From 81ea9fb372d0c677be4d8883f83c1164d98713af Mon Sep 17 00:00:00 2001 From: "alexey.lysiuk" Date: Thu, 2 Nov 2017 18:01:13 +0200 Subject: [PATCH] Added runtime check for negative array indices in VM https://forum.zdoom.org/viewtopic.php?t=57886 --- src/scripting/vm/vmexec.h | 15 +++++++++++++++ src/scripting/vm/vmops.h | 6 +++--- 2 files changed, 18 insertions(+), 3 deletions(-) diff --git a/src/scripting/vm/vmexec.h b/src/scripting/vm/vmexec.h index ec5da180f4..37c0093fa5 100644 --- a/src/scripting/vm/vmexec.h +++ b/src/scripting/vm/vmexec.h @@ -899,6 +899,11 @@ static int Exec(VMFrameStack *stack, const VMOP *pc, VMReturn *ret, int numret) ThrowAbortException(X_ARRAY_OUT_OF_BOUNDS, "Max.index = %u, current index = %u\n", BC, reg.d[a]); return 0; } + else if (reg.d[a] < 0) + { + ThrowAbortException(X_ARRAY_OUT_OF_BOUNDS, "Negative current index = %i\n", reg.d[a]); + return 0; + } NEXTOP; OP(BOUND_K): @@ -908,6 +913,11 @@ static int Exec(VMFrameStack *stack, const VMOP *pc, VMReturn *ret, int numret) ThrowAbortException(X_ARRAY_OUT_OF_BOUNDS, "Max.index = %u, current index = %u\n", konstd[BC], reg.d[a]); return 0; } + else if (reg.d[a] < 0) + { + ThrowAbortException(X_ARRAY_OUT_OF_BOUNDS, "Negative current index = %i\n", reg.d[a]); + return 0; + } NEXTOP; OP(BOUND_R): @@ -917,6 +927,11 @@ static int Exec(VMFrameStack *stack, const VMOP *pc, VMReturn *ret, int numret) ThrowAbortException(X_ARRAY_OUT_OF_BOUNDS, "Max.index = %u, current index = %u\n", reg.d[B], reg.d[a]); return 0; } + else if (reg.d[a] < 0) + { + ThrowAbortException(X_ARRAY_OUT_OF_BOUNDS, "Negative current index = %i\n", reg.d[a]); + return 0; + } NEXTOP; OP(CONCAT): diff --git a/src/scripting/vm/vmops.h b/src/scripting/vm/vmops.h index 97102f5de2..cfdf3fce26 100644 --- a/src/scripting/vm/vmops.h +++ b/src/scripting/vm/vmops.h @@ -122,9 +122,9 @@ xx(THROW, throw, THROW, NOP, 0, 0), // A == 0: Throw exception object pB // A == 2: (pB == ) then pc++ ; next instruction must JMP to another CATCH // A == 3: (pkB == ) then pc++ ; next instruction must JMP to another CATCH // for A > 0, exception is stored in pC -xx(BOUND, bound, RII16, NOP, 0, 0), // if rA >= BC, throw exception -xx(BOUND_K, bound, LKI, NOP, 0, 0), // if rA >= const[BC], throw exception -xx(BOUND_R, bound, RIRI, NOP, 0, 0), // if rA >= rB, throw exception +xx(BOUND, bound, RII16, NOP, 0, 0), // if rA < 0 or rA >= BC, throw exception +xx(BOUND_K, bound, LKI, NOP, 0, 0), // if rA < 0 or rA >= const[BC], throw exception +xx(BOUND_R, bound, RIRI, NOP, 0, 0), // if rA < 0 or rA >= rB, throw exception // String instructions. xx(CONCAT, concat, RSRSRS, NOP, 0, 0), // sA = sB..sC