* (bug #4249) Fix buffer overflow in x86 VM

Tim Angus 2009-10-19 23:01:00 +00:00
parent fd57c987c4
commit 5663ff1362


@ -405,6 +405,15 @@ qboolean EmitMovEBXEDI(vm_t *vm, int andit) {
return qfalse;
}
#define JUSED(x) \
do { \
if (x < 0 || x >= jusedSize) { \
Com_Error( ERR_DROP, \
"VM_CompileX86: jump target out of range at offset %d", pc ); \
} \
jused[x] = 1; \
} while(0)
/*
=================
VM_Compile
@ -416,13 +425,14 @@ void VM_Compile( vm_t *vm, vmHeader_t *header ) {
int v;
int i;
qboolean opt;
int jusedSize = header->instructionCount + 2;
// allocate a very large temp buffer, we will shrink it later
maxLength = header->codeLength * 8;
buf = Z_Malloc( maxLength );
jused = Z_Malloc(header->instructionCount + 2 );
jused = Z_Malloc(jusedSize);
Com_Memset(jused, 0, header->instructionCount+2);
Com_Memset(jused, 0, jusedSize);
// ensure that the optimisation pass knows about all the jump
// table targets
@ -563,7 +573,7 @@ void VM_Compile( vm_t *vm, vmHeader_t *header ) {
lastConst = Constant4();
Emit4( lastConst );
if (code[pc] == OP_JUMP) {
jused[lastConst] = 1;
JUSED(lastConst);
}
break;
case OP_LOCAL:
@ -729,7 +739,7 @@ void VM_Compile( vm_t *vm, vmHeader_t *header ) {
EmitString( "75 06" ); // jne +6
EmitString( "FF 25" ); // jmp [0x12345678]
v = Constant4();
jused[v] = 1;
JUSED(v);
Emit4( (int)vm->instructionPointers + v*4 );
break;
case OP_NE:
@ -739,7 +749,7 @@ void VM_Compile( vm_t *vm, vmHeader_t *header ) {
EmitString( "74 06" ); // je +6
EmitString( "FF 25" ); // jmp [0x12345678]
v = Constant4();
jused[v] = 1;
JUSED(v);
Emit4( (int)vm->instructionPointers + v*4 );
break;
case OP_LTI:
@ -749,7 +759,7 @@ void VM_Compile( vm_t *vm, vmHeader_t *header ) {
EmitString( "7D 06" ); // jnl +6
EmitString( "FF 25" ); // jmp [0x12345678]
v = Constant4();
jused[v] = 1;
JUSED(v);
Emit4( (int)vm->instructionPointers + v*4 );
break;
case OP_LEI:
@ -759,7 +769,7 @@ void VM_Compile( vm_t *vm, vmHeader_t *header ) {
EmitString( "7F 06" ); // jnle +6
EmitString( "FF 25" ); // jmp [0x12345678]
v = Constant4();
jused[v] = 1;
JUSED(v);
Emit4( (int)vm->instructionPointers + v*4 );
break;
case OP_GTI:
@ -769,7 +779,7 @@ void VM_Compile( vm_t *vm, vmHeader_t *header ) {
EmitString( "7E 06" ); // jng +6
EmitString( "FF 25" ); // jmp [0x12345678]
v = Constant4();
jused[v] = 1;
JUSED(v);
Emit4( (int)vm->instructionPointers + v*4 );
break;
case OP_GEI:
@ -779,7 +789,7 @@ void VM_Compile( vm_t *vm, vmHeader_t *header ) {
EmitString( "7C 06" ); // jnge +6
EmitString( "FF 25" ); // jmp [0x12345678]
v = Constant4();
jused[v] = 1;
JUSED(v);
Emit4( (int)vm->instructionPointers + v*4 );
break;
case OP_LTU:
@ -789,7 +799,7 @@ void VM_Compile( vm_t *vm, vmHeader_t *header ) {
EmitString( "73 06" ); // jnb +6
EmitString( "FF 25" ); // jmp [0x12345678]
v = Constant4();
jused[v] = 1;
JUSED(v);
Emit4( (int)vm->instructionPointers + v*4 );
break;
case OP_LEU:
@ -799,7 +809,7 @@ void VM_Compile( vm_t *vm, vmHeader_t *header ) {
EmitString( "77 06" ); // jnbe +6
EmitString( "FF 25" ); // jmp [0x12345678]
v = Constant4();
jused[v] = 1;
JUSED(v);
Emit4( (int)vm->instructionPointers + v*4 );
break;
case OP_GTU:
@ -809,7 +819,7 @@ void VM_Compile( vm_t *vm, vmHeader_t *header ) {
EmitString( "76 06" ); // jna +6
EmitString( "FF 25" ); // jmp [0x12345678]
v = Constant4();
jused[v] = 1;
JUSED(v);
Emit4( (int)vm->instructionPointers + v*4 );
break;
case OP_GEU:
@ -819,7 +829,7 @@ void VM_Compile( vm_t *vm, vmHeader_t *header ) {
EmitString( "72 06" ); // jnae +6
EmitString( "FF 25" ); // jmp [0x12345678]
v = Constant4();
jused[v] = 1;
JUSED(v);
Emit4( (int)vm->instructionPointers + v*4 );
break;
case OP_EQF:
@ -831,7 +841,7 @@ void VM_Compile( vm_t *vm, vmHeader_t *header ) {
EmitString( "74 06" ); // je +6
EmitString( "FF 25" ); // jmp [0x12345678]
v = Constant4();
jused[v] = 1;
JUSED(v);
Emit4( (int)vm->instructionPointers + v*4 );
break;
case OP_NEF:
@ -843,7 +853,7 @@ void VM_Compile( vm_t *vm, vmHeader_t *header ) {
EmitString( "75 06" ); // jne +6
EmitString( "FF 25" ); // jmp [0x12345678]
v = Constant4();
jused[v] = 1;
JUSED(v);
Emit4( (int)vm->instructionPointers + v*4 );
break;
case OP_LTF:
@ -855,7 +865,7 @@ void VM_Compile( vm_t *vm, vmHeader_t *header ) {
EmitString( "74 06" ); // je +6
EmitString( "FF 25" ); // jmp [0x12345678]
v = Constant4();
jused[v] = 1;
JUSED(v);
Emit4( (int)vm->instructionPointers + v*4 );
break;
case OP_LEF:
@ -867,7 +877,7 @@ void VM_Compile( vm_t *vm, vmHeader_t *header ) {
EmitString( "74 06" ); // je +6
EmitString( "FF 25" ); // jmp [0x12345678]
v = Constant4();
jused[v] = 1;
JUSED(v);
Emit4( (int)vm->instructionPointers + v*4 );
break;
case OP_GTF:
@ -879,7 +889,7 @@ void VM_Compile( vm_t *vm, vmHeader_t *header ) {
EmitString( "75 06" ); // jne +6
EmitString( "FF 25" ); // jmp [0x12345678]
v = Constant4();
jused[v] = 1;
JUSED(v);
Emit4( (int)vm->instructionPointers + v*4 );
break;
case OP_GEF:
@ -891,7 +901,7 @@ void VM_Compile( vm_t *vm, vmHeader_t *header ) {
EmitString( "75 06" ); // jne +6
EmitString( "FF 25" ); // jmp [0x12345678]
v = Constant4();
jused[v] = 1;
JUSED(v);
Emit4( (int)vm->instructionPointers + v*4 );
break;
case OP_NEGI:
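Review bot: The new JUSED macro expands its argument unparenthesized and three times, and its safety rests on the `jused[x] = 1;` write after Com_Error never being reached, which depends on Com_Error(ERR_DROP) not returning — nothing in the hunk establishes that. Parenthesizing the argument, `if ((x) < 0 || (x) >= jusedSize) {`, protects a future `JUSED(Constant4())`, and making the store the else-branch, `} else { jused[x] = 1; }`, drops the dependence on Com_Error's non-return. The macro also uses `jused`, `jusedSize` and `pc` as free identifiers although it is defined at file scope, so a comment such as `// only valid inside VM_Compile: relies on its locals jusedSize and pc` would make the expansion contract explicit. The jump-table marking loop introduced by the "ensure that the optimisation pass knows about all the jump table targets" comment lies outside these hunks, so whether its jused[] writes are range-checked the same way cannot be confirmed here; VM_Compile's body starts and ends outside the shown hunks, and the file section may continue past this point.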