AgonConsole8 / agon-vdp

Official Firmware for the Agon Console8: ESP32 VDP
MIT License

Calling a buffer with an incomplete command in it crashes the VDP #241

Open jblang opened 1 month ago

jblang commented 1 month ago

Calling a buffer with an incomplete command in it crashes the VDP.

You can reproduce this using the following BBCBASIC program:

10 VDU 23, 0, &A0, 0; 2 : REM Clear Buffer 0
20 VDU 23, 0, &A0, 0; 0, 8; : REM Write 8 bytes to buffer 0
30 VDU 23, 0, &A0, 1; 72, &11, 2 : REM Contents to send to buffer 0 (incomplete expand bitmap command)
40 VDU 23, 0, &A0, 0; 1 : REM Call the buffer with the incomplete command

On line 30, I sent an incomplete bitmap expand sequence as the contents of buffer 0. I suspect this will happen with any incomplete command, but I haven't confirmed that.

The VDP debug output is as follows:

bufferClear: buffer 0
bufferClear: buffer 0 not found
PSRAM Array Request for 40 bytes
PSRAM Array Request for 8 bytes
bufferWrite: storing stream into buffer 0, length 8
bufferWrite: stored stream in buffer 0, length 8, 1 streams stored
bufferCall: buffer 0
PSRAM Array Request for 44 bytes
Guru Meditation Error: Core  0 panic'ed (LoadProhibited). Exception was unhandled.

Core  0 register dump:
PC      : 0x400d29b1  PS      : 0x00060730  A0      : 0x800d6499  A1      : 0x3ffdd960
A2      : 0x00000000  A3      : 0x4015c594  A4      : 0x00000008  A5      : 0x00000001
A6      : 0x007b833c  A7      : 0x003fffff  A8      : 0x00000001  A9      : 0x3ffddf20
A10     : 0x00000000  A11     : 0x00000008  A12     : 0x00000008  A13     : 0x00000001
A14     : 0x00060523  A15     : 0x00000001  SAR     : 0x00000018  EXCCAUSE: 0x0000001c
EXCVADDR: 0x00000000  LBEG    : 0x4009128d  LEND    : 0x4009129d  LCOUNT  : 0xfffffff7

Backtrace: 0x400d29ae:0x3ffdd960 0x400d6496:0x3ffdd980 0x40082062:0x3ffdd9a0 0x400e90d2:0x3ffdd9f0 0x400e97c2:0x3ffdda20 0x400e9c06:0x3ffdda50 0x400e9c72:0x3ffdda70 0x400e9e4d:0x3ffdda90 0x400820ae:0x3ffddae0 0x400e90d2:0x3ffddb30 0x400e97c2:0x3ffddb60 0x400e9c06:0x3ffddb90 0x400ea27e:0x3ffddbb0 0x400eb0fe:0x3ffddbd0

I'm not completely sure but this may only happen if the buffer ends in the middle of a word parameter. E.g., in my example, I have ended the buffer after providing only the first byte of a two byte buffer ID.

stevesims commented 1 month ago

this bug was caused by a missing check for the buffer block - which resulted in attempting to call read on a nullptr

a PR with a fix will come soon™
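As an added illustration of the two points raised above (a stream that stops in the middle of a word parameter, and a call attempted on a missing buffer block), here is a bounded reader that reports both conditions instead of reading a nullptr or past the end of the data. This is example code written for this page, not agon-vdp's own reader; the command layout it parses (one command byte followed by a little-endian word buffer ID) is assumed for the demo.

```cpp
#include <cstdint>
#include <cstddef>

// Illustrative stand-in for one stored stream of a VDP buffer (assumed layout).
struct BufferStream {
    const uint8_t *data;
    size_t length;
};

enum class CallResult { Ok, MissingBlock, Truncated };
struct CallOutcome { CallResult result; uint16_t bufferId; };

// Bounded reader: every read says whether the bytes were actually present,
// so a stream that ends mid-parameter can never be read past its end.
class StreamReader {
public:
    explicit StreamReader(const BufferStream *block) : block_(block), pos_(0) {}
    bool readByte(uint8_t &out) {
        if (block_ == nullptr || block_->data == nullptr || pos_ >= block_->length) return false;
        out = block_->data[pos_++];
        return true;
    }
    // Little-endian word parameter (the "id;" form in a BBC BASIC VDU statement).
    bool readWord(uint16_t &out) {
        uint8_t lo, hi;
        if (!readByte(lo) || !readByte(hi)) return false;  // fails when only the low byte exists
        out = static_cast<uint16_t>(lo | (hi << 8));
        return true;
    }
private:
    const BufferStream *block_;
    size_t pos_;
};

// Assumed command shape for the demo: command byte, then a word buffer ID.
// A null block is rejected up front (the missing check described in the fix).
CallOutcome callBuffer(const uint8_t *bytes, size_t len) {
    CallOutcome out{CallResult::MissingBlock, 0};
    if (bytes == nullptr) return out;
    BufferStream block{bytes, len};
    StreamReader r(&block);
    uint8_t cmd;
    out.result = CallResult::Truncated;
    if (!r.readByte(cmd) || !r.readWord(out.bufferId)) return out;
    out.result = CallResult::Ok;
    return out;
}

// Constructed samples: a complete command, and the same command cut off after
// the first byte of its two-byte buffer ID.
const uint8_t kCompleteStream[]  = {0x48, 0x11, 0x02};
const uint8_t kTruncatedStream[] = {0x48, 0x11};
```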