There is an out-of-bounds access in digi_mixer_start_sound() when
soundnum is < 0. The bounds check I added here is already present in
digi_audio_start_sound().

This bug was triggered on the RPi d2x build when trying to show the
briefing screen because briefing_new_screen() tries to play
SOUND_BRIEFING_HUM, which digi_xlat_sound() translated to -1 in this
situation. The game finally crashed in mixdigi_convert_sound() because
GameSounds[-1] happened to contain some non-zero data (on my Linux desktop,
that memory seems to be always 0 by accident...). This was also the reason
why the pi version tried to allocate lots of memory before it crashed in
memcpy().
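
The failure mode described above, as an added example that is not part of the commit or the project's code: a translation step returns -1 for a sound with no sample, and the playback entry point must reject that value before indexing the table. All names here (`xlat_sound`, `start_sound`, `sounds`, `MAX_SOUNDS`) and the sample data are hypothetical.

```c
#include <stddef.h>
#include <stdio.h>

#define MAX_SOUNDS 4                 /* constructed table size, not the game's */

struct sound {
    size_t length;                   /* sample length in bytes */
    const unsigned char *data;       /* NULL when the slot is unused */
};

static const unsigned char hum[] = { 1, 2, 3, 4 };   /* constructed sample */
static struct sound sounds[MAX_SOUNDS] = { { sizeof hum, hum } };

/* Hypothetical translation step: maps a logical sound id to a table
 * slot and returns -1 when no sample is available for that id. */
static int xlat_sound(int id)
{
    static const int map[] = { 0, -1 };
    if (id < 0 || id >= (int)(sizeof map / sizeof map[0]))
        return -1;
    return map[id];
}

/* Returns the number of bytes that would be queued, or -1 if rejected.
 * Checking only the upper bound would let -1 through and read the
 * memory in front of the table, whose contents differ per platform. */
static long start_sound(int soundnum)
{
    if (soundnum < 0 || soundnum >= MAX_SOUNDS)
        return -1;                   /* sentinel or out-of-range index */
    const struct sound *s = &sounds[soundnum];
    if (s->data == NULL || s->length == 0)
        return -1;                   /* slot exists but holds no sample */
    return (long)s->length;
}

int main(void)
{
    printf("mapped id 0   -> %ld\n", start_sound(xlat_sound(0)));
    printf("unmapped id 1 -> %ld\n", start_sound(xlat_sound(1)));
    return 0;
}
```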

Kp already incorporated some small changes I made in my rpi branch into
unification/master. However, besides making the rpi helper functions
static as I did, he also changed the prototype from (void) parameters
to C++ style (). I've incorporated his version here.

Conflicts:
	similar/arch/ogl/gr.cpp

Rebirth builds with -Werror=redundant-decls -Werror=undef, which are
triggered by the bcm_host.h. Making gcc treat those paths as
system headers avoids these issues. This was suggested by Kp.

If a sound is used, it may dereference Viewer. If Viewer is null, this
will crash. In 630f11945e,
digi_sync_sounds changed to assume Viewer is valid. This crashes during
early startup when not using the SDL_mixer backend, even though no
sounds are in use.

Reported-by: derhass <https://github.com/dxx-rebirth/dxx-rebirth/issues/45>
Fixes: 630f11945e ("Cache Viewer in digiobj")