* (bug #4249) Fix buffer overflow in x86 VM

2009-10-19 23:01:00 +00:00 · 2009-10-19 23:01:00 +00:00 · 5663ff1362
commit 5663ff1362
parent fd57c987c4
1 changed files with 29 additions and 19 deletions
--- a/code/qcommon/vm_x86.c
+++ b/code/qcommon/vm_x86.c
@ -405,6 +405,15 @@ qboolean EmitMovEBXEDI(vm_t *vm, int andit) {
 	return qfalse;
 }
 #define JUSED(x) \
 	do { \
 		if (x < 0 || x >= jusedSize) { \
 			Com_Error( ERR_DROP, \
 					"VM_CompileX86: jump target out of range at offset %d", pc ); \
 		} \
 		jused[x] = 1; \
 	} while(0)
 /*
 =================
 VM_Compile
@ -416,13 +425,14 @@ void VM_Compile( vm_t *vm, vmHeader_t *header ) {
 	int		v;
 	int		i;
 	qboolean opt;
 	int jusedSize = header->instructionCount + 2;
 	// allocate a very large temp buffer, we will shrink it later
 	maxLength = header->codeLength * 8;
 	buf = Z_Malloc( maxLength );
-	jused = Z_Malloc(header->instructionCount + 2 );
+	jused = Z_Malloc(jusedSize);
-	Com_Memset(jused, 0, header->instructionCount+2);
+	Com_Memset(jused, 0, jusedSize);
 	// ensure that the optimisation pass knows about all the jump
 	// table targets
@ -563,7 +573,7 @@ void VM_Compile( vm_t *vm, vmHeader_t *header ) {
 			lastConst = Constant4();
 			Emit4( lastConst );
 			if (code[pc] == OP_JUMP) {
-				jused[lastConst] = 1;
+				JUSED(lastConst);
 			}
 			break;
 		case OP_LOCAL:
@ -729,7 +739,7 @@ void VM_Compile( vm_t *vm, vmHeader_t *header ) {
 			EmitString( "75 06" );		// jne +6
 			EmitString( "FF 25" );		// jmp	[0x12345678]
 			v = Constant4();
-			jused[v] = 1;
+			JUSED(v);
 			Emit4( (int)vm->instructionPointers + v*4 );
 			break;
 		case OP_NE:
@ -739,7 +749,7 @@ void VM_Compile( vm_t *vm, vmHeader_t *header ) {
 			EmitString( "74 06" );		// je +6
 			EmitString( "FF 25" );		// jmp	[0x12345678]
 			v = Constant4();
-			jused[v] = 1;
+			JUSED(v);
 			Emit4( (int)vm->instructionPointers + v*4 );
 			break;
 		case OP_LTI:
@ -749,7 +759,7 @@ void VM_Compile( vm_t *vm, vmHeader_t *header ) {
 			EmitString( "7D 06" );		// jnl +6
 			EmitString( "FF 25" );		// jmp	[0x12345678]
 			v = Constant4();
-			jused[v] = 1;
+			JUSED(v);
 			Emit4( (int)vm->instructionPointers + v*4 );
 			break;
 		case OP_LEI:
@ -759,7 +769,7 @@ void VM_Compile( vm_t *vm, vmHeader_t *header ) {
 			EmitString( "7F 06" );		// jnle +6
 			EmitString( "FF 25" );		// jmp	[0x12345678]
 			v = Constant4();
-			jused[v] = 1;
+			JUSED(v);
 			Emit4( (int)vm->instructionPointers + v*4 );
 			break;
 		case OP_GTI:
@ -769,7 +779,7 @@ void VM_Compile( vm_t *vm, vmHeader_t *header ) {
 			EmitString( "7E 06" );		// jng +6
 			EmitString( "FF 25" );		// jmp	[0x12345678]
 			v = Constant4();
-			jused[v] = 1;
+			JUSED(v);
 			Emit4( (int)vm->instructionPointers + v*4 );
 			break;
 		case OP_GEI:
@ -779,7 +789,7 @@ void VM_Compile( vm_t *vm, vmHeader_t *header ) {
 			EmitString( "7C 06" );		// jnge +6
 			EmitString( "FF 25" );		// jmp	[0x12345678]
 			v = Constant4();
-			jused[v] = 1;
+			JUSED(v);
 			Emit4( (int)vm->instructionPointers + v*4 );
 			break;
 		case OP_LTU:
@ -789,7 +799,7 @@ void VM_Compile( vm_t *vm, vmHeader_t *header ) {
 			EmitString( "73 06" );		// jnb +6
 			EmitString( "FF 25" );		// jmp	[0x12345678]
 			v = Constant4();
-			jused[v] = 1;
+			JUSED(v);
 			Emit4( (int)vm->instructionPointers + v*4 );
 			break;
 		case OP_LEU:
@ -799,7 +809,7 @@ void VM_Compile( vm_t *vm, vmHeader_t *header ) {
 			EmitString( "77 06" );		// jnbe +6
 			EmitString( "FF 25" );		// jmp	[0x12345678]
 			v = Constant4();
-			jused[v] = 1;
+			JUSED(v);
 			Emit4( (int)vm->instructionPointers + v*4 );
 			break;
 		case OP_GTU:
@ -809,7 +819,7 @@ void VM_Compile( vm_t *vm, vmHeader_t *header ) {
 			EmitString( "76 06" );		// jna +6
 			EmitString( "FF 25" );		// jmp	[0x12345678]
 			v = Constant4();
-			jused[v] = 1;
+			JUSED(v);
 			Emit4( (int)vm->instructionPointers + v*4 );
 			break;
 		case OP_GEU:
@ -819,7 +829,7 @@ void VM_Compile( vm_t *vm, vmHeader_t *header ) {
 			EmitString( "72 06" );		// jnae +6
 			EmitString( "FF 25" );		// jmp	[0x12345678]
 			v = Constant4();
-			jused[v] = 1;
+			JUSED(v);
 			Emit4( (int)vm->instructionPointers + v*4 );
 			break;
 		case OP_EQF:
@ -831,7 +841,7 @@ void VM_Compile( vm_t *vm, vmHeader_t *header ) {
 			EmitString( "74 06" );		// je +6
 			EmitString( "FF 25" );		// jmp	[0x12345678]
 			v = Constant4();
-			jused[v] = 1;
+			JUSED(v);
 			Emit4( (int)vm->instructionPointers + v*4 );
 			break;			
 		case OP_NEF:
@ -843,7 +853,7 @@ void VM_Compile( vm_t *vm, vmHeader_t *header ) {
 			EmitString( "75 06" );		// jne +6
 			EmitString( "FF 25" );		// jmp	[0x12345678]
 			v = Constant4();
-			jused[v] = 1;
+			JUSED(v);
 			Emit4( (int)vm->instructionPointers + v*4 );
 			break;			
 		case OP_LTF:
@ -855,7 +865,7 @@ void VM_Compile( vm_t *vm, vmHeader_t *header ) {
 			EmitString( "74 06" );		// je +6
 			EmitString( "FF 25" );		// jmp	[0x12345678]
 			v = Constant4();
-			jused[v] = 1;
+			JUSED(v);
 			Emit4( (int)vm->instructionPointers + v*4 );
 			break;			
 		case OP_LEF:
@ -867,7 +877,7 @@ void VM_Compile( vm_t *vm, vmHeader_t *header ) {
 			EmitString( "74 06" );		// je +6
 			EmitString( "FF 25" );		// jmp	[0x12345678]
 			v = Constant4();
-			jused[v] = 1;
+			JUSED(v);
 			Emit4( (int)vm->instructionPointers + v*4 );
 			break;			
 		case OP_GTF:
@ -879,7 +889,7 @@ void VM_Compile( vm_t *vm, vmHeader_t *header ) {
 			EmitString( "75 06" );		// jne +6
 			EmitString( "FF 25" );		// jmp	[0x12345678]
 			v = Constant4();
-			jused[v] = 1;
+			JUSED(v);
 			Emit4( (int)vm->instructionPointers + v*4 );
 			break;			
 		case OP_GEF:
@ -891,7 +901,7 @@ void VM_Compile( vm_t *vm, vmHeader_t *header ) {
 			EmitString( "75 06" );		// jne +6
 			EmitString( "FF 25" );		// jmp	[0x12345678]
 			v = Constant4();
-			jused[v] = 1;
+			JUSED(v);
 			Emit4( (int)vm->instructionPointers + v*4 );
 			break;			
 		case OP_NEGI: