more security checks in interpreter (#4249)

code/qcommon/vm_interpreted.c

@@ -438,10 +438,10 @@ nextInstruction2:
 				Com_Error( ERR_DROP, "OP_LOAD4 misaligned" );
 			}
 #endif
-			r0 = *opStack = *(int *)&image[ r0&dataMask ];
+			r0 = *opStack = *(int *)&image[ r0&dataMask&~3 ];
 			goto nextInstruction2;
 		case OP_LOAD2:
-			r0 = *opStack = *(unsigned short *)&image[ r0&dataMask ];
+			r0 = *opStack = *(unsigned short *)&image[ r0&dataMask&~1 ];
 			goto nextInstruction2;
 		case OP_LOAD1:
 			r0 = *opStack = image[ r0&dataMask ];
@@ -462,7 +462,7 @@ nextInstruction2:
 
 		case OP_ARG:
 			// single byte offset from programStack
-			*(int *)&image[ codeImage[programCounter] + programStack ] = r0;
+			*(int *)&image[ (codeImage[programCounter] + programStack)&dataMask&~3 ] = r0;
 			opStack--;
 			programCounter += 1;
 			goto nextInstruction;
@@ -546,7 +546,7 @@ nextInstruction2:
 					Com_Printf( "%s<--- %s\n", DEBUGSTR, VM_ValueToSymbol( vm, programCounter ) );
 				}
 #endif
-			} else if ( (unsigned)programCounter >= vm->codeLength ) {
+			} else if ( (unsigned)programCounter >= vm->instructionCount ) {
 				Com_Error( ERR_DROP, "VM program counter out of range in OP_CALL" );
 			} else {
 				programCounter = vm->instructionPointers[ programCounter ];
@@ -615,8 +615,11 @@ nextInstruction2:
 		*/
 
 		case OP_JUMP:
-			programCounter = r0;
-			programCounter = vm->instructionPointers[ programCounter ];
+			if ( (unsigned)r0 >= vm->instructionCount )
+				Com_Error( ERR_DROP, "VM program counter out of range in OP_JUMP" );
+
+			programCounter = vm->instructionPointers[ r0 ];
+
 			opStack--;
 			goto nextInstruction;