From 05577376d95da42fe8cf3bb465ec4c628edb4ad7 Mon Sep 17 00:00:00 2001
From: tma
Date: Mon, 19 Oct 2009 23:01:00 +0000
Subject: * (bug #4249) Fix buffer overflow in x86 VM
git-svn-id: svn://svn.icculus.org/quake3/trunk@1687 edf5b092-35ff-0310-97b2-ce42778d08ea
---
 code/qcommon/vm_x86.c | 48 +++++++++++++++++++++++++++++------------------
 1 file changed, 29 insertions(+), 19 deletions(-)
diff --git a/code/qcommon/vm_x86.c b/code/qcommon/vm_x86.c
index 3dccd3f..00b5f54 100644
--- a/code/qcommon/vm_x86.c
+++ b/code/qcommon/vm_x86.c
@@ -405,6 +405,15 @@ qboolean EmitMovEBXEDI(vm_t *vm, int andit) {
 return qfalse;
 }
+#define JUSED(x) \
+ do { \
+ if (x < 0 || x >= jusedSize) { \
+ Com_Error( ERR_DROP, \
+ "VM_CompileX86: jump target out of range at offset %d", pc ); \
+ } \
+ jused[x] = 1; \
+ } while(0)
+
 /*
 =================
 VM_Compile
@@ -416,13 +425,14 @@ void VM_Compile( vm_t *vm, vmHeader_t *header ) {
 int v;
 int i;
 qboolean opt;
+ int jusedSize = header->instructionCount + 2;
 // allocate a very large temp buffer, we will shrink it later
 maxLength = header->codeLength * 8;
 buf = Z_Malloc( maxLength );
- jused = Z_Malloc(header->instructionCount + 2 );
+ jused = Z_Malloc(jusedSize);
- Com_Memset(jused, 0, header->instructionCount+2);
+ Com_Memset(jused, 0, jusedSize);
 // ensure that the optimisation pass knows about all the jump
 // table targets
@@ -563,7 +573,7 @@ void VM_Compile( vm_t *vm, vmHeader_t *header ) {
 lastConst = Constant4();
 Emit4( lastConst );
 if (code[pc] == OP_JUMP) {
- jused[lastConst] = 1;
+ JUSED(lastConst);
 }
 break;
 case OP_LOCAL:
@@ -729,7 +739,7 @@ void VM_Compile( vm_t *vm, vmHeader_t *header ) {
 EmitString( "75 06" ); // jne +6
 EmitString( "FF 25" ); // jmp [0x12345678]
 v = Constant4();
- jused[v] = 1;
+ JUSED(v);
 Emit4( (int)vm->instructionPointers + v*4 );
 break;
 case OP_NE:
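Review bot: The JUSED macro added in the -405 hunk does not parenthesize its argument, so `x < 0 || x >= jusedSize` and `jused[x] = 1` would misbehave for any future call that passes an expression; it should read `if ((x) < 0 || (x) >= jusedSize) {` and `jused[(x)] = 1;`. Every call site in this patch passes a plain variable, so today this is a point of style rather than a live defect. The macro also relies on `jused`, `jusedSize` and `pc` being in scope, and jusedSize is a local of VM_Compile declared in the -416 hunk, so a comment above the define such as `/* only valid inside VM_Compile, after jusedSize is initialised */` would stop it being reused elsewhere. The accepted range is the size of the jused allocation (instructionCount + 2), so targets equal to instructionCount and instructionCount + 1 pass the check; whether those indices are valid for the `(int)vm->instructionPointers + v*4` address emitted in the later hunks is not visible in this diff and is worth confirming. The remaining hunks (-563 through -891) only replace the raw store with JUSED and need no separate note.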
@@ -739,7 +749,7 @@ void VM_Compile( vm_t *vm, vmHeader_t *header ) {
 EmitString( "74 06" ); // je +6
 EmitString( "FF 25" ); // jmp [0x12345678]
 v = Constant4();
- jused[v] = 1;
+ JUSED(v);
 Emit4( (int)vm->instructionPointers + v*4 );
 break;
 case OP_LTI:
@@ -749,7 +759,7 @@ void VM_Compile( vm_t *vm, vmHeader_t *header ) {
 EmitString( "7D 06" ); // jnl +6
 EmitString( "FF 25" ); // jmp [0x12345678]
 v = Constant4();
- jused[v] = 1;
+ JUSED(v);
 Emit4( (int)vm->instructionPointers + v*4 );
 break;
 case OP_LEI:
@@ -759,7 +769,7 @@ void VM_Compile( vm_t *vm, vmHeader_t *header ) {
 EmitString( "7F 06" ); // jnle +6
 EmitString( "FF 25" ); // jmp [0x12345678]
 v = Constant4();
- jused[v] = 1;
+ JUSED(v);
 Emit4( (int)vm->instructionPointers + v*4 );
 break;
 case OP_GTI:
@@ -769,7 +779,7 @@ void VM_Compile( vm_t *vm, vmHeader_t *header ) {
 EmitString( "7E 06" ); // jng +6
 EmitString( "FF 25" ); // jmp [0x12345678]
 v = Constant4();
- jused[v] = 1;
+ JUSED(v);
 Emit4( (int)vm->instructionPointers + v*4 );
 break;
 case OP_GEI:
@@ -779,7 +789,7 @@ void VM_Compile( vm_t *vm, vmHeader_t *header ) {
 EmitString( "7C 06" ); // jnge +6
 EmitString( "FF 25" ); // jmp [0x12345678]
 v = Constant4();
- jused[v] = 1;
+ JUSED(v);
 Emit4( (int)vm->instructionPointers + v*4 );
 break;
 case OP_LTU:
@@ -789,7 +799,7 @@ void VM_Compile( vm_t *vm, vmHeader_t *header ) {
 EmitString( "73 06" ); // jnb +6
 EmitString( "FF 25" ); // jmp [0x12345678]
 v = Constant4();
- jused[v] = 1;
+ JUSED(v);
 Emit4( (int)vm->instructionPointers + v*4 );
 break;
 case OP_LEU:
@@ -799,7 +809,7 @@ void VM_Compile( vm_t *vm, vmHeader_t *header ) {
 EmitString( "77 06" ); // jnbe +6
 EmitString( "FF 25" ); // jmp [0x12345678]
 v = Constant4();
- jused[v] = 1;
+ JUSED(v);
 Emit4( (int)vm->instructionPointers + v*4 );
 break;
 case OP_GTU:
@@ -809,7 +819,7 @@ void VM_Compile( vm_t *vm, vmHeader_t *header ) {
 EmitString( "76 06" ); // jna +6
 EmitString( "FF 25" ); // jmp [0x12345678]
 v = Constant4();
- jused[v] = 1;
+ JUSED(v);
 Emit4( (int)vm->instructionPointers + v*4 );
 break;
 case OP_GEU:
@@ -819,7 +829,7 @@ void VM_Compile( vm_t *vm, vmHeader_t *header ) {
 EmitString( "72 06" ); // jnae +6
 EmitString( "FF 25" ); // jmp [0x12345678]
 v = Constant4();
- jused[v] = 1;
+ JUSED(v);
 Emit4( (int)vm->instructionPointers + v*4 );
 break;
 case OP_EQF:
@@ -831,7 +841,7 @@ void VM_Compile( vm_t *vm, vmHeader_t *header ) {
 EmitString( "74 06" ); // je +6
 EmitString( "FF 25" ); // jmp [0x12345678]
 v = Constant4();
- jused[v] = 1;
+ JUSED(v);
 Emit4( (int)vm->instructionPointers + v*4 );
 break;
 case OP_NEF:
@@ -843,7 +853,7 @@ void VM_Compile( vm_t *vm, vmHeader_t *header ) {
 EmitString( "75 06" ); // jne +6
 EmitString( "FF 25" ); // jmp [0x12345678]
 v = Constant4();
- jused[v] = 1;
+ JUSED(v);
 Emit4( (int)vm->instructionPointers + v*4 );
 break;
 case OP_LTF:
@@ -855,7 +865,7 @@ void VM_Compile( vm_t *vm, vmHeader_t *header ) {
 EmitString( "74 06" ); // je +6
 EmitString( "FF 25" ); // jmp [0x12345678]
 v = Constant4();
- jused[v] = 1;
+ JUSED(v);
 Emit4( (int)vm->instructionPointers + v*4 );
 break;
 case OP_LEF:
@@ -867,7 +877,7 @@ void VM_Compile( vm_t *vm, vmHeader_t *header ) {
 EmitString( "74 06" ); // je +6
 EmitString( "FF 25" ); // jmp [0x12345678]
 v = Constant4();
- jused[v] = 1;
+ JUSED(v);
 Emit4( (int)vm->instructionPointers + v*4 );
 break;
 case OP_GTF:
@@ -879,7 +889,7 @@ void VM_Compile( vm_t *vm, vmHeader_t *header ) {
 EmitString( "75 06" ); // jne +6
 EmitString( "FF 25" ); // jmp [0x12345678]
 v = Constant4();
- jused[v] = 1;
+ JUSED(v);
 Emit4( (int)vm->instructionPointers + v*4 );
 break;
 case OP_GEF:
@@ -891,7 +901,7 @@ void VM_Compile( vm_t *vm, vmHeader_t *header ) {
 EmitString( "75 06" ); // jne +6
 EmitString( "FF 25" ); // jmp [0x12345678]
 v = Constant4();
- jused[v] = 1;
+ JUSED(v);
 Emit4( (int)vm->instructionPointers + v*4 );
 break;
 case OP_NEGI:
--
cgit v1.2.3