RTC-3057 - Some sounds do not play

Post by **Player701** » Fri Dec 04, 2020 2:36 am

This bug is ancient.The last version where it's not present is 1.5.06. It's been present in all versions starting from 1.6.0. It may or may not be related to this bug, although from the looks of it this appears to be a completely separate issue.

Some of the sounds in RTC-3057 do not play while in-game. This is not an audio/music bug because the playsound console command can play these sounds just fine. An example of the sound that doesn't play: MDTTHCBO (it's both the lump name and the logical name). To reproduce, use the following command-line parameters:

Code: Select all

gzdoom -iwad doom2 -file 3057hub1.wad -nomonsters -warp 3 +"warp -1192 541"

Use the recess in the wall in front of you. In GZDoom 1.5.06 and below, you will hear a voice saying that doors to the hangar cannot be operated. In GZDoom 1.6.0 and above, you will not hear anything at all. But issue the console command "playsound MDTTHCBO", and you will hear it. There's something strange going on here.

Post by **Player701** » Fri Dec 04, 2020 8:52 am

This is extremely weird, and definitely not the same as the music bug. It could be a bug in the ACS VM.

In the above test case, the value returned by FBehavior::LookupString is "tthcbo", while the correct value should be "mdtthcbo". The string "tthcbo" without the "md" prefix is not present anywhere in the WAD.

Upd: jspenguin's listacs v0.4 lists the correct value of "mdtthcbo" in the string table of the BEHAVIOR lump for MAP03, so this is almost surely a GZDoom bug.

Post by **Player701** » Fri Dec 04, 2020 10:16 am

OK, so I've investigated this a little further, and the problem is in the strbin function, which is called from FBehavior::UnescapeStringTable.

Some of the strings in this PWAD's BEHAVIOR lumps end with a backslash. This causes strbin to treat the following null character not as the string terminator but as part of an escape sequence. As a result, it corrupts the data that follows, which in this case is the next string in the table. If it happens to be the name of a sound, it gets invalidated, and the proper sound no longer plays.

Here's an example consisting of a part of the real data before and after calling strbin. Non-printable characters are represented with the ^ symbol:

Code: Select all

Doors to the hangar can not be operated while hangar doors open!\n\^mdtthcbo^
Doors to the hangar can not be operated while hangar doors open!^^mdttdcbo^o^

Because the indices in the string table do not change, "mdtthcbo" becomes "tthcbo", while the previous string is not affected at all. To fix this, strbin needs to know where the string actually ends (we do know where the next one starts, so we surely do have this information... right?). It is notable that there doesn't seem to be an UnescapeStringTable method in older source archives. Instead, strbin is called directly from the VM code before printing the string to the screen. It is not used anywhere else. Since the data is not modified in-place, the bug does not occur, though it is quite likely that a buffer overflow occurs instead.

Post by **Graf Zahl** » Fri Dec 04, 2020 10:25 am

strbin was one of the lousiest hacks ever done, because it is destructive and made the bogus assumption that the resulting string is always shorter than the source version. This better use strbin1 which prints to an external buffer.

Post by **Graf Zahl** » Fri Dec 11, 2020 4:22 am

fixed.

Post by **Player701** » Fri Dec 11, 2020 5:37 am

Thanks a lot!

ZDoom