I got two segfaults in powermanga 0.90-dfsg-2 today,
on amd64.  For the second of them, I had gdb waiting.
I don't have exact symbols but the crash appears
to be a null pointer dereference in shot_display():
bullet->spr.trajectory is 1 (homing),
and bullet->img_old_angle and bullet->spr.numof_images
are both 32; that means bullet->img_old_angle
is out of range.  The function then dereferences
bullet->spr.img[bullet->img_old_angle], which is NULL.

In shot_display(), there is code that tries to keep
bullet->img_angle within range.  I suppose the
bullet->img_old_angle assignment should be moved below that.
(I think the crash in the coordinate calculation could
alternatively be fixed by using bullet->img_angle there
instead of img_old_angle, but the out-of-range value
would then just cause a similar crash elsewhere.)

While looking at this, I found some suspicious code in
shots_handle() too.  Namely, there is one place where
it calls shot_delete and then decrements i.  It seems
this could cause it to run past the end of the linked list.

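The ordering problem the report describes, as an added example that is not code from the report or from powermanga: the structures, field layout and the wrap_angle/lookup_image helpers below are hypothetical stand-ins built around the field names in the report (trajectory, numof_images, img[], img_angle, img_old_angle), and the frame data is constructed. The buggy variant records img_old_angle before img_angle is brought back into range, so one step from 31 reaches index 32 == numof_images; the fixed variant moves the assignment below the range fix, as the report suggests.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical sprite/bullet layout using the field names from the report.
 * These are NOT powermanga's real structures; only the order of the range
 * fix versus the img_old_angle snapshot matters here. */
#define NUMOF_IMAGES 32

static int frame_ids[NUMOF_IMAGES];   /* constructed stand-in for image data */

typedef struct {
    int trajectory;                   /* 1 = homing, as in the report */
    int numof_images;                 /* 32 in the reported crash */
    const int *img[NUMOF_IMAGES];     /* one pointer per rotation frame */
} sprite_t;

typedef struct {
    sprite_t spr;
    int img_angle;
    int img_old_angle;
} bullet_t;

/* Image lookup with the bounds check the crash lacked. An out-of-range index
 * yields NULL here, standing in for the NULL the reporter saw at
 * bullet->spr.img[32]; in the real code that read is simply out of bounds. */
static const int *lookup_image(const sprite_t *s, int idx)
{
    if (idx < 0 || idx >= s->numof_images)
        return NULL;
    return s->img[idx];
}

/* Wrap an angle index into [0, numof_images), handling negative steps too. */
static int wrap_angle(int angle, int numof_images)
{
    angle %= numof_images;
    if (angle < 0)
        angle += numof_images;
    return angle;
}

/* Build a homing bullet whose frames point at the constructed frame table. */
bullet_t make_bullet(int angle)
{
    bullet_t b;
    int i;
    for (i = 0; i < NUMOF_IMAGES; i++) {
        frame_ids[i] = i;
        b.spr.img[i] = &frame_ids[i];
    }
    b.spr.trajectory = 1;
    b.spr.numof_images = NUMOF_IMAGES;
    b.img_angle = angle;
    b.img_old_angle = angle;
    return b;
}

/* Suspected ordering: img_old_angle is recorded BEFORE img_angle is brought
 * back into range, so a step from 31 to 32 leaves img_old_angle equal to
 * numof_images and the lookup yields NULL. */
const int *shot_image_buggy(bullet_t *b, int step)
{
    b->img_angle += step;
    b->img_old_angle = b->img_angle;
    b->img_angle = wrap_angle(b->img_angle, b->spr.numof_images);
    return lookup_image(&b->spr, b->img_old_angle);
}

/* Fix suggested in the report: move the assignment below the range fix. */
const int *shot_image_fixed(bullet_t *b, int step)
{
    b->img_angle = wrap_angle(b->img_angle + step, b->spr.numof_images);
    b->img_old_angle = b->img_angle;
    return lookup_image(&b->spr, b->img_old_angle);
}

int main(void)
{
    bullet_t b = make_bullet(31);
    const int *img = shot_image_buggy(&b, 1);
    printf("buggy: img_old_angle=%d img=%s\n", b.img_old_angle,
           img ? "valid" : "NULL (would segfault on dereference)");

    b = make_bullet(31);
    img = shot_image_fixed(&b, 1);
    printf("fixed: img_old_angle=%d frame=%d\n", b.img_old_angle, *img);
    return 0;
}
```

With the buggy ordering the lookup for angle 32 returns NULL, which is the pointer the report sees dereferenced; with the assignment moved below the wrap, img_old_angle is 0 and the frame is valid. Using img_angle instead of img_old_angle in the lookup would only hide the symptom here, since img_old_angle would still hold the out-of-range value for any later use.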