Possible NULL deref in pokemon emerald

[michelhe]

When logging invalid memory writes I noticed pokemon emerald tries to read from a NULL pointer during the fade out animation in the naming screen (right after the players confirm their name)

The problematic function is called GetTextCaretPosition, and this is the instruction that loads the global pointer gNamingScreenData

080e4a46 04 68           ldr        r4,[r0,#0x0]=>gNamingScreenData                  = ??

gNamingScreenData is set to NULL when waiting for the fade to finish in the following function

static bool8 MainState_WaitFadeOutAndExit(void)
{
    if (!gPaletteFade.active)
    {
        if (gNamingScreenData->templateNum == NAMING_SCREEN_PLAYER)
            SeedRngAndSetTrainerId();
        SetMainCallback2(gNamingScreenData->returnCallback);
        DestroyTask(FindTaskIdByFunc(sub_80E31B0));
        FreeAllWindowBuffers();
        FREE_AND_SET_NULL(gNamingScreenData);
    }
    return FALSE;
}

But for some reason GetTextCaretPosition still gets called every frame causing this NULL deref.

Possibly a real bug in the game itself?

[michelhe]

Confirmed this bug with no$gba
It happens just as the screen is about to be swapped.
As you can see, R4 is NULL and was used to calculate R1.

This causes a read into the bios address space, which returns the last executed bios opcode as documented in GBATEK. (See R1 in the above image, this is a LDR PC, [LR,#-2]
My emulator does not emulate this behavior but it does not matter for the scope of this bug.