authortma <tma@edf5b092-35ff-0310-97b2-ce42778d08ea>2009-10-19 23:01:00 +0000
committertma <tma@edf5b092-35ff-0310-97b2-ce42778d08ea>2009-10-19 23:01:00 +0000
commit05577376d95da42fe8cf3bb465ec4c628edb4ad7 (patch)
treec379290c4dfbd123455774bd560935dfe936a433 /code
parent473debef0e5c4229d9fdd5a7418e6e9bd7cdd51c (diff)
* (bug #4249) Fix buffer overflow in x86 VM
git-svn-id: svn://svn.icculus.org/quake3/trunk@1687 edf5b092-35ff-0310-97b2-ce42778d08ea
Diffstat (limited to 'code')
-rw-r--r--code/qcommon/vm_x86.c48
1 files changed, 29 insertions, 19 deletions
diff --git a/code/qcommon/vm_x86.c b/code/qcommon/vm_x86.c
index 3dccd3f..00b5f54 100644
--- a/code/qcommon/vm_x86.c
+++ b/code/qcommon/vm_x86.c
@@ -405,6 +405,15 @@ qboolean EmitMovEBXEDI(vm_t *vm, int andit) {
return qfalse;
}
+#define JUSED(x) \
+ do { \
+ if (x < 0 || x >= jusedSize) { \
+ Com_Error( ERR_DROP, \
+ "VM_CompileX86: jump target out of range at offset %d", pc ); \
+ } \
+ jused[x] = 1; \
+ } while(0)
+
/*
=================
VM_Compile
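Review bot: The macro argument is used unparenthesized in the range test and in the index (`x < 0 || x >= jusedSize`, `jused[x] = 1`), and the body reads `jusedSize`, `jused` and `pc` as free identifiers, so JUSED is only usable inside VM_Compile and only with a plain-identifier argument; `if ((x) < 0 || (x) >= jusedSize) {` and `jused[(x)] = 1;` would make it safe for any expression. The argument is also evaluated up to three times, harmless for the identifiers passed in this commit but easy to trip over later. A comment above the define such as `/* Only valid inside VM_Compile: relies on the locals jused, jusedSize and pc; evaluates x more than once. */` would record that coupling for the next reader.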
@@ -416,13 +425,14 @@ void VM_Compile( vm_t *vm, vmHeader_t *header ) {
int v;
int i;
qboolean opt;
+ int jusedSize = header->instructionCount + 2;
// allocate a very large temp buffer, we will shrink it later
maxLength = header->codeLength * 8;
buf = Z_Malloc( maxLength );
- jused = Z_Malloc(header->instructionCount + 2 );
+ jused = Z_Malloc(jusedSize);
- Com_Memset(jused, 0, header->instructionCount+2);
+ Com_Memset(jused, 0, jusedSize);
// ensure that the optimisation pass knows about all the jump
// table targets
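Review bot: `int jusedSize = header->instructionCount + 2;` is computed without any check on instructionCount in this function; if the loader has already rejected a negative or oversized count before VM_Compile runs (not visible in this diff) that is fine, otherwise a bad header value reaches Z_Malloc and the new bound test with a negative or wrapped size. A comment on that line, `// instructionCount is range-checked by the loader before compilation`, or an explicit `if (jusedSize <= 0) Com_Error(ERR_DROP, "VM_CompileX86: bad instruction count");` would make the assumption explicit. VM_Compile begins and ends outside the hunk.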
@@ -563,7 +573,7 @@ void VM_Compile( vm_t *vm, vmHeader_t *header ) {
lastConst = Constant4();
Emit4( lastConst );
if (code[pc] == OP_JUMP) {
- jused[lastConst] = 1;
+ JUSED(lastConst);
}
break;
case OP_LOCAL:
@@ -729,7 +739,7 @@ void VM_Compile( vm_t *vm, vmHeader_t *header ) {
EmitString( "75 06" ); // jne +6
EmitString( "FF 25" ); // jmp [0x12345678]
v = Constant4();
- jused[v] = 1;
+ JUSED(v);
Emit4( (int)vm->instructionPointers + v*4 );
break;
case OP_NE:
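Review bot: The new check bounds `v` by jusedSize, which is instructionCount + 2, but the following line indexes `vm->instructionPointers` with `v*4`; if that table holds only instructionCount entries (its allocation is outside this diff), the values instructionCount and instructionCount + 1 still pass JUSED and emit a jump through a slot just past the table. If that is the case the macro's test should use the instruction count itself, `if ((x) < 0 || (x) >= header->instructionCount)`, rather than the padded jused size, or this site should check the tighter bound before the Emit4. The same pattern is repeated in the OP_NE through OP_GEF hunks that follow (L70–L204) and is covered by this one note. VM_Compile begins and ends outside the hunk.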
@@ -739,7 +749,7 @@ void VM_Compile( vm_t *vm, vmHeader_t *header ) {
EmitString( "74 06" ); // je +6
EmitString( "FF 25" ); // jmp [0x12345678]
v = Constant4();
- jused[v] = 1;
+ JUSED(v);
Emit4( (int)vm->instructionPointers + v*4 );
break;
case OP_LTI:
@@ -749,7 +759,7 @@ void VM_Compile( vm_t *vm, vmHeader_t *header ) {
EmitString( "7D 06" ); // jnl +6
EmitString( "FF 25" ); // jmp [0x12345678]
v = Constant4();
- jused[v] = 1;
+ JUSED(v);
Emit4( (int)vm->instructionPointers + v*4 );
break;
case OP_LEI:
@@ -759,7 +769,7 @@ void VM_Compile( vm_t *vm, vmHeader_t *header ) {
EmitString( "7F 06" ); // jnle +6
EmitString( "FF 25" ); // jmp [0x12345678]
v = Constant4();
- jused[v] = 1;
+ JUSED(v);
Emit4( (int)vm->instructionPointers + v*4 );
break;
case OP_GTI:
@@ -769,7 +779,7 @@ void VM_Compile( vm_t *vm, vmHeader_t *header ) {
EmitString( "7E 06" ); // jng +6
EmitString( "FF 25" ); // jmp [0x12345678]
v = Constant4();
- jused[v] = 1;
+ JUSED(v);
Emit4( (int)vm->instructionPointers + v*4 );
break;
case OP_GEI:
@@ -779,7 +789,7 @@ void VM_Compile( vm_t *vm, vmHeader_t *header ) {
EmitString( "7C 06" ); // jnge +6
EmitString( "FF 25" ); // jmp [0x12345678]
v = Constant4();
- jused[v] = 1;
+ JUSED(v);
Emit4( (int)vm->instructionPointers + v*4 );
break;
case OP_LTU:
@@ -789,7 +799,7 @@ void VM_Compile( vm_t *vm, vmHeader_t *header ) {
EmitString( "73 06" ); // jnb +6
EmitString( "FF 25" ); // jmp [0x12345678]
v = Constant4();
- jused[v] = 1;
+ JUSED(v);
Emit4( (int)vm->instructionPointers + v*4 );
break;
case OP_LEU:
@@ -799,7 +809,7 @@ void VM_Compile( vm_t *vm, vmHeader_t *header ) {
EmitString( "77 06" ); // jnbe +6
EmitString( "FF 25" ); // jmp [0x12345678]
v = Constant4();
- jused[v] = 1;
+ JUSED(v);
Emit4( (int)vm->instructionPointers + v*4 );
break;
case OP_GTU:
@@ -809,7 +819,7 @@ void VM_Compile( vm_t *vm, vmHeader_t *header ) {
EmitString( "76 06" ); // jna +6
EmitString( "FF 25" ); // jmp [0x12345678]
v = Constant4();
- jused[v] = 1;
+ JUSED(v);
Emit4( (int)vm->instructionPointers + v*4 );
break;
case OP_GEU:
@@ -819,7 +829,7 @@ void VM_Compile( vm_t *vm, vmHeader_t *header ) {
EmitString( "72 06" ); // jnae +6
EmitString( "FF 25" ); // jmp [0x12345678]
v = Constant4();
- jused[v] = 1;
+ JUSED(v);
Emit4( (int)vm->instructionPointers + v*4 );
break;
case OP_EQF:
@@ -831,7 +841,7 @@ void VM_Compile( vm_t *vm, vmHeader_t *header ) {
EmitString( "74 06" ); // je +6
EmitString( "FF 25" ); // jmp [0x12345678]
v = Constant4();
- jused[v] = 1;
+ JUSED(v);
Emit4( (int)vm->instructionPointers + v*4 );
break;
case OP_NEF:
@@ -843,7 +853,7 @@ void VM_Compile( vm_t *vm, vmHeader_t *header ) {
EmitString( "75 06" ); // jne +6
EmitString( "FF 25" ); // jmp [0x12345678]
v = Constant4();
- jused[v] = 1;
+ JUSED(v);
Emit4( (int)vm->instructionPointers + v*4 );
break;
case OP_LTF:
@@ -855,7 +865,7 @@ void VM_Compile( vm_t *vm, vmHeader_t *header ) {
EmitString( "74 06" ); // je +6
EmitString( "FF 25" ); // jmp [0x12345678]
v = Constant4();
- jused[v] = 1;
+ JUSED(v);
Emit4( (int)vm->instructionPointers + v*4 );
break;
case OP_LEF:
@@ -867,7 +877,7 @@ void VM_Compile( vm_t *vm, vmHeader_t *header ) {
EmitString( "74 06" ); // je +6
EmitString( "FF 25" ); // jmp [0x12345678]
v = Constant4();
- jused[v] = 1;
+ JUSED(v);
Emit4( (int)vm->instructionPointers + v*4 );
break;
case OP_GTF:
@@ -879,7 +889,7 @@ void VM_Compile( vm_t *vm, vmHeader_t *header ) {
EmitString( "75 06" ); // jne +6
EmitString( "FF 25" ); // jmp [0x12345678]
v = Constant4();
- jused[v] = 1;
+ JUSED(v);
Emit4( (int)vm->instructionPointers + v*4 );
break;
case OP_GEF:
@@ -891,7 +901,7 @@ void VM_Compile( vm_t *vm, vmHeader_t *header ) {
EmitString( "75 06" ); // jne +6
EmitString( "FF 25" ); // jmp [0x12345678]
v = Constant4();
- jused[v] = 1;
+ JUSED(v);
Emit4( (int)vm->instructionPointers + v*4 );
break;
case OP_NEGI: