky Bubenik Verze 2 (1986)(Daniel Rodny).tap"

It will immediately crash, before the screen can appear.
Additional Information: I do not know if these tapes are meant for this system; however, even if that's the case, a crash should not occur.

A number of examples have been included.

Although I didn't test it, I'd imagine that most of the spectrum-related systems will crash in the same way.

C:\MAME>mame spec128 -cass "e:\data\sinclair\spectrum\Automaticky Bubenik Verze 2 (1986)(Daniel Rodny).tap"
Warning: layout view 'Keyboard Layout' contains deprecated cpanel element
Warning: layout view 'Keyboard Only' contains deprecated cpanel element
Warning: layout view 'Keyboard Layout' contains deprecated cpanel element
Warning: layout view 'Keyboard Only' contains deprecated cpanel element

-----------------------------------------------------
Exception at EIP=00007ff7cb28a690 (tzx_cas_handle_block(short**, unsigned char const*, int, int, int, int, int, int, int, int, int) [clone .constprop.0]+0x0150): ACCESS VIOLATION
While attempting to read memory at 0000029b8b19b000
-----------------------------------------------------
RAX=0000000000000000 RBX=0000000000005a9e RCX=0000000000005a9e RDX=0000000000000000
RSI=0000000000003d00 RDI=0000029b8b197300 RBP=00000000000003e8 RSP=000000f43e6f8c00
 R8=0000000000000016 R9=00000000002b5754 R10=0000000000000001 R11=000000000000000b
R12=0000000000005b02 R13=0000000000000008 R14=0000000000005b01 R15=0000000000004ca3
-----------------------------------------------------
Stack crawl:
  000000f43e6f8c30: 00007ff7cb28a690 (tzx_cas_handle_block(short**, unsigned char const*, int, int, int, int, int, int, int, int, int) [clone .constprop.0]+0x0150)
  000000f43e6f8cb0: 00007ff7cb28a7bb (tap_cas_to_wav_size(unsigned char const*, int)+0x003b)
  000000f43e6f8e30: 00007ff7cdea40db (cassette_image::legacy_construct(cassette_image::LegacyWaveFiller const*)+0x024b)
  000000f43e6f8ec0: 00007ff7cdea193c (cassette_image::open_choices(std::unique_ptr<util::random_read_write, std::default_delete<util::random_read_write> >&&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, cassette_image::Format const* const*, int, std::unique_ptr<cassette_image, std::default_delete<cassette_image> >&)+0x010c)
  000000f43e6f8fd0: 00007ff7cac69f22 (cassette_image_device::internal_load(bool)+0x00c2)
  000000f43e6f9040: 00007ff7cac6a5e5 (non-virtual thunk to cassette_image_device::call_load[abi:cxx11]()+0x0035)
  000000f43e6f90f0: 00007ff7caca363e (device_image_interface::finish_load[abi:cxx11]()+0x026e)
  000000f43e6f9210: 00007ff7cdc9b6fb (image_manager::postdevice_init()+0x017b)
  000000f43e6f9240: 00007ff7d50950c2 (luaopen_lfs+0x2709222)
  000000f43e6f9380: 00007ff7ca9a3dc8 (device_t::start()+0x0698)
  000000f43e6f94d0: 00007ff7cab36d9a (running_machine::start_all_devices()+0x014a)
  000000f43e6f95f0: 00007ff7cab3ae31 (running_machine::start()+0x0a91)
  000000f43e6f9770: 00007ff7cab3e3dc (running_machine::run(bool)+0x00cc)
  000000f43e6fed90: 00007ff7cdc6d15c (mame_machine_manager::execute()+0x024c)
  000000f43e6ff180: 00007ff7d195d49a (cli_frontend::start_execution(mame_machine_manager*, std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > const&)+0x03ea)
  000000f43e6ff490: 00007ff7d195daca (cli_frontend::execute(std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > >&)+0x007a)
  000000f43e6ff4f0: 00007ff7cdc67f07 (emulator_info::start_frontend(emu_options&, osd_interface&, std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > >&)+0x0027)
  000000f43e6ff8c0: 00007ff7d35e6141 (luaopen_lfs+0xc5a2a1)
  000000f43e6ff910: 00007ff7c6de12ee (__tmainCRTStartup+0x016e)
  000000f43e6ff940: 00007ff7c6de1406 (mainCRTStartup+0x0016)
  000000f43e6ff970: 00007ffd2c997374 (BaseThreadInitThunk+0x0014)
  000000f43e6ff9f0: 00007ffd2cadcc91 (RtlUserThreadStart+0x0021)
Github Commit:
Flags:
Regression Version:
Affected Sets / Systems: spec128
Attached Files: Spec128 crashers.zip (298,745 bytes), Nov 5, 2024, 14:53, uploaded by Robbbert
Relationships: There are no relationships linked to this issue.
Notes (3)
No.22410
Robbbert
Moderator
Nov 5, 2024, 14:54
I've barely begun the testing of spectrum tapes, so I'd expect there will be many more crashes encountered.
No.22438
Robbbert
Moderator
24 days ago
I did a little investigation without finding a definite answer.

It does look like a buffer overflow for the variable "buffer", but I was not able to find where this variable is declared or how much memory is allocated to it.
No.22517
holub
Tester
4 days ago
edited on: 4 days ago
The overflow is caused by invalid wav sample buffer calculations.
https://github.com/mamedev/mame/blob/master/src/lib/formats/cassimg.cpp#L849
Changing this to `samples.resize(sample_count * 2);` allows the tapes to load, but as the value is not precise, the UI keeps showing the tape loading after it has finished.
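The two notes above point at a size pass (the `sample_count` that sizes `samples`) that can disagree with the pass that fills the buffer, and the reporter suspects a buffer overflow. The sketch below is an added example and not MAME's tap/tzx code; it shows the two checks such a two-pass converter needs: validate each declared block length against the remaining input before reading it, and route the fill pass through a bounds-checked writer so that a mismatch with the size pass is reported instead of becoming a heap overrun. The TAP block layout (2-byte little-endian length, then that many bytes) is the standard one; the waveform constants `PILOT`, `HI` and `LO`, the `extra_per_block` parameter, the sample input bytes and all function and type names are assumptions made for this example.

```cpp
#include <cstddef>
#include <cstdint>
#include <optional>
#include <vector>

// A .tap stream is a sequence of blocks, each a 2-byte little-endian length
// followed by that many bytes (assumption: the standard TAP layout; names and
// constants here are illustrative, not MAME's own).
struct TapBlock {
    size_t offset;  // position of the block's first data byte in the stream
    size_t length;  // declared block length
};

// Walk the block headers, refusing any block whose declared length runs past
// the end of the input. Returns std::nullopt on a truncated or overlong block,
// so nothing downstream ever reads past the buffer it was given.
std::optional<std::vector<TapBlock>> parse_tap_blocks(const std::vector<uint8_t>& data)
{
    std::vector<TapBlock> blocks;
    size_t pos = 0;
    while (pos < data.size()) {
        if (data.size() - pos < 2)
            return std::nullopt;                        // truncated length field
        size_t len = data[pos] | (size_t(data[pos + 1]) << 8);
        pos += 2;
        if (len > data.size() - pos)
            return std::nullopt;                        // length exceeds remaining input
        blocks.push_back({pos, len});
        pos += len;
    }
    return blocks;
}

// Output buffer with a fixed capacity. The size pass decides the capacity; the
// fill pass may only write up to it. A write past the end is recorded as an
// overflow instead of being performed.
class SampleWriter {
public:
    explicit SampleWriter(size_t capacity) : buf_(capacity) {}
    void put(int16_t v)
    {
        if (used_ >= buf_.size()) { overflowed_ = true; return; }
        buf_[used_++] = v;
    }
    size_t used() const { return used_; }
    bool overflowed() const { return overflowed_; }
private:
    std::vector<int16_t> buf_;
    size_t used_ = 0;
    bool overflowed_ = false;
};

// Toy waveform (hypothetical, chosen for the example): PILOT samples per
// block, then one sample per data bit.
constexpr size_t PILOT = 4;
constexpr int16_t HI = 32767, LO = -32768;

// Size pass: how many samples the fill pass is expected to emit.
size_t estimate_samples(const std::vector<TapBlock>& blocks)
{
    size_t n = 0;
    for (const TapBlock& b : blocks) n += PILOT + b.length * 8;
    return n;
}

// Fill pass. `extra_per_block` simulates the fill pass emitting samples the
// size pass did not account for (e.g. a trailing pause); with unchecked writes
// that mismatch would become a heap overrun.
SampleWriter fill_samples(const std::vector<uint8_t>& data, const std::vector<TapBlock>& blocks,
                          size_t capacity, size_t extra_per_block)
{
    SampleWriter w(capacity);
    for (const TapBlock& b : blocks) {
        for (size_t i = 0; i < PILOT; ++i) w.put((i & 1) ? HI : LO);
        for (size_t i = 0; i < b.length; ++i) {
            uint8_t byte = data[b.offset + i];          // in range: parse_tap_blocks checked it
            for (int bit = 7; bit >= 0; --bit) w.put(((byte >> bit) & 1) ? HI : LO);
        }
        for (size_t i = 0; i < extra_per_block; ++i) w.put(0);
    }
    return w;
}

struct ConvertResult {
    bool ok;         // false if the input was malformed or the fill pass overflowed
    size_t samples;  // samples actually stored (never more than the estimate)
};

// Both passes over one buffer; the caller learns about any mismatch.
ConvertResult convert_tap(const std::vector<uint8_t>& data, size_t extra_per_block)
{
    std::optional<std::vector<TapBlock>> blocks = parse_tap_blocks(data);
    if (!blocks) return {false, 0};
    size_t capacity = estimate_samples(*blocks);
    SampleWriter w = fill_samples(data, *blocks, capacity, extra_per_block);
    return {!w.overflowed(), w.used()};
}
```

On the constructed stream `{0x03,0x00, 0x00,0x01,0x02, 0x02,0x00, 0xAA,0x55}` (two blocks of 3 and 2 bytes) `convert_tap` reports `ok` with 48 samples; with a non-zero `extra_per_block` the writer flags the overflow and `samples` stays capped at the estimate, and a block whose declared length exceeds the remaining input is rejected before any byte is read. Doubling the capacity, as in the workaround in the note above, hides a mismatch of up to 2x but does not detect it; a checked writer turns the mismatch into an error, and deriving the size pass from the same code path as the fill pass removes it.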