[quake3-commits] r1717 - trunk/code/qcommon

Sun Nov 1 14:58:07 EST 2009

Author: ludwig
Date: 2009-11-01 14:58:07 -0500 (Sun, 01 Nov 2009)
New Revision: 1717

Modified:
   trunk/code/qcommon/vm.c
   trunk/code/qcommon/vm_interpreted.c
   trunk/code/qcommon/vm_local.h
Log:
more security checks in interpreter (#4249)

Modified: trunk/code/qcommon/vm.c
===================================================================

--- trunk/code/qcommon/vm.c	2009-11-01 19:58:03 UTC (rev 1716)
+++ trunk/code/qcommon/vm.c	2009-11-01 19:58:07 UTC (rev 1717)
@@ -245,7 +245,7 @@
 		return;
 	}
 
-	numInstructions = vm->instructionPointersLength >> 2;
+	numInstructions = vm->instructionCount;
 
 	// parse the symbols
 	text_p = mapfile.c;
@@ -571,8 +571,8 @@
 	}
 
 	// allocate space for the jump targets, which will be filled in by the compile/prep functions
-	vm->instructionPointersLength = header->instructionCount * 4;
-	vm->instructionPointers = Hunk_Alloc( vm->instructionPointersLength, h_high );
+	vm->instructionCount = header->instructionCount;
+	vm->instructionPointers = Hunk_Alloc( vm->instructionCount*4, h_high );
 
 	// copy or compile the instructions
 	vm->codeLength = header->codeLength;
@@ -888,7 +888,7 @@
 			Com_Printf( "interpreted\n" );
 		}
 		Com_Printf( "    code length : %7i\n", vm->codeLength );
-		Com_Printf( "    table length: %7i\n", vm->instructionPointersLength );
+		Com_Printf( "    table length: %7i\n", vm->instructionCount*4 );
 		Com_Printf( "    data length : %7i\n", vm->dataMask + 1 );
 	}
 }

Modified: trunk/code/qcommon/vm_interpreted.c
===================================================================
--- trunk/code/qcommon/vm_interpreted.c	2009-11-01 19:58:03 UTC (rev 1716)
+++ trunk/code/qcommon/vm_interpreted.c	2009-11-01 19:58:07 UTC (rev 1717)
@@ -438,10 +438,10 @@
 				Com_Error( ERR_DROP, "OP_LOAD4 misaligned" );
 			}
 #endif
-			r0 = *opStack = *(int *)&image[ r0&dataMask ];
+			r0 = *opStack = *(int *)&image[ r0&dataMask&~3 ];
 			goto nextInstruction2;
 		case OP_LOAD2:
-			r0 = *opStack = *(unsigned short *)&image[ r0&dataMask ];
+			r0 = *opStack = *(unsigned short *)&image[ r0&dataMask&~1 ];
 			goto nextInstruction2;
 		case OP_LOAD1:
 			r0 = *opStack = image[ r0&dataMask ];
@@ -462,7 +462,7 @@
 
 		case OP_ARG:
 			// single byte offset from programStack
-			*(int *)&image[ codeImage[programCounter] + programStack ] = r0;
+			*(int *)&image[ (codeImage[programCounter] + programStack)&dataMask&~3 ] = r0;
 			opStack--;
 			programCounter += 1;
 			goto nextInstruction;
@@ -546,7 +546,7 @@
 					Com_Printf( "%s<--- %s\n", DEBUGSTR, VM_ValueToSymbol( vm, programCounter ) );
 				}
 #endif
-			} else if ( (unsigned)programCounter >= vm->codeLength ) {
+			} else if ( (unsigned)programCounter >= vm->instructionCount ) {
 				Com_Error( ERR_DROP, "VM program counter out of range in OP_CALL" );
 			} else {
 				programCounter = vm->instructionPointers[ programCounter ];
@@ -615,8 +615,11 @@
 		*/
 
 		case OP_JUMP:
-			programCounter = r0;
-			programCounter = vm->instructionPointers[ programCounter ];
+			if ( (unsigned)r0 >= vm->instructionCount )
+				Com_Error( ERR_DROP, "VM program counter out of range in OP_JUMP" );
+
+			programCounter = vm->instructionPointers[ r0 ];
+
 			opStack--;
 			goto nextInstruction;
 

Modified: trunk/code/qcommon/vm_local.h
===================================================================
--- trunk/code/qcommon/vm_local.h	2009-11-01 19:58:03 UTC (rev 1716)
+++ trunk/code/qcommon/vm_local.h	2009-11-01 19:58:07 UTC (rev 1717)
@@ -154,7 +154,7 @@
 	int			codeLength;
 
 	int			*instructionPointers;
-	int			instructionPointersLength;
+	int			instructionCount;
 
 	byte		*dataBase;
 	int			dataMask;

