more security checks in interpreter (#4249)

code/qcommon/vm.c

@@ -245,7 +245,7 @@ void VM_LoadSymbols( vm_t *vm ) {
 		return;
 	}
 
-	numInstructions = vm->instructionPointersLength >> 2;
+	numInstructions = vm->instructionCount;
 
 	// parse the symbols
 	text_p = mapfile.c;
@@ -571,8 +571,8 @@ vm_t *VM_Create( const char *module, intptr_t (*systemCalls)(intptr_t *),
 	}
 
 	// allocate space for the jump targets, which will be filled in by the compile/prep functions
-	vm->instructionPointersLength = header->instructionCount * 4;
+	vm->instructionCount = header->instructionCount;
-	vm->instructionPointers = Hunk_Alloc( vm->instructionPointersLength, h_high );
+	vm->instructionPointers = Hunk_Alloc( vm->instructionCount*4, h_high );
 
 	// copy or compile the instructions
 	vm->codeLength = header->codeLength;
@@ -888,7 +888,7 @@ void VM_VmInfo_f( void ) {
 			Com_Printf( "interpreted\n" );
 		}
 		Com_Printf( "    code length : %7i\n", vm->codeLength );
-		Com_Printf( "    table length: %7i\n", vm->instructionPointersLength );
+		Com_Printf( "    table length: %7i\n", vm->instructionCount*4 );
 		Com_Printf( "    data length : %7i\n", vm->dataMask + 1 );
 	}
 }

code/qcommon/vm_interpreted.c

@@ -438,10 +438,10 @@ nextInstruction2:
 				Com_Error( ERR_DROP, "OP_LOAD4 misaligned" );
 			}
 #endif
-			r0 = *opStack = *(int *)&image[ r0&dataMask ];
+			r0 = *opStack = *(int *)&image[ r0&dataMask&~3 ];
 			goto nextInstruction2;
 		case OP_LOAD2:
-			r0 = *opStack = *(unsigned short *)&image[ r0&dataMask ];
+			r0 = *opStack = *(unsigned short *)&image[ r0&dataMask&~1 ];
 			goto nextInstruction2;
 		case OP_LOAD1:
 			r0 = *opStack = image[ r0&dataMask ];
@@ -462,7 +462,7 @@ nextInstruction2:
 
 		case OP_ARG:
 			// single byte offset from programStack
-			*(int *)&image[ codeImage[programCounter] + programStack ] = r0;
+			*(int *)&image[ (codeImage[programCounter] + programStack)&dataMask&~3 ] = r0;
 			opStack--;
 			programCounter += 1;
 			goto nextInstruction;
@@ -546,7 +546,7 @@ nextInstruction2:
 					Com_Printf( "%s<--- %s\n", DEBUGSTR, VM_ValueToSymbol( vm, programCounter ) );
 				}
 #endif
-			} else if ( (unsigned)programCounter >= vm->codeLength ) {
+			} else if ( (unsigned)programCounter >= vm->instructionCount ) {
 				Com_Error( ERR_DROP, "VM program counter out of range in OP_CALL" );
 			} else {
 				programCounter = vm->instructionPointers[ programCounter ];
@@ -615,8 +615,11 @@ nextInstruction2:
 		*/
 
 		case OP_JUMP:
-			programCounter = r0;
+			if ( (unsigned)r0 >= vm->instructionCount )
-			programCounter = vm->instructionPointers[ programCounter ];
+				Com_Error( ERR_DROP, "VM program counter out of range in OP_JUMP" );
+
+			programCounter = vm->instructionPointers[ r0 ];
+
 			opStack--;
 			goto nextInstruction;
 

code/qcommon/vm_local.h

@@ -154,7 +154,7 @@ struct vm_s {
 	int			codeLength;
 
 	int			*instructionPointers;
-	int			instructionPointersLength;
+	int			instructionCount;
 
 	byte		*dataBase;
 	int			dataMask;