ZDoom

Posted: **Sat Aug 13, 2016 4:23 pm**

EDIT: Bugfix PR.

Download the test.pk3 attached. Give SMM in console. A few seconds later, crash.

Posted: **Sat Aug 13, 2016 4:37 pm**

it would be interesting to know what are the values of 'type' and, if it's not null, 'i' and 'type->Slot'..

Posted: **Mon Aug 15, 2016 8:41 am**

I have managed to reproduce it on a much simpler scale. Attached in the first post is a test example.

"Give SMM" in console. Don't mind the fact that you cannot move.

A couple seconds later, the game crashes from the morph expiring.

Posted: **Mon Aug 15, 2016 9:02 am**

Still very much 'ugh'.
For some reason it encounters a player class object that isn't fully initialized and crashes on the garbage data.
The big problem is, that cause and effect are in completely separate parts of the code.

Posted: **Mon Aug 15, 2016 12:31 pm**

Youch. Yeah, it is weird when it happens especially because the player's view is just outside of the actor. Hmmm...

Posted: **Mon Aug 15, 2016 3:30 pm**

Regarding the original problem, I got this asan error with the wad:

Spoiler:

Code: Select all

==1759==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61a00022cd38 at pc 0x000000d44c4d bp 0x7fffffffc0b0 sp 0x7fffffffc0a0
READ of size 8 at 0x61a00022cd38 thread T0
    #0 0xd44c4c in P_UndoPlayerMorph(player_t*, player_t*, int, bool) /home/edward-san/zdoom/trunk/src/g_shared/a_morph.cpp:256
    #1 0xd2fc44 in APowerMorph::EndEffect() /home/edward-san/zdoom/trunk/src/g_shared/a_artifacts.cpp:1972
    #2 0xd26d3f in APowerup::Destroy() /home/edward-san/zdoom/trunk/src/g_shared/a_artifacts.cpp:227
    #3 0xd53e74 in AInventory::DepleteOrDestroy() /home/edward-san/zdoom/trunk/src/g_shared/a_pickups.cpp:1238
    #4 0xa76a7f in AActor::TakeInventory(PClassActor*, int, bool, bool) /home/edward-san/zdoom/trunk/src/p_mobj.cpp:725
    #5 0x909398 in cht_Take(player_t*, char const*, int) /home/edward-san/zdoom/trunk/src/m_cheat.cpp:1000
    #6 0x850761 in Net_DoCommand(int, unsigned char**, int) /home/edward-san/zdoom/trunk/src/d_net.cpp:2199
    #7 0x861a63 in RunNetSpecs(int, int) /home/edward-san/zdoom/trunk/src/d_protocol.cpp:460
    #8 0x8ba33b in G_Ticker() /home/edward-san/zdoom/trunk/src/g_game.cpp:1150
    #9 0x84ecf1 in TryRunTics() /home/edward-san/zdoom/trunk/src/d_net.cpp:1945
    #10 0x83ae41 in D_DoomLoop() /home/edward-san/zdoom/trunk/src/d_main.cpp:1011
    #11 0x842043 in D_DoomMain() /home/edward-san/zdoom/trunk/src/d_main.cpp:2644
    #12 0x59ba05 in main /home/edward-san/zdoom/trunk/src/posix/sdl/i_main.cpp:317
    #13 0x7ffff3be782f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #14 0x58cdf8 in _start (/home/edward-san/zdoom/trunk/debug_san/zdoom+0x58cdf8)

0x61a00022cd38 is located 16 bytes to the right of 1192-byte region [0x61a00022c880,0x61a00022cd28)
allocated by thread T0 here:
    #0 0x7ffff6f02602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
    #1 0x901a38 in M_Malloc_Dbg(unsigned long, char const*, int) /home/edward-san/zdoom/trunk/src/m_alloc.cpp:135
    #2 0x87f5ad in PClass::CreateNew() const /home/edward-san/zdoom/trunk/src/dobjtype.cpp:3130
    #3 0xa8d7ae in AActor::StaticSpawn(PClassActor*, TVector3<double> const&, replace_t, bool) /home/edward-san/zdoom/trunk/src/p_mobj.cpp:4066
    #4 0x82a5e5 in Spawn(PClassActor*, TVector3<double> const&, replace_t) /home/edward-san/zdoom/trunk/src/./actor.h:1460
    #5 0xeba795 in AF_A_SpawnItemEx /home/edward-san/zdoom/trunk/src/thingdef/thingdef_codeptr.cpp:2986
    #6 0xfd596c in VMExec_Checked::Exec(VMFrameStack*, VMOP const*, VMReturn*, int) /home/edward-san/zdoom/trunk/src/zscript/vmexec.h:496
    #7 0x10190eb in VMFrameStack::Call(VMFunction*, VMValue*, int, VMReturn*, int, VMException**) /home/edward-san/zdoom/trunk/src/zscript/vmframe.cpp:392
    #8 0x8f575f in FState::CallAction(AActor*, AActor*, FStateParamInfo*, FState**) /home/edward-san/zdoom/trunk/src/info.cpp:95
    #9 0xaa7e74 in DPSprite::SetState(FState*, bool) /home/edward-san/zdoom/trunk/src/p_pspr.cpp:339
    #10 0xab5d64 in DPSprite::Tick() /home/edward-san/zdoom/trunk/src/p_pspr.cpp:1438
    #11 0xab5954 in player_t::TickPSprites() /home/edward-san/zdoom/trunk/src/p_pspr.cpp:1392
    #12 0xb5952f in P_PlayerThink(player_t*) /home/edward-san/zdoom/trunk/src/p_user.cpp:2647
    #13 0xb23639 in P_Ticker() /home/edward-san/zdoom/trunk/src/p_tick.cpp:125
    #14 0x8baba5 in G_Ticker() /home/edward-san/zdoom/trunk/src/g_game.cpp:1201
    #15 0x84ecf1 in TryRunTics() /home/edward-san/zdoom/trunk/src/d_net.cpp:1945
    #16 0x83ae41 in D_DoomLoop() /home/edward-san/zdoom/trunk/src/d_main.cpp:1011
    #17 0x842043 in D_DoomMain() /home/edward-san/zdoom/trunk/src/d_main.cpp:2644
    #18 0x59ba05 in main /home/edward-san/zdoom/trunk/src/posix/sdl/i_main.cpp:317
    #19 0x7ffff3be782f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/edward-san/zdoom/trunk/src/g_shared/a_morph.cpp:256 P_UndoPlayerMorph(player_t*, player_t*, int, bool)
Shadow bytes around the buggy address:
  0x0c348003d950: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c348003d960: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c348003d970: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c348003d980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c348003d990: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c348003d9a0: 00 00 00 00 00 fa fa[fa]fa fa fa fa fa fa fa fa
  0x0c348003d9b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c348003d9c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c348003d9d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c348003d9e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c348003d9f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==1759==ABORTING

and this is gdb backtrace:

Spoiler:

Incidentally, I got another asan error when I just got the morphing item and then directly removed the powerup (no camera switch):

Spoiler:

Code: Select all

==1790==ERROR: AddressSanitizer: heap-use-after-free on address 0x61a00021bae4 at pc 0x000000fc6c58 bp 0x7fffffffbd20 sp 0x7fffffffbd10
READ of size 4 at 0x61a00021bae4 thread T0
    #0 0xfc6c57 in VMExec_Checked::Exec(VMFrameStack*, VMOP const*, VMReturn*, int) /home/edward-san/zdoom/trunk/src/zscript/vmexec.h:110
    #1 0x10190eb in VMFrameStack::Call(VMFunction*, VMValue*, int, VMReturn*, int, VMException**) /home/edward-san/zdoom/trunk/src/zscript/vmframe.cpp:392
    #2 0x8f57df in FState::CallAction(AActor*, AActor*, FStateParamInfo*, FState**) /home/edward-san/zdoom/trunk/src/info.cpp:101
    #3 0xaa7e74 in DPSprite::SetState(FState*, bool) /home/edward-san/zdoom/trunk/src/p_pspr.cpp:339
    #4 0xab5d64 in DPSprite::Tick() /home/edward-san/zdoom/trunk/src/p_pspr.cpp:1438
    #5 0xab5954 in player_t::TickPSprites() /home/edward-san/zdoom/trunk/src/p_pspr.cpp:1392
    #6 0xb5952f in P_PlayerThink(player_t*) /home/edward-san/zdoom/trunk/src/p_user.cpp:2647
    #7 0xb23639 in P_Ticker() /home/edward-san/zdoom/trunk/src/p_tick.cpp:125
    #8 0x8baba5 in G_Ticker() /home/edward-san/zdoom/trunk/src/g_game.cpp:1201
    #9 0x84ecf1 in TryRunTics() /home/edward-san/zdoom/trunk/src/d_net.cpp:1945
    #10 0x83ae41 in D_DoomLoop() /home/edward-san/zdoom/trunk/src/d_main.cpp:1011
    #11 0x842043 in D_DoomMain() /home/edward-san/zdoom/trunk/src/d_main.cpp:2644
    #12 0x59ba05 in main /home/edward-san/zdoom/trunk/src/posix/sdl/i_main.cpp:317
    #13 0x7ffff3be782f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #14 0x58cdf8 in _start (/home/edward-san/zdoom/trunk/debug_san/zdoom+0x58cdf8)

0x61a00021bae4 is located 100 bytes inside of 1344-byte region [0x61a00021ba80,0x61a00021bfc0)
freed by thread T0 here:
    #0 0x7ffff6f02961 in realloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98961)
    #1 0x901b14 in M_Realloc_Dbg(void*, unsigned long, char const*, int) /home/edward-san/zdoom/trunk/src/m_alloc.cpp:150
    #2 0xb6ad7a in TArray<FParseSymbol, FParseSymbol>::DoResize() /home/edward-san/zdoom/trunk/src/tarray.h:429
    #3 0xb6acd7 in TArray<FParseSymbol, FParseSymbol>::Grow(unsigned int) /home/edward-san/zdoom/trunk/src/tarray.h:353
    #4 0xb6a8a6 in TArray<FParseSymbol, FParseSymbol>::Push(FParseSymbol const&) /home/edward-san/zdoom/trunk/src/tarray.h:247
    #5 0xb67e65 in FParseContext::AddSym(char*, int) /home/edward-san/zdoom/trunk/src/parsecontext.cpp:54
    #6 0xf66c46 in yy_reduce /home/edward-san/zdoom/trunk/src/xlat/xlat_parser.y:82
    #7 0xf6a915 in XlatParse(void*, int, FParseToken, FParseContext*) /home/edward-san/zdoom/trunk/debug_san/src/xlat_parser.c:1805
    #8 0xb6a71e in FParseContext::ParseLump(char const*) /home/edward-san/zdoom/trunk/src/parsecontext.cpp:349
    #9 0xb6a683 in FParseContext::ParseLump(char const*) /home/edward-san/zdoom/trunk/src/parsecontext.cpp:345
    #10 0xb6a683 in FParseContext::ParseLump(char const*) /home/edward-san/zdoom/trunk/src/parsecontext.cpp:345
    #11 0xf6aeb2 in P_LoadTranslator(char const*) /home/edward-san/zdoom/trunk/src/xlat/parse_xlat.cpp:193
    #12 0xae2d4e in P_SetupLevel(char const*, int) /home/edward-san/zdoom/trunk/src/p_setup.cpp:3724
    #13 0x8cac9c in G_DoLoadLevel(int, bool) /home/edward-san/zdoom/trunk/src/g_level.cpp:972
    #14 0x8c8458 in G_InitNew(char const*, bool) /home/edward-san/zdoom/trunk/src/g_level.cpp:509
    #15 0x841ed5 in D_DoomMain() /home/edward-san/zdoom/trunk/src/d_main.cpp:2614
    #16 0x59ba05 in main /home/edward-san/zdoom/trunk/src/posix/sdl/i_main.cpp:317
    #17 0x7ffff3be782f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

previously allocated by thread T0 here:
    #0 0x7ffff6f02961 in realloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98961)
    #1 0x901b14 in M_Realloc_Dbg(void*, unsigned long, char const*, int) /home/edward-san/zdoom/trunk/src/m_alloc.cpp:150
    #2 0xb6ad7a in TArray<FParseSymbol, FParseSymbol>::DoResize() /home/edward-san/zdoom/trunk/src/tarray.h:429
    #3 0xb6acd7 in TArray<FParseSymbol, FParseSymbol>::Grow(unsigned int) /home/edward-san/zdoom/trunk/src/tarray.h:353
    #4 0xb6a8a6 in TArray<FParseSymbol, FParseSymbol>::Push(FParseSymbol const&) /home/edward-san/zdoom/trunk/src/tarray.h:247
    #5 0xb67e65 in FParseContext::AddSym(char*, int) /home/edward-san/zdoom/trunk/src/parsecontext.cpp:54
    #6 0xf66bde in yy_reduce /home/edward-san/zdoom/trunk/src/xlat/xlat_parser.y:77
    #7 0xf6a915 in XlatParse(void*, int, FParseToken, FParseContext*) /home/edward-san/zdoom/trunk/debug_san/src/xlat_parser.c:1805
    #8 0xb6a71e in FParseContext::ParseLump(char const*) /home/edward-san/zdoom/trunk/src/parsecontext.cpp:349
    #9 0xb6a683 in FParseContext::ParseLump(char const*) /home/edward-san/zdoom/trunk/src/parsecontext.cpp:345
    #10 0xb6a683 in FParseContext::ParseLump(char const*) /home/edward-san/zdoom/trunk/src/parsecontext.cpp:345
    #11 0xf6aeb2 in P_LoadTranslator(char const*) /home/edward-san/zdoom/trunk/src/xlat/parse_xlat.cpp:193
    #12 0xae2d4e in P_SetupLevel(char const*, int) /home/edward-san/zdoom/trunk/src/p_setup.cpp:3724
    #13 0x8cac9c in G_DoLoadLevel(int, bool) /home/edward-san/zdoom/trunk/src/g_level.cpp:972
    #14 0x8c8458 in G_InitNew(char const*, bool) /home/edward-san/zdoom/trunk/src/g_level.cpp:509
    #15 0x841ed5 in D_DoomMain() /home/edward-san/zdoom/trunk/src/d_main.cpp:2614
    #16 0x59ba05 in main /home/edward-san/zdoom/trunk/src/posix/sdl/i_main.cpp:317
    #17 0x7ffff3be782f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

SUMMARY: AddressSanitizer: heap-use-after-free /home/edward-san/zdoom/trunk/src/zscript/vmexec.h:110 VMExec_Checked::Exec(VMFrameStack*, VMOP const*, VMReturn*, int)
Shadow bytes around the buggy address:
  0x0c348003b700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c348003b710: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c348003b720: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c348003b730: 00 00 00 fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c348003b740: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c348003b750: fd fd fd fd fd fd fd fd fd fd fd fd[fd]fd fd fd
  0x0c348003b760: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c348003b770: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c348003b780: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c348003b790: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c348003b7a0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==1790==ABORTING

and this is the backtrace from gdb:

Spoiler:

Code: Select all

#2  0x0000000000fc6c58 in VMExec_Checked::Exec (
    stack=0x17aa860 <FState::CallAction(AActor*, AActor*, FStateParamInfo*, FState**)::stack>, pc=0x61d0001a9af8, ret=0x7fffffffc530, numret=1)
    at /home/edward-san/zdoom/trunk/src/zscript/vmexec.h:110
#3  0x00000000010190ec in VMFrameStack::Call (
    this=0x17aa860 <FState::CallAction(AActor*, AActor*, FStateParamInfo*, FState**)::stack>, func=0x60c00031cb40, params=0x7fffffffc570, numparams=3, 
    results=0x7fffffffc530, numresults=1, trap=0x0)
    at /home/edward-san/zdoom/trunk/src/zscript/vmframe.cpp:392
#4  0x00000000008f57e0 in FState::CallAction (this=0x6270000d9150, 
    self=0x61a00021b480, stateowner=0x61a00021b480, info=0x7fffffffc690, 
    stateret=0x7fffffffc650) at /home/edward-san/zdoom/trunk/src/info.cpp:101
#5  0x0000000000aa7e75 in DPSprite::SetState (this=0x60d000046660, 
    newstate=0x6270000d9150, pending=false)
    at /home/edward-san/zdoom/trunk/src/p_pspr.cpp:339
#6  0x0000000000ab5d65 in DPSprite::Tick (this=0x60d000046660)
    at /home/edward-san/zdoom/trunk/src/p_pspr.cpp:1438
#7  0x0000000000ab5955 in player_t::TickPSprites (this=0x17a4040 <players>)
    at /home/edward-san/zdoom/trunk/src/p_pspr.cpp:1392
---Type <return> to continue, or q <return> to quit---
#8  0x0000000000b59530 in P_PlayerThink (player=0x17a4040 <players>)
    at /home/edward-san/zdoom/trunk/src/p_user.cpp:2647
#9  0x0000000000b2363a in P_Ticker ()
    at /home/edward-san/zdoom/trunk/src/p_tick.cpp:125
#10 0x00000000008baba6 in G_Ticker ()
    at /home/edward-san/zdoom/trunk/src/g_game.cpp:1201
#11 0x000000000084ecf2 in TryRunTics ()
    at /home/edward-san/zdoom/trunk/src/d_net.cpp:1945
#12 0x000000000083ae42 in D_DoomLoop ()
    at /home/edward-san/zdoom/trunk/src/d_main.cpp:1011
#13 0x0000000000842044 in D_DoomMain ()
    at /home/edward-san/zdoom/trunk/src/d_main.cpp:2644
#14 0x000000000059ba06 in main (argc=11, argv=0x7fffffffde58)
    at /home/edward-san/zdoom/trunk/src/posix/sdl/i_main.cpp:317

with these messages from the log before the crash:

Code: Select all

user_lastHP is not a user variable in class DoomPlayer
user_camang is not a user variable in class DoomPlayer
user_dirget is not a user variable in class DoomPlayer
user_dirforward is not a user variable in class DoomPlayer
user_dirside is not a user variable in class DoomPlayer

I wonder what's going on...

Posted: **Mon Aug 15, 2016 3:35 pm**

Try the new test.pk3.

Now, if you're wondering, overlays are not cleared when unmorphing. Something I told Leonard about but he said they'll be fixed when Actor Overlays are implemented, he said. But as you can see from the new test.pk3, there's no overlays at all.

Posted: **Mon Aug 15, 2016 4:00 pm**

urgh please use a different name to the wad instead of the repetitive 'test'. Anyways, I see no change either in gdb and asan output.

Posted: **Sun Aug 21, 2016 7:21 am**

Meh.

Anyway, anything else I can try to do for this? Or is this something randi has to look into?

Posted: **Sun Aug 21, 2016 1:28 pm**

Can you add a test wad which does just morph and unmorph? In a post above, I mentioned a problem with those steps and would like to check it again.

Posted: **Thu Aug 25, 2016 12:34 pm**

Okay, first post updated. User variables removed.

Posted: **Wed Aug 31, 2016 2:35 pm**

It seems that this line in decorate.txt:

Code: Select all

			A_SpawnItemEx("ChaseCam",-10,0,32,0,0,0,0,SXF_NOCHECKPOSITION|SXF_SETMASTER|SXF_ISTRACER,0,32700);

makes sure that the morphed actor's tracer, which points to the actor before morphing, is overridden with the camera:

Code: Select all

	if (flags & SIXF_ISTRACER)
	{
		self->tracer = mo;
	}

from InitSpawnedItem, called by A_SpawnItemEx.

The old actor's information is lost, making the program crash when attempting to unmorph, because it's trying to get the player's info from invalid actor.

In order to fix this, I suspect the old actor pointer should be stored in a different place than the 'tracer'. Graf?

Posted: **Wed Aug 31, 2016 2:44 pm**

I tested it again just to make sure:

Code: Select all

	Spawn:
		PLAY A 95 NoDelay
		{
			SetPlayerProperty(0,1,PROP_TOTALLYFROZEN);
			A_PrintBold("Camera On");
			A_SpawnItemEx("ChaseCam",-10,0,32,0,0,0,0,SXF_NOCHECKPOSITION|SXF_SETMASTER|SXF_ISTRACER,0,32700);
			ChangeCamera(32700,0,0);
		}
		PLAY A 0
		{
			A_RemoveChildren(true,RMVF_EVERYTHING,"ChaseCam");
		}

This doesn't crash, backing up Edward's words possibly.

Posted: **Wed Aug 31, 2016 2:49 pm**

Edward-san wrote: In order to fix this, I suspect the old actor pointer should be stored in a different place than the 'tracer'. Graf?

Correct. Since it's no longer safe to use tracer for this, a different variable is needed.

Posted: **Wed Aug 31, 2016 2:53 pm**

I hope there's nothing which (ab)used the morphed tracer data...

ZDoom

[Fix inside]Camera + Morph = Crash

[Fix inside]Camera + Morph = Crash

Re: Odd unmorph crashing bug

Re: Camera + Morph = Crash

Re: Camera + Morph = Crash

Re: Camera + Morph = Crash

Re: Camera + Morph = Crash

Re: Camera + Morph = Crash

Re: Camera + Morph = Crash

Re: Camera + Morph = Crash

Re: Camera + Morph = Crash

Re: Camera + Morph = Crash

Re: Camera + Morph = Crash

Re: Camera + Morph = Crash

Re: Camera + Morph = Crash

Re: Camera + Morph = Crash