[quake3-commits] r1687 - trunk/code/qcommon
DONOTREPLY at icculus.org
DONOTREPLY at icculus.org
Mon Oct 19 19:01:00 EDT 2009
Author: tma
Date: 2009-10-19 19:01:00 -0400 (Mon, 19 Oct 2009)
New Revision: 1687
Modified:
trunk/code/qcommon/vm_x86.c
Log:
* (bug #4249) Fix buffer overflow in x86 VM
Modified: trunk/code/qcommon/vm_x86.c
===================================================================
--- trunk/code/qcommon/vm_x86.c 2009-10-19 22:36:17 UTC (rev 1686)
+++ trunk/code/qcommon/vm_x86.c 2009-10-19 23:01:00 UTC (rev 1687)
@@ -405,6 +405,15 @@
return qfalse;
}
+#define JUSED(x) \
+ do { \
+ if (x < 0 || x >= jusedSize) { \
+ Com_Error( ERR_DROP, \
+ "VM_CompileX86: jump target out of range at offset %d", pc ); \
+ } \
+ jused[x] = 1; \
+ } while(0)
+
/*
=================
VM_Compile
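Review bot: The macro parameter x on L21 and L25 is used unparenthesized and evaluated up to three times, so a call with an expression argument (every current call passes a plain identifier) would misparse in `x < 0` or double-evaluate side effects; write `if ((x) < 0 || (x) >= jusedSize)` and `jused[(x)] = 1;`. The macro also silently reads the VM_Compile locals jusedSize and pc (and jused, whose declaration is not in the hunk), so it is only valid inside that function; a one-line comment above the #define naming that dependency, plus an `#undef JUSED` after VM_Compile, would make the scope explicit. The enclosing VM_Compile begins after this hunk.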
@@ -416,13 +425,14 @@
int v;
int i;
qboolean opt;
+ int jusedSize = header->instructionCount + 2;
// allocate a very large temp buffer, we will shrink it later
maxLength = header->codeLength * 8;
buf = Z_Malloc( maxLength );
- jused = Z_Malloc(header->instructionCount + 2 );
+ jused = Z_Malloc(jusedSize);
- Com_Memset(jused, 0, header->instructionCount+2);
+ Com_Memset(jused, 0, jusedSize);
// ensure that the optimisation pass knows about all the jump
// table targets
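Review bot: The new `int jusedSize = header->instructionCount + 2;` on L35 takes instructionCount straight from the loaded VM header; if a negative or near-INT_MAX count can reach this point, the addition is signed overflow and Z_Malloc receives a bogus size, so either a range check on instructionCount here or an existing one in the loader (not visible on this page) should be confirmed. Also worth confirming is what Com_Error(ERR_DROP) raised from JUSED does to the buf and jused allocations on L38 and L40, since VM_Compile has no cleanup path visible in the hunk. The loop that marks jump-table targets, referred to by the comment on L43-L44 but outside the hunk, presumably also writes jused[]; if so it needs the same bound check, because the macro only covers the call sites this commit changes. VM_Compile's body continues outside the hunk.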
@@ -563,7 +573,7 @@
lastConst = Constant4();
Emit4( lastConst );
if (code[pc] == OP_JUMP) {
- jused[lastConst] = 1;
+ JUSED(lastConst);
}
break;
case OP_LOCAL:
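Review bot: The offset reported by `JUSED(lastConst)` on L50 is whatever pc holds after Constant4() has consumed the operand and the `code[pc] == OP_JUMP` lookahead has run, so it presumably names the following instruction rather than the faulting OP_CONST; worth confirming and, if so, either documenting in the message or reporting the instruction's start offset. A short comment on why the check lives here, such as `// a constant feeding an OP_JUMP is a jump target: record it bounds-checked`, would help the next reader, since this is the only site where the checked value is not a branch operand. The enclosing switch starts and ends outside the hunk.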
@@ -729,7 +739,7 @@
EmitString( "75 06" ); // jne +6
EmitString( "FF 25" ); // jmp [0x12345678]
v = Constant4();
- jused[v] = 1;
+ JUSED(v);
Emit4( (int)vm->instructionPointers + v*4 );
break;
case OP_NE:
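Review bot: JUSED(v) on L59 bounds the jused[] write to instructionCount + 2 entries, but L60 still emits a jump through `vm->instructionPointers + v*4`, and whether that table has the same two spare entries is not visible here; if it holds only instructionCount entries, a target of instructionCount or instructionCount + 1 passes the check yet indexes past the table when the compiled code runs. If that is the case, the branch opcodes should reject `v >= header->instructionCount` instead of relying on the jused sizing. The same three-line pattern (Constant4, JUSED, Emit4) recurs identically in the hunks ending at L71, L80, L89, L98, L107, L116, L125, L134, L143, L152, L161, L170, L179, L188 and L197; folding it into one static helper would leave a single place to audit, though JUSED's dependence on the local jusedSize means that value would have to be passed in or made file-scope alongside jused. The enclosing switch starts and ends outside the hunk.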
@@ -739,7 +749,7 @@
EmitString( "74 06" ); // je +6
EmitString( "FF 25" ); // jmp [0x12345678]
v = Constant4();
- jused[v] = 1;
+ JUSED(v);
Emit4( (int)vm->instructionPointers + v*4 );
break;
case OP_LTI:
@@ -749,7 +759,7 @@
EmitString( "7D 06" ); // jnl +6
EmitString( "FF 25" ); // jmp [0x12345678]
v = Constant4();
- jused[v] = 1;
+ JUSED(v);
Emit4( (int)vm->instructionPointers + v*4 );
break;
case OP_LEI:
@@ -759,7 +769,7 @@
EmitString( "7F 06" ); // jnle +6
EmitString( "FF 25" ); // jmp [0x12345678]
v = Constant4();
- jused[v] = 1;
+ JUSED(v);
Emit4( (int)vm->instructionPointers + v*4 );
break;
case OP_GTI:
@@ -769,7 +779,7 @@
EmitString( "7E 06" ); // jng +6
EmitString( "FF 25" ); // jmp [0x12345678]
v = Constant4();
- jused[v] = 1;
+ JUSED(v);
Emit4( (int)vm->instructionPointers + v*4 );
break;
case OP_GEI:
@@ -779,7 +789,7 @@
EmitString( "7C 06" ); // jnge +6
EmitString( "FF 25" ); // jmp [0x12345678]
v = Constant4();
- jused[v] = 1;
+ JUSED(v);
Emit4( (int)vm->instructionPointers + v*4 );
break;
case OP_LTU:
@@ -789,7 +799,7 @@
EmitString( "73 06" ); // jnb +6
EmitString( "FF 25" ); // jmp [0x12345678]
v = Constant4();
- jused[v] = 1;
+ JUSED(v);
Emit4( (int)vm->instructionPointers + v*4 );
break;
case OP_LEU:
@@ -799,7 +809,7 @@
EmitString( "77 06" ); // jnbe +6
EmitString( "FF 25" ); // jmp [0x12345678]
v = Constant4();
- jused[v] = 1;
+ JUSED(v);
Emit4( (int)vm->instructionPointers + v*4 );
break;
case OP_GTU:
@@ -809,7 +819,7 @@
EmitString( "76 06" ); // jna +6
EmitString( "FF 25" ); // jmp [0x12345678]
v = Constant4();
- jused[v] = 1;
+ JUSED(v);
Emit4( (int)vm->instructionPointers + v*4 );
break;
case OP_GEU:
@@ -819,7 +829,7 @@
EmitString( "72 06" ); // jnae +6
EmitString( "FF 25" ); // jmp [0x12345678]
v = Constant4();
- jused[v] = 1;
+ JUSED(v);
Emit4( (int)vm->instructionPointers + v*4 );
break;
case OP_EQF:
@@ -831,7 +841,7 @@
EmitString( "74 06" ); // je +6
EmitString( "FF 25" ); // jmp [0x12345678]
v = Constant4();
- jused[v] = 1;
+ JUSED(v);
Emit4( (int)vm->instructionPointers + v*4 );
break;
case OP_NEF:
@@ -843,7 +853,7 @@
EmitString( "75 06" ); // jne +6
EmitString( "FF 25" ); // jmp [0x12345678]
v = Constant4();
- jused[v] = 1;
+ JUSED(v);
Emit4( (int)vm->instructionPointers + v*4 );
break;
case OP_LTF:
@@ -855,7 +865,7 @@
EmitString( "74 06" ); // je +6
EmitString( "FF 25" ); // jmp [0x12345678]
v = Constant4();
- jused[v] = 1;
+ JUSED(v);
Emit4( (int)vm->instructionPointers + v*4 );
break;
case OP_LEF:
@@ -867,7 +877,7 @@
EmitString( "74 06" ); // je +6
EmitString( "FF 25" ); // jmp [0x12345678]
v = Constant4();
- jused[v] = 1;
+ JUSED(v);
Emit4( (int)vm->instructionPointers + v*4 );
break;
case OP_GTF:
@@ -879,7 +889,7 @@
EmitString( "75 06" ); // jne +6
EmitString( "FF 25" ); // jmp [0x12345678]
v = Constant4();
- jused[v] = 1;
+ JUSED(v);
Emit4( (int)vm->instructionPointers + v*4 );
break;
case OP_GEF:
@@ -891,7 +901,7 @@
EmitString( "75 06" ); // jne +6
EmitString( "FF 25" ); // jmp [0x12345678]
v = Constant4();
- jused[v] = 1;
+ JUSED(v);
Emit4( (int)vm->instructionPointers + v*4 );
break;
case OP_NEGI: