From a7dee44defaf6ce9e944544e86df949dd25724af Mon Sep 17 00:00:00 2001
From: Ludwig Nussel
Date: Sun, 1 Nov 2009 19:58:09 +0000
Subject: [PATCH] check const jump argument

---
 code/qcommon/vm_x86_64.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/code/qcommon/vm_x86_64.c b/code/qcommon/vm_x86_64.c
index eb83cc64..3a6eef19 100644
--- a/code/qcommon/vm_x86_64.c
+++ b/code/qcommon/vm_x86_64.c
@@ -228,7 +228,14 @@ void emit(const char* fmt, ...)
 assemble_line(line, strlen(line));
 }
 
+#define CHECK_IARG \
+ do { if(iarg < 0 || iarg >= header->instructionCount) { \
+ Com_Error( ERR_DROP, \
+ "%s: jump target out of range at offset %d", __func__, pc ); \
+ } } while(0)
+
 #define JMPIARG \
+ CHECK_IARG; \
 emit("movq $%lu, %%rax", vm->codeBase+vm->instructionPointers[iarg]); \
 emit("jmpq *%%rax");
 
@@ -488,6 +495,9 @@ void VM_Compile( vm_t *vm, vmHeader_t *header ) {
 emit("subq $4, %%rsi");
 break;
 case OP_CONST:
+ if(code[pc] == OP_JUMP) {
+ CHECK_IARG;
+ }
 emit("addq $4, %%rsi");
 emit("movl $%d, 0(%%rsi)", iarg);
 break;
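Review bot: JMPIARG in the first hunk now expands to three statements with CHECK_IARG in front, but it is still not wrapped in do { } while(0), so an unbraced `if (...) JMPIARG;` anywhere else in the file (not visible here) would guard only the range check and emit the jump unconditionally; the hazard predates the patch, but the new first statement changes which part ends up guarded. Assuming the existing uses are written as `JMPIARG;`, the safe form is `#define JMPIARG do { CHECK_IARG; \` / `emit("movq $%lu, %%rax", vm->codeBase+vm->instructionPointers[iarg]); \` / `emit("jmpq *%%rax"); } while(0)`. CHECK_IARG also relies on the locals `iarg`, `header` and `pc` being in scope wherever it is expanded, which deserves a line above the definition such as `/* requires iarg, header and pc in scope; Com_Error(ERR_DROP) on an out-of-range jump target */`.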
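Review bot: The lookahead `code[pc] == OP_JUMP` added in the OP_CONST case reads the byte after the constant's argument without confirming that pc is still inside the code segment, so an OP_CONST that is the last instruction of the bytecode reads one past the instruction stream unless the buffer is padded by the loader (not visible in this hunk); `if(pc < header->codeLength && code[pc] == OP_JUMP)` keeps the peek in bounds either way. The error raised by CHECK_IARG reports `pc`, which at this point appears to be the offset of the following OP_JUMP rather than of the OP_CONST carrying the bad target; if that is intended, a short comment on the branch would save the next reader a trip through the pc bookkeeping. VM_Compile starts and ends outside the hunk.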