Client crash in calc_bbox() bbox_tree.c on map change

[bluap]

I've not had any client crashes for, well, a long time but had two tonight in quick succession. Both on map changes. I had enabled labrat's custom clothing server for the first time ever to see what all the discussion was about. I'm not saying it was anything to do with that but after restarting without using labrat's server, I had no further crashes.

 

Here's the gdb stack trace, obviously, the null pointer reference is the cause of the crash but I would need to investigate much more to understand exactly where that came from. Anyone who knows that code better have any thoughts?

 

(gdb) bt full
#0  0xb76c4896 in memcpy () from /lib/tls/i686/cmov/libc.so.6
No symbol table info available.
#1  0xbfd6fb10 in ?? ()
No symbol table info available.
#2  0x0806da50 in calc_bbox (bbox=0x0, bbox_tree=0xa138f00, first=0, 
last=36931) at bbox_tree.c:706
i = 36931
bmin = {-728.901367, -734.473206, -900.545654}
bmax = {1213.45813, 1117.01855, 906.545654}
#3  0x0806d4a9 in sort_and_split (bbox_tree=0xa138f00, node=0, 
index=0xbfd6f930, first=0, last=36931) at bbox_tree.c:765
size = 36931
i = 36930
j = 0
axis = {0, 1, 2}
best_loc = 84
area_left = (float *) 0xbfb412a8
area_right = (float *) 0xbfb653b8
best_index = 8.4182578e+11
new_index = 2.39999736e+14
#4  0x0806d267 in init_bbox_tree (bbox_tree=0xa138f00, bbox_items=0x9fe00500)
at bbox_tree.c:812
size = 36931
index = 1
#5  0x080c1890 in load_map (file_name=0xbfd71d9c "./maps/map2.elm", 
update_function=0x80d48dd <updat_func>) at io/map_io.c:460
i = 26
cur_tile = 7
j = 128
bbox = {bbmin = {381, 381, 0}, bbmax = {584, 584, 0}}
cur_map_header = {file_sig = "elmf", tile_map_x_len = 128, 
 tile_map_y_len = 128, tile_map_offset = 124, height_map_offset = 16508, 
 obj_3d_struct_len = 144, obj_3d_no = 12069, obj_3d_offset = 606332, 
 obj_2d_struct_len = 128, obj_2d_no = 8630, obj_2d_offset = 2344268, 
 lights_struct_len = 40, lights_no = 55, lights_offset = 3448908, 
 dungeon = 0 '\0', res_2 = 1 '\001', res_3 = 0 '\0', res_4 = 0 '\0', 
 ambient_r = 0, ambient_g = 0, ambient_b = 0, particles_struct_len = 104, 
 particles_no = 26, particles_offset = 3451108, clusters_offset = 3453812, 
 version_number = 0, terrain_offset = 0, reserved_11 = 0, reserved_12 = 0, 
 reserved_13 = 0, reserved_14 = 0, reserved_15 = 0, reserved_16 = 0, 
 reserved_17 = 0}
file_size = 4633460
file_mem = 0x97ab008 <Address 0x97ab008 out of bounds>
occupied = 0x0
have_clusters = 1
objs_3d = (object3d_io *) 0x983f084
objs_2d = (obj_2d_io *) 0x99e7554
lights = (light_io *) 0x9af5054
particles = (particles_io *) 0x9af58ec
f = (el_file_ptr) 0x9fe00500
#6  0x080d491b in el_load_map (file_name=0xbfd71d9c "./maps/map2.elm")
at map.c:197
ret = 2
#7  0x080d4af7 in change_map (mapname=0xbfd71d9c "./maps/map2.elm")
at map.c:255
No locals.
#8  0x080df2f2 in process_message_from_server (in_data=0x9fe004e8 "\a\021", 
data_length=19) at multiplayer.c:820
mapname = "./maps/map2.elm\000\000\000\000\000\b\ufffd|\ufffd\b\ufffd|\ufffdX\204\ufffd\t\ufffd[\234\ufffd\000\ufffd\206\ufffd\000\000\000\000\000\000\000\000\001\000\000\000Q\ufffdk\ufffd\000\000\000\000X\204\ufffd\tQ\ufffdp\ufffd\220~\v\ufffd", '\0' <repeats 12 times>, "\b\ufffd|\ufffd\ufffdu\ufffd\t\000\ufffd\206\ufffdX\ufffd\221\ufffd\001\000\000\000\001\000\000\000\ufffd\035\210\ufffd'\ufffd\233\ufffd\ufffd\035\210\ufffd0\000\000\000M\000\000\000\ufffd\226q\ufffd\001\ufffd\ufffd\017\000\000\000\000\001\002\ufffd\ufffd\000\000\000\000\000\000\020\000d\ufffd|\ufffd\177\017\177\003Q\ufffdp\ufffd\220~\v\ufffd\000\ufffd\206\ufffd\000\ufffd\206\ufffd\000\000\000\000\b\ufffd|\ufffd\ufffdh\ufffd\t\000\ufffd\206\ufffdX\ufffd\221\ufffd\001\000\000\000\001\000"...
text_buf = "\177You stopped harvesting.\000oaded.\000> pm me\000who lost 10 health\000uoises or trade other stuff like rosto, iron, silver etc. too (offer), small amounts/orders welcome! Pm me pls.\000, so the UV rays and the sola"...
#9  0x080d2970 in start_rendering () at main.c:166
message = (message_t *) 0x9fe00660
event = {type = 24 '\030', active = {type = 24 '\030', gain = 228 '\ufffd', 
state = 115 's'}, key = {type = 24 '\030', which = 228 '\ufffd', 
state = 115 's', keysym = {scancode = 1 '\001', sym = 3085991924, 
  mod = 2737947336, unicode = 47873}}, motion = {type = 24 '\030', 
which = 228 '\ufffd', state = 115 's', x = 1, y = 0, xrel = 32756, 
yrel = -18448}, button = {type = 24 '\030', which = 228 '\ufffd', 
button = 115 's', state = 183 '\ufffd', x = 1, y = 0}, jaxis = {
type = 24 '\030', which = 228 '\ufffd', axis = 115 's', value = 1}, jball = {
type = 24 '\030', which = 228 '\ufffd', ball = 115 's', xrel = 1, yrel = 0}, 
 jhat = {type = 24 '\030', which = 228 '\ufffd', hat = 115 's', value = 183 '\ufffd'}, 
 jbutton = {type = 24 '\030', which = 228 '\ufffd', button = 115 's', 
state = 183 '\ufffd'}, resize = {type = 24 '\030', w = 1, h = -1208975372}, 
 expose = {type = 24 '\030'}, quit = {type = 24 '\030'}, user = {
type = 24 '\030', code = 1, data1 = 0xb7f07ff4, data2 = 0xa331c2c8}, 
 syswm = {type = 24 '\030', msg = 0x1}}
network_thread = (SDL_Thread *) 0xf70acd8
message_queue = (queue_t *) 0xf6c75b0
done = 0
network_thread_data = {0xf6c75b0, 0x84364e0}
last_frame_and_command_update = 1219059
#10 0x080d2e85 in main (argc=1, argv=0xbfd722a4) at main.c:344
No locals.